December 2025 Vendor Management News

Dec 18, 2025

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of December 18

Fintech provider data breach exposes personal information of 5.8 million. A third-party integration failure led to a major data breach at fintech provider 700Credit, exposing the personal information of more than 5.8 million individuals. Attackers gained access through a compromised partner and exploited an insecure API, allowing them to extract sensitive data (including names, addresses, dates of birth, and Social Security numbers) over several months before the issue was detected and shut down. The incident underscores the risks tied to third-party integrations and API security, as well as the importance of timely vendor notifications, continuous monitoring, and strong oversight of service provider controls. 

OCC looks for community bank feedback on third-party providers. The OCC is seeking industry feedback on how community banks work with core and other essential third-party service providers, with comments due January 26. The request points to growing concerns about concentration risk from reliance on a small number of core providers, limited negotiating power, declining service quality, and difficulty keeping pace with innovation in areas like cloud services, AI, and crypto-related offerings. The OCC is asking banks and other stakeholders to comment on issues including contract negotiations, third-party risk management, cybersecurity, costs, and regulatory burden, while underscoring that many service provider activities are subject to the same regulatory scrutiny that applies to banks.

Third-party cyberattacks show importance of continuous monitoring. Cyberattacks in 2025 shifted from isolated incidents to a constant reality, exposing how unprepared many organizations are. High-profile breaches, soaring cyber insurance claims, and growing vendor-driven attacks showed that annual audits and static controls can’t keep up with AI-powered adversaries, cloud complexity, and fragile third-party ecosystems. With many phishing attacks, invoice fraud schemes, and data breaches now originating through vendors, continuous monitoring and real-time visibility are critical to staying ahead.

Cybersecurity a critical board-level issue. As cyberattacks become more frequent and disruptive, cybersecurity is firmly a board-level responsibility. Effective oversight means integrating cyber risk into enterprise risk management, clearly assigning accountability, and receiving consistent, decision-ready reporting on how threats — including third-party and supply-chain exposures — could impact operations, financial performance, and reputation. With expanding global regulations and shorter incident notification timelines, boards are expected to look beyond technical controls by ensuring the right expertise is in place, regularly testing incident response and backup plans, monitoring vendor cybersecurity practices, and reinforcing a culture of cyber awareness that supports organizational resilience. 

More insurance companies using AI services. Insurance companies are rapidly implementing AI, with many now using it for fully or largely automated underwriting, claims processing, fraud detection, and customer service, according to a new survey. Insurers are shifting away from manual, document-heavy workflows. More advanced “agentic” AI systems are even managing entire underwriting or claims workflows for routine cases. As insurers push toward more efficient, autonomous operations, it’s important to balance innovation with risk. Insurers should still assess AI vendors and ensure data is protected. 

Beyond spreadsheets: vendor management ideas. Community banks juggling dozens of vendor relationships face growing administrative and regulatory demands, especially as many fintechs add layers of fourth-party risk. Traditional spreadsheet tracking struggles to scale, and industry leaders recommend shifting toward vendor management software — often with AI capabilities — to streamline risk ratings, due diligence, renewals, and data flow oversight. Banks are also encouraged to rethink vendor roles, distribute workload across teams, and use tools that free up time for meaningful risk analysis and stronger vendor partnerships. 

Recently Added Articles as of December 11

Ransom payment in Marquis breach raises regulatory stakes for FIs. Following last week’s disclosure that Marquis Software Solutions suffered a third-party breach in August, one credit union has now confirmed the vendor paid the attacker’s ransom — a decision that adds meaningful compliance risk for its roughly 700 financial institution customers. Even when a vendor makes the payment, FIs can still face OFAC sanctions exposure, FinCEN reporting obligations, and examiner scrutiny over vendor oversight and incident-response expectations. And because a ransom offers no guarantee stolen data won’t be leaked, it can compound — not resolve — risk. It’s a clear reminder that ransomware preparedness must address the regulatory consequences of vendor decisions, not just an institution’s internal controls. 

Freddie Mac mandates AI governance in guidance update. Freddie Mac updated guidelines that require lenders and servicers to establish a formal AI governance framework by March 2026 — including the oversight and management of tech partners’ AI tools. The rules mandate clear processes for mapping and managing AI risks, monitoring data integrity, conducting audits, and documenting roles and responsibilities to prevent conflicts of interest. The update also highlights the importance of proper vetting when selecting AI partners and vendors.

Massive Jaguar third-party breach reveals the real cost of third-party risk — and why companies must prepare. Jaguar Land Rover’s recent third-party-linked cyberattack — one of the largest in UK history — shows how a single breach can cascade across an entire ecosystem, shuttering global operations, straining financially fragile suppliers, and impacting more than 5,000 companies with an estimated £1.9 billion in losses. As third-party disruptions grow more common, the incident underscores the need for stronger vendor oversight, clearer resiliency planning (including alternative suppliers), and disciplined preparation. Insurance leaders echo the same message: keep incident-response plans current, ensure teams know approved insurer partners, and test those plans regularly. 
 
Organizations plan to increase cyber spending this year as third-party attacks rise. Organizations are doubling down on cyber resilience, with two-thirds planning to increase cyber spending this year, according to a new report. More than a quarter expect to boost budgets by over 25%. Most of these companies (70%) experienced a third-party incident in the past year. Top spending priorities include stronger security tech, better incident response prep, and hiring talent. While no organization can eliminate cyber risk, good hygiene and governance (including routinely vetting vendor security, tightening contracts, and offboarding unused providers) can significantly reduce exposure. 

Why financial institutions are embracing managed risk instead of risk avoidance. A new perspective is emerging in financial services: eliminating risk isn’t just unrealistic — it can quietly stall progress. As technology, AI, and customer expectations accelerate, the goal isn’t avoidance but active, intentional management. Modern models like the Three Lines framework help institutions balance innovation with control, enabling teams to test new products, adopt AI, and work with third parties while staying within risk appetite. But this shift depends on leadership commitment and a culture where risk awareness is shared across the enterprise. Institutions that embrace measured, well-governed risk-taking are better positioned to innovate, stay compliant, and stay competitive. 

Recently Added Articles as of December 4

Fintech data breach affects several large U.S. financial institutions. SitusAMC, a major fintech provider serving over 1,500 clients, disclosed a data breach that compromised corporate records and customer information tied to several U.S. banks. The November attack exposed accounting records, legal documents, and potentially sensitive customer data from SitusAMC’s systems. The company is still assessing the full scope of what was taken and how many banks are affected. The incident highlights how deeply vendor breaches can ripple through the financial sector and reinforces the need for continuous monitoring of third-party partners. 

Comcast fined for vendor data breach. Comcast will pay a $1.5 million FCC fine after a February 2024 vendor data breach. The breach exposed personal and financial data of nearly 275,000 Comcast customers. It impacted 4.2 million people overall. A consent decree required Comcast to strengthen vendor oversight, improve data disposal practices, conduct biennial vendor risk assessments, appoint a compliance officer, and file regular reports with the FCC. While Comcast denies wrongdoing, the case underscores the high stakes of third-party risk management and the importance of monitoring vendors even after relationships end. Your organization is still responsible for your vendor’s failures. 

Vendor data breach impacts OpenAI. OpenAI paused its use of analytics vendor Mixpanel after a breach in Mixpanel’s systems exposed limited profile data for some API users — though ChatGPT users and core OpenAI systems were not affected. The compromised data included names, emails, locations, browser details, and user or organization IDs. OpenAI removed Mixpanel from production, notified impacted users, and warned about phishing risks. While no passwords, API keys, or sensitive content were exposed, the incident underscores growing concerns about third-party security in AI ecosystems as providers rely on external analytics and integrations. 

Bank and credit union data compromised in third-party breach. Dozens of banks and credit unions were impacted by a third-party breach, affecting the sensitive data of at least 400,000. The August 2025 incident exposed names, contact details, dates of birth, Social Security numbers, and account information. The marketing vendor launched a forensic investigation, notified law enforcement, and began informing affected institutions in late October.  

Managing fintech partnership risks. Community bank–fintech partnerships offer big opportunities but come with equally big compliance expectations. Regulators are clear that banks can outsource activities, but never the risk. Experts stress that data security is the top concern. Banks must ensure vendors protect customer information as rigorously as they do internally, while also upholding consumer protection, BSA/AML, and fair lending requirements. Real-time information sharing, thorough due diligence, and clear contract language are critical for managing these partnerships.
