Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of June 25
Klue hack results in data breach at several cybersecurity firms. A breach at competitive intelligence platform Klue allowed attackers to steal CRM data from dozens of companies. Hackers exploited a compromised legacy credential to access OAuth tokens. Affected organizations include GRC and compliance platform OneTrust, threat intelligence firm Recorded Future, and insurance software provider Insurity. The attack is an example of fourth-party risk. One compromised vendor created exposure across its entire client base. Stolen data is limited to CRM records — business contacts, account details, and sales data — with no evidence of product infrastructure or customer-facing systems affected.
Third-party breach affects 3 million. A third-party cyberattack at the Texas Parks and Wildlife Department exposed the personal information of more than 3 million. The vendor managed the hunting and fishing license sales system. Compromised data includes driver's license information, passport numbers, email addresses, phone numbers, and residential addresses.
One Medical Seniors reports data breach of third-party vendor impacting patient records. A third-party file storage system breach exposed archived records held by One Medical, the Amazon-owned primary care provider. The compromised system stored files belonging to a company One Medical had previously acquired. Affected files contain demographic and clinical records from patients at senior-focused clinics across several U.S. cities. The incident highlights the risk of legacy data persisting in third-party platforms after acquisitions.
Ransomware and third-party vendors drive highest cyber insurance losses. An analysis of about 5,500 cyber claims across 95 countries found that third-party vendors now account for nearly 50% of data breach losses and 29% of first-party losses — and a single vendor incident can affect multiple organizations simultaneously. Ransomware carries the highest financial severity of any event category, with the average incident lasting 25 days and generating $5.3 million in losses. For financial institutions, regulatory and settlement costs drive nearly 70% of total cyber losses, producing an average incident cost of $6.9 million. Regularly monitor critical vendors, confirm contractual liability before an incident, and verify vendors carry their own cyber insurance.
Third-party risk grows as businesses expand vendor networks. With 87% of executives saying third-party risk matters more today than it did three years ago, insurers and legal professionals are looking closely at vendor risks. A key warning from experts: certificates of insurance aren’t enough — businesses need to review actual policy endorsements, maintain strong contractual language with indemnification provisions, and periodically reassess vendors for compliance and cybersecurity practices.
Recently Added Articles as of June 18
OCC and Fed ramp up AI scrutiny in bank examinations. The OCC and Federal Reserve have begun pressing banks during routine exams on how they're deploying AI — including governance controls, data access, and risks posed by third-party vendors. Examiners are asking firms to map their AI use in higher-risk functions like lending, KYC, and sanctions screening with a formal request for information on generative and agentic AI in the works.
Nintendo confirms breach came through third-party HR vendor. Nintendo of America confirmed that a threat actor accessed internal employee survey data through a third-party employee engagement platform — not Nintendo's own systems. The company says no customer or financial data was affected, though a hacker group is demanding $2 million to prevent the records from being released publicly.
AI is embedded in asset management, but due diligence hasn't caught up. Mercer's 2026 AI in Asset Management Survey found that 55% of asset managers have integrated AI into at least one investment process, with 91% planning to expand use over the next 12 months. For asset owners and allocators, the firm cautions that knowing a manager uses AI is only the starting point. Due diligence requires understanding how, where, and how well it's governed.
2 in 5 organizations experienced a cyber incident tied to a supplier last year. New survey data found that 43% of organizations experienced a cyber incident caused by or originating from a third-party vendor in the past 12 months — and more than half of those incidents involved the service provider directly. Despite the exposure, over half of the respondents don't continuously monitor supply chain risk.
Novo Nordisk discloses unauthorized access to clinical trial data. Novo Nordisk reported unauthorized access to personal data belonging to a limited number of clinical trial participants. The affected data includes sex, year of birth, biomarkers, and randomized patient IDs — information the company says cannot be used to directly identify individuals. An investigation is ongoing.
LabCorp agrees to $35M settlement over 2018 vendor hack. A medical diagnostics company will pay $35 million to resolve class-action litigation stemming from a breach at American Medical Collection Agency, a now-defunct billing vendor. Hackers had access to AMCA's systems for seven months, compromising Social Security numbers, payment information, and medical data belonging to more than 10 million patients.
Fake remote workers are becoming a vendor oversight problem. A Morgan Lewis analysis warns that fraudulent remote workers — individuals using stolen identities and AI-generated profiles to gain access to company systems — represent a growing insider threat that extends beyond the organization itself. The firm urges organizations to hold their staffing and recruiting vendors to the same identity verification standards they apply internally.
Recently Added Articles as of June 11
AI vendors warned against mission creep by wealth management firms. Technology leaders at wealth management firms are flagging a growing risk as AI vendors expand beyond their core capabilities. Vendors straying from their core competency can create data integrity problems, inconsistent information across systems, and governance gaps that are difficult to manage. Firms need to maintain a clear data layer, limit vendor scope, and resist the pressure to treat AI as a universal fix. The consensus: AI is a tool, and vendor relationships built around it require the same rigorous oversight as any other third-party engagement.
What mortgage lenders need to know about vendor risk in 2026. Mortgage lenders operate through a dense web of third-party relationships, and most TPRM programs are stretched past capacity to oversee them. Survey data shows 63% of programs run with just one or two dedicated staff while managing 300 or more vendors, and 64% expect budgets to stay flat. AI tied with cybersecurity as the top concern, yet 72% of organizations are only partially aware of which vendors use AI in their products.
When shadow AI becomes a vendor management problem. A community bank employee's unauthorized use of a consumer AI tool to process sensitive customer data triggered a material SEC cybersecurity disclosure — the first known 8-K where shadow AI, not a hack or vendor breach, was the root cause. No operational disruption was required; data volume and sensitivity alone crossed the materiality threshold.
Vendor hack victim count now tops 62.2 million. The victim tally from back-office services vendor Conduent's 2024 hack has more than doubled, now exceeding 62.2 million people. The revised figure was reported to federal regulators in early June. One TPRM expert noted that the healthcare and financial services ecosystem's highly distributed data environment makes it difficult to fully assess breach scope, underscoring why continuous vendor oversight matters even after an incident appears contained.
SoFi's Hong Kong subsidiary hit in third-party vendor breach. SoFi discovered unauthorized access to a third-party customer database. The breach affected the company's Hong Kong subsidiary and may have exposed names, dates of birth, addresses, and contact information, though the full scope remains under investigation.
FTC finalizes order against ed-tech vendor over breach affecting 10 million students. The FTC finalized a consent order against K-12 software vendor Illuminate Education, requiring the company to overhaul its data security practices after a 2021 breach exposed personal data of more than 10 million students. The agency found that Illuminate ignored security warnings from a third-party vendor dating back to 2020 and failed to notify some school districts of the breach for up to two years. The order mandates a comprehensive security program, data minimization practices, and deletion of unnecessary personal data — and bars the company from misrepresenting its privacy practices.
Recently Added Articles as of June 4
Wealth manager's third-party cloud breach hits 9,000 clients. A wealth management firm disclosed a November 2025 incident affecting nearly 9,000 people. A cybercriminal accessed third-party cloud application accounts and downloaded files containing clients' names, dates of birth, Social Security numbers, and account numbers. This is separate from an earlier incident involving an affiliated entity that impacted over 9,300 people.
Smaller RIAs hit Reg S-P deadline. Yesterday marked the compliance deadline for smaller SEC-registered investment advisers under the amended Regulation S-P. Firms with less than $1.5 billion in regulatory assets under management must now have written incident response programs, 30-day customer notification procedures, expanded vendor oversight obligations, and updated recordkeeping practices — requirements that didn't exist under the original rule. The SEC has signaled that Reg S-P compliance will be a priority in examinations conducted later this year. Firms with over $1.5 billion in managed assets already had their December 2025 compliance date.
Carnival breach exposes nearly 6 million customers. The world's largest cruise operator confirmed that hackers stole personal data from nearly 6 million customers in an April cyberattack. The attack was a phishing attempt against a third-party account, giving attackers access to names, dates of birth, passport and driver's license numbers, and loyalty program data.
The missing measure in third-party risk. Despite widespread TPRM programs, most organizations still lack a standardized way to convert vendor evidence — questionnaires, certifications, audits, contracts, and insurance — into a comparable measure of residual risk. Without that common unit of measure, threshold decisions drift toward reviewer experience and business urgency rather than consistent governance. Some experts suggest a universal, assured measurement methodology that supports vendor decisions, exception management, portfolio aggregation, benchmarking, and risk transfer across the full vendor ecosystem.
AI governance lands on CFO desks. As financial institutions embed AI across credit decisioning, fraud detection, AML monitoring, and trading, compliance obligations are multiplying. US regulators expect fair lending compliance for AI-driven decisions, transparent credit outcome explanations, and full application of model risk management frameworks — and FIs remain accountable for third-party models they use even when sourced externally. CFOs are advised to build comprehensive AI model inventories, strengthen vendor oversight for AI tools, and treat compliance as a strategic capability rather than a cost center.
