Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of March 19
New TPRM survey shows insecurity about AI risk and the cost of manual processes. Financial institutions are overseeing hundreds of vendors with teams that haven't kept pace: 63% of TPRM programs run on just one or two dedicated employees, while more than half manage 300 or more vendor relationships. For the first time in the State of Third-Party Risk Management Survey, AI risk tied with cybersecurity as the top third-party concern, even as 72% of institutions admit only partial awareness of which vendors use AI and no organization surveyed feels extremely confident managing it. Institutions still relying on manual processes are significantly more likely to receive exam findings, a gap that is pushing 85% of financial institutions toward dedicated TPRM software.
NSA and Allies Issue AI Supply Chain Risk Guidance. The NSA published a joint cybersecurity information sheet addressing AI and ML supply chain risks, defining six risk areas — training data, models, software, infrastructure, hardware, and third-party services. Third-party services are flagged as the highest-complexity risk vector, as they can introduce vulnerabilities through their own supply chains, cyber incidents, or shared resources. The guidance calls on organizations to assess and monitor vendor security practices, require an AI Bill of Materials, and include cybersecurity requirements in contracts.
Evolving third-party risk management to address modern risks. Third-party ecosystems have become the operational backbone of many organizations, and a growing liability. Risks extend beyond direct vendors into fourth- and fifth-tier relationships most organizations can't see, and one-time assessments and contract-based oversight are no longer sufficient. Experts call instead for continuous monitoring, comprehensive vendor inventories, and a partnership model built on shared responsibility rather than checkbox compliance.
NYDFS Issues Cybersecurity Advisory for Financial Sector. The New York State Department of Financial Services issued an alert reminding regulated entities of increased cyberattack risk arising from ongoing global conflicts, urging them to ensure their cybersecurity risk management practices reflect the current heightened threat environment and to review compliance with 23 NYCRR Part 500.
Recently Added Articles as of March 12
Cloud attackers are shifting focus to third-party software flaws. A new Google report signals a shift in how cybercriminals are breaking into cloud environments — and third parties are increasingly the door they're walking through. Software vulnerabilities now account for 44.5% of initial cloud access vectors, surpassing weak credentials for the first time. Attackers are also moving faster, with exploitation windows shrinking from weeks to days. A fifth of all cloud intrusions tracked in 2025 involved compromised third-party relationships, with SaaS integrations and OAuth tokens emerging as favored entry points. As core cloud platforms improve their defenses, attackers are pivoting to the weaker links surrounding them.
Why strong TPRM programs still miss privacy risk. Having a sophisticated TPRM program doesn't guarantee privacy accountability. Mature frameworks, strong contracts, and monitoring can create the appearance of control while real gaps go undetected. Privacy responsibility gets fragmented across different departments, leaving no single owner when something goes wrong. Contracts don't enforce themselves, audit rights go unexercised, and static assessments can't keep pace with how quickly vendors evolve. Organizations must focus on whether they can demonstrate actual control over real-world outcomes.
AI in HR brings new compliance and vendor risk challenges. As companies use AI in HR for hiring, performance management, and workforce analytics, they’re facing growing operational and compliance challenges. Regulators are scrutinizing AI-driven employment decisions, pushing organizations to implement stronger governance and human oversight. Responsible AI in HR requires AI governance, involving legal teams earlier in procurement, and closely managing vendors, since employers can still be liable for how third-party HR tools use AI.
Third parties are increasingly targeted in cyberattacks. Third-party relationships remain a major source of cyber risk: 58% of breaches involving the top 100 U.S. federal contractors were linked to third-party attack vectors. Attackers increasingly target suppliers, subcontractors, and partners that access sensitive systems but operate outside the same security controls. Continuous monitoring, stronger visibility into vendor relationships, and the use of analytics and AI to detect emerging risks are critical to staying ahead, especially as new threats like AI-generated identities make it easier to exploit trust-based processes.
Third-party data breach impacts 15,000 at Ericsson. Ericsson's U.S. subsidiary reported a breach traced back to unauthorized access at a third-party service provider in April 2025 — though the investigation wasn't completed until nearly a year later. Roughly 15,000 individuals had personal information potentially exposed, though Ericsson has not clarified whether the affected data belongs to employees or customers.
Salesforce warns of cyberattackers targeting customer data. The ShinyHunters cybercrime group launched a new extortion campaign targeting Salesforce customers. It exploits overly permissive guest user configurations. Salesforce confirmed the activity stems from customer-side misconfigurations, but the group is threatening to release stolen data unless organizations pay. ShinyHunters has been running similar campaigns since mid-2025, with previous incidents resulting in millions of compromised records. Third-party platform security is only as strong as how well your own configurations are managed.
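The check behind that last sentence, as an added example that is not Salesforce's own tooling or anything from the campaign described: a script that audits a guest-user (unauthenticated site) profile, in the Metadata API Profile format, for anything beyond read access on an explicit allowlist of objects and for user permissions a guest should never hold. The two profiles, the object names, the allowlist and the list of dangerous user permissions are constructed for this example; which objects a guest legitimately needs to read is site-specific.

```python
"""Audit a Salesforce guest-user profile for over-permissive settings.

Added example, not Salesforce's code. Input is the Metadata API Profile
XML (objectPermissions / userPermissions elements); the sample profiles
below are constructed for illustration.
"""
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Any of these set to true on a guest profile is a finding: a guest
# should at most read a small, deliberate set of objects.
WRITE_FLAGS = ("allowCreate", "allowEdit", "allowDelete",
               "modifyAllRecords", "viewAllRecords")

# User permissions a guest profile should never carry (assumed list,
# chosen for the example; extend it to match your own policy).
DANGEROUS_USER_PERMS = {"ApiEnabled", "ViewAllData", "ModifyAllData",
                        "ManageUsers"}

# Constructed weak profile: edit + view-all on Account, API access enabled.
WEAK_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Account</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>
"""

# Constructed hardened profile: read-only on the one object the site needs.
HARDENED_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
</Profile>
"""


def audit_guest_profile(profile_xml, read_allowlist=frozenset({"Case"})):
    """Return sorted (object_or_permission, issue) findings for a guest profile.

    read_allowlist is the set of objects a guest may read; anything else
    readable, any write/view-all flag, and any dangerous user permission
    is reported.
    """
    root = ET.fromstring(profile_xml)
    findings = []
    for perm in root.findall(NS + "objectPermissions"):
        obj = perm.findtext(NS + "object")
        for flag in WRITE_FLAGS:
            if perm.findtext(NS + flag) == "true":
                findings.append((obj, flag))
        if perm.findtext(NS + "allowRead") == "true" and obj not in read_allowlist:
            findings.append((obj, "allowRead outside allowlist"))
    for up in root.findall(NS + "userPermissions"):
        name = up.findtext(NS + "name")
        if up.findtext(NS + "enabled") == "true" and name in DANGEROUS_USER_PERMS:
            findings.append((name, "user permission enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_guest_profile(xml))
```

Run it against each `*.profile-meta.xml` that a guest site user is assigned to; object-level permissions are only half the picture, so pair it with a review of guest sharing rules and of which Apex classes and Visualforce pages the profile can reach.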
Recently Added Articles as of March 5
Law firms face unique third-party risk exposure — and most aren't prepared. Law firms handle privileged communications, trade secrets, financial data, and personal information, making them high-value targets through their vendor ecosystems. The risks run deep — from software supply chain vulnerabilities and weak vendor contracts to undisclosed fourth-party subprocessors handling client data without the firm's knowledge. Law firms should standardize contract language across the vendor portfolio, require disclosure of all subprocessors, and establish clear vendor AI use policies to prevent client data from being used in model training.
KPMG TPRM survey highlights maturity gap and growth opportunities. While third-party risk management is evolving, true effectiveness remains out of reach for most, according to a KPMG survey. Only 18% of programs are fully integrated with enterprise risk management, just 15% of leaders have high confidence in their own TPRM data, and only 5% have end-to-end managed services. AI shows promise — 22% find it very effective — but most are still in exploration mode. Organizations should move from broad vendor screening to a targeted, risk-based approach, break down silos between TPRM and enterprise risk management, and expand visibility into Nth-party relationships to get ahead of deeper supply chain exposures.
Third- and fourth-party vendor plugins are a growing blind spot. Attackers increasingly target third parties because they know that's where the data lives, and organizations often lack visibility into the fourth-party vendors working behind the scenes. Plugin integrations are a particular challenge: once embedded across dozens of systems, they're nearly impossible to remove and frequently forgotten as teams and personnel change. The basics still matter — regular contract reviews, written documentation of vendor risk processes, and automating how that information is collected can go a long way.
Marquis Software sues SonicWall over breach that exposed 700+ banks and credit unions. Marquis Software is suing SonicWall, alleging a February 2025 cloud breach exposed unencrypted MFA scratch codes and firewall configuration data through a poorly secured API. Attackers used that data to launch a ransomware attack against Marquis six months later — compromising sensitive data across its 700+ bank and credit union customers. Marquis claims SonicWall's use of predictable device serial numbers as access keys, failure to encrypt sensitive data, and months-long delay in disclosing the breach constitute gross negligence.
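Why a predictable identifier must not double as a credential, as an added illustration of the allegation above and not SonicWall's actual code or architecture: a toy cloud backup service in two versions. The weak one hands back a device's stored configuration to anyone who supplies its serial, so a sequential walk over serials harvests every backup. The hardened one issues a random per-device bearer token at enrollment, stores only a hash of it, compares in constant time, and keeps MFA scratch codes as salted hashes rather than plaintext. The serial format, token sizes and sample data are constructed for the example.

```python
"""Predictable identifier as access key (weak) vs. random bearer token (hardened).

Added example; not SonicWall's or Marquis Software's code. Serial format,
sample blobs and scratch codes are constructed for illustration.
"""
import hashlib
import hmac
import secrets


class WeakBackupStore:
    """Backups keyed only by device serial: anyone who can guess a serial
    can fetch the plaintext configuration behind it."""

    def __init__(self):
        self._blobs = {}

    def store(self, serial, blob):
        self._blobs[serial] = blob

    def fetch(self, serial):
        return self._blobs.get(serial)


class HardenedBackupStore:
    """Fetching requires a random per-device token issued at enrollment.
    Only the token's SHA-256 is stored, and comparison is constant-time,
    so knowing a serial reveals nothing on its own."""

    def __init__(self):
        self._records = {}  # serial -> (token_hash, blob)

    def enroll(self, serial, blob):
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._records[serial] = (hashlib.sha256(token.encode()).digest(), blob)
        return token  # returned once, to the device, never stored in the clear

    def fetch(self, serial, token):
        rec = self._records.get(serial)
        if rec is None:
            return None
        expected, blob = rec
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(expected, presented):
            return None
        return blob


def enumerate_serials(fetch, prefix, count):
    """Simulated attacker: walk sequential serials and keep every hit.

    `fetch` is a callable taking a serial, so the same loop can be pointed
    at either store."""
    hits = {}
    for n in range(count):
        serial = f"{prefix}{n:06d}"
        blob = fetch(serial)
        if blob is not None:
            hits[serial] = blob
    return hits


def hash_scratch_code(code, iterations=100_000):
    """Store an MFA scratch code like a password: salted PBKDF2, never plaintext."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, iterations)
    return salt, digest


def verify_scratch_code(code, salt, digest, iterations=100_000):
    candidate = hashlib.pbkdf2_hmac("sha256", code.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak = WeakBackupStore()
    weak.store("FW-000123", b"constructed-config-backup")
    print("weak store, serial walk:", enumerate_serials(weak.fetch, "FW-", 1000))

    hard = HardenedBackupStore()
    token = hard.enroll("FW-000123", b"constructed-config-backup")
    print("hardened store, serial walk:",
          enumerate_serials(lambda s: hard.fetch(s, "guess"), "FW-", 1000))
    print("hardened store, with token:", hard.fetch("FW-000123", token))
```

The point to carry into vendor due diligence is the question this makes concrete: does the provider's API authenticate with something only the device holds, or with something printed on the chassis and visible in every inventory export?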
ManoMano's third-party breach exposes millions of customer records. A threat actor compromised ManoMano's overseas third-party customer service provider, claiming to have stolen 37.8 million customer accounts and nearly a million support tickets. While ManoMano disputes the scale, the breach exposed names, emails, phone numbers, and service conversations across five European countries. Stolen support logs and attachments give attackers the information to create convincing phishing attacks.
Advanced vendor risk management is no longer optional. Third-party breaches continue to rise, and 88% of cybersecurity leaders report concern about supply chain risks. Organizations must move toward continuous monitoring, zero-trust architecture, and AI-driven automation. Fourth-party vendors add yet another layer of exposure that many organizations are still underprepared to address. A good starting point is applying risk-based segmentation to ensure scrutiny is where exposure is highest, rather than treating all vendors the same.
Managed security providers must evolve to address third-party risk. Third-party and supply-chain dependencies have expanded the attack surface beyond what traditional security models can handle. Smaller organizations are disproportionately impacted, often lacking the tools to properly manage vendor risk, while larger ones are targeted for their high-impact potential. MSSPs and MSPs that move away from manual, point-in-time vendor assessments toward continuous, structured oversight will be better positioned as strategic partners, not just technical operators.
