Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of June 18
OCC and Fed ramp up AI scrutiny in bank examinations. The OCC and Federal Reserve have begun pressing banks during routine exams on how they're deploying AI — including governance controls, data access, and risks posed by third-party vendors. Examiners are asking firms to map their AI use in higher-risk functions like lending, KYC, and sanctions screening, with a formal request for information on generative and agentic AI in the works.
Nintendo confirms breach came through third-party HR vendor. Nintendo of America confirmed that a threat actor accessed internal employee survey data through a third-party employee engagement platform — not Nintendo's own systems. The company says no customer or financial data was affected, though a hacker group is demanding $2 million to prevent the records from being released publicly.
AI is embedded in asset management, but due diligence hasn't caught up. Mercer's 2026 AI in Asset Management Survey found that 55% of asset managers have integrated AI into at least one investment process, with 91% planning to expand use over the next 12 months. For asset owners and allocators, the firm cautions that knowing a manager uses AI is only the starting point. Due diligence requires understanding how, where, and how well it's governed.
2 in 5 organizations experienced a cyber incident tied to a supplier last year. New survey data found that 43% of organizations experienced a cyber incident caused by or originating from a third-party vendor in the past 12 months — and more than half of those incidents involved the service provider directly. Despite the exposure, over half of the respondents don't continuously monitor supply chain risk.
Novo Nordisk discloses unauthorized access to clinical trial data. Novo Nordisk reported unauthorized access to personal data belonging to a limited number of clinical trial participants. The affected data includes sex, year of birth, biomarkers, and randomized patient IDs — information the company says cannot be used to directly identify individuals. An investigation is ongoing.
LabCorp agrees to $35M settlement over 2018 vendor hack. The medical diagnostics company will pay $35 million to resolve class-action litigation stemming from a breach at American Medical Collection Agency (AMCA), a now-defunct billing vendor. Hackers had access to AMCA's systems for seven months, compromising Social Security numbers, payment information, and medical data belonging to more than 10 million patients.
Fake remote workers are becoming a vendor oversight problem. A Morgan Lewis analysis warns that fraudulent remote workers — individuals using stolen identities and AI-generated profiles to gain access to company systems — represent a growing insider threat that extends beyond the organization itself. The firm urges organizations to hold their staffing and recruiting vendors to the same identity verification standards they apply internally.
Recently Added Articles as of June 11
AI vendors warned against mission creep by wealth management firms. Technology leaders at wealth management firms are flagging a growing risk as AI vendors expand beyond their core capabilities. Vendors straying from their core competency can create data integrity problems, inconsistent information across systems, and governance gaps that are difficult to manage. Firms need to maintain a clear data layer, limit vendor scope, and resist the pressure to treat AI as a universal fix. The consensus: AI is a tool, and vendor relationships built around it require the same rigorous oversight as any other third-party engagement.
What mortgage lenders need to know about vendor risk in 2026. Mortgage lenders operate through a dense web of third-party relationships, and most TPRM programs are stretched past capacity to oversee them. Survey data shows 63% of programs run with just one or two dedicated staff while managing 300 or more vendors, and 64% expect budgets to stay flat. AI tied with cybersecurity as the top concern, yet 72% of organizations are only partially aware of which vendors use AI in their products.
When shadow AI becomes a vendor management problem. A community bank employee's unauthorized use of a consumer AI tool to process sensitive customer data triggered a material SEC cybersecurity disclosure — the first known 8-K where shadow AI, not a hack or vendor breach, was the root cause. No operational disruption was required; data volume and sensitivity alone crossed the materiality threshold.
Vendor hack victim count now tops 62.2 million. The victim tally from back-office services vendor Conduent's 2024 hack has more than doubled, now exceeding 62.2 million people. The revised figure was reported to federal regulators in early June. One TPRM expert noted that the healthcare and financial services ecosystem's highly distributed data environment makes it difficult to fully assess breach scope, underscoring why continuous vendor oversight matters even after an incident appears contained.
SoFi's Hong Kong subsidiary hit in third-party vendor breach. SoFi discovered unauthorized access to a third-party customer database. The breach affected the company's Hong Kong subsidiary and may have exposed names, dates of birth, addresses, and contact information, though the full scope remains under investigation.
FTC finalizes order against ed-tech vendor over breach affecting 10 million students. The FTC finalized a consent order against K-12 software vendor Illuminate Education, requiring the company to overhaul its data security practices after a 2021 breach exposed personal data of more than 10 million students. The agency found that Illuminate ignored security warnings from a third-party vendor dating back to 2020 and failed to notify some school districts of the breach for up to two years. The order mandates a comprehensive security program, data minimization practices, and deletion of unnecessary personal data — and bars the company from misrepresenting its privacy practices.
Recently Added Articles as of June 4
Wealth manager's third-party cloud breach hits 9,000 clients. A wealth management firm disclosed a November 2025 incident affecting nearly 9,000 people. A cybercriminal accessed third-party cloud application accounts and downloaded files containing clients' names, dates of birth, Social Security numbers, and account numbers. This is separate from an earlier incident involving an affiliated entity that impacted over 9,300 people.
Smaller RIAs hit Reg S-P deadline. Yesterday marked the compliance deadline for smaller SEC-registered investment advisers under the amended Regulation S-P. Firms with less than $1.5 billion in regulatory assets under management must now have written incident response programs, 30-day customer notification procedures, expanded vendor oversight obligations, and updated recordkeeping practices — requirements that didn't exist under the original rule. The SEC has signaled that Reg S-P compliance will be a priority in examinations conducted later this year. Firms with over $1.5 billion in managed assets already had their December 2025 compliance date.
Carnival breach exposes nearly 6 million customers. The world's largest cruise operator confirmed that hackers stole personal data from nearly 6 million customers in an April cyberattack. The attack was a phishing attempt against a third-party account, giving attackers access to names, dates of birth, passport and driver's license numbers, and loyalty program data.
The missing measure in third-party risk. Despite widespread TPRM programs, most organizations still lack a standardized way to convert vendor evidence — questionnaires, certifications, audits, contracts, and insurance — into a comparable measure of residual risk. Without that common unit of measure, threshold decisions drift toward reviewer experience and business urgency rather than consistent governance. Some experts suggest a universal, assured measurement methodology that supports vendor decisions, exception management, portfolio aggregation, benchmarking, and risk transfer across the full vendor ecosystem.
AI governance lands on CFO desks. As financial institutions embed AI across credit decisioning, fraud detection, AML monitoring, and trading, compliance obligations are multiplying. US regulators expect fair lending compliance for AI-driven decisions, transparent credit outcome explanations, and full application of model risk management frameworks — and FIs remain accountable for third-party models they use even when sourced externally. CFOs are advised to build comprehensive AI model inventories, strengthen vendor oversight for AI tools, and treat compliance as a strategic capability rather than a cost center.