Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Almost a third of financial data breaches involve third parties. Financial services once again led all industries in data breaches in 2025, highlighting a risk environment that continues to intensify. New data shows that roughly 30% of breaches now involve third parties, with attackers increasingly compromising vendors as a path into financial institutions. Concentration risk in a small number of critical technology providers raises the stakes of any single failure. Stronger third-party oversight, better visibility into supply chains, and more proactive information sharing are essential to managing evolving cyber risks.
AI legislation speeds up across the states. Just one month into 2026, state lawmakers are already moving aggressively on AI and privacy, with hundreds of bills under consideration across the country. Legislatures are especially active in states with short sessions, accelerating momentum around regulations for AI chatbots, algorithmic and surveillance-based pricing, health-related AI use, children's privacy, data brokers, and consumer data protection. State-level action on AI transparency, pricing practices, and privacy rights is far from slowing down. The regulatory patchwork is growing more complex, and keeping pace with evolving state requirements around AI governance, data use, and third-party impacts will be critical throughout 2026.
Third-party risk management needs to evolve as risks become more complex. As financial institutions deepen partnerships with fintech and crypto-native firms, third-party risk is becoming more complex and more critical to get right. While collaborations unlock innovation and growth, they also expand the attack surface, introducing new cybersecurity, financial crime, operational, and regulatory risks. One-size-fits-all TPRM programs no longer work. Organizations need tailored, risk-based approaches that improve visibility, strengthen due diligence and onboarding, and align third-party oversight with enterprise risk programs. Thoughtful third-party risk management helps institutions protect trust, meet regulatory expectations, and safely pursue new opportunities in a rapidly evolving landscape.
Third-party risk is inherently a customer service issue. As organizations rely on SaaS providers for everything from identity verification to payments and data storage, third-party failures or breaches quickly become customer-facing issues, directly impacting trust and brand reputation. Cybersecurity and vendor risk management should be treated as core customer disciplines, not just compliance exercises. Organizations should map vendors to customer journeys, prioritize risks based on customer impact, and build accountability into procurement and governance. By breaking down silos between customer service, IT, and security, they can better protect customer data, strengthen trust, and deliver more resilient, customer-centric experiences.
Improving TPRM practices to address increasing risks. Third-party risk now lives across ecosystems of vendors, cloud providers, fintechs, and digital asset partners, where failures can quickly cascade into regulatory, operational, and reputational fallout. Even trusted, top-tier vendors can become single points of failure. Organizations should move toward continuous, risk-based oversight that prioritizes critical third and fourth parties, strengthens governance and contractual controls, improves real-time visibility across supply chains, and integrates AI responsibly with human judgment.