Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Law firms face unique third-party risk exposure — and most aren't prepared. Law firms handle privileged communications, trade secrets, financial data, and personal information, making them high-value targets through their vendor ecosystems. The risks run deep — from software supply chain vulnerabilities and weak vendor contracts to undisclosed fourth-party subprocessors handling client data without the firm's knowledge. Law firms should standardize contract language across the vendor portfolio, require disclosure of all subprocessors, and establish clear vendor AI use policies to prevent client data from being used in model training.
KPMG TPRM survey highlights maturity gap and growth opportunities. While third-party risk management is evolving, true effectiveness remains out of reach for most, according to a KPMG survey. Only 18% of programs are fully integrated with enterprise risk management, just 15% of leaders have high confidence in their own TPRM data, and only 5% have end-to-end managed services. AI shows promise — 22% find it very effective — but most are still in exploration mode. Organizations should move from broad vendor screening to a targeted, risk-based approach, break down silos between TPRM and enterprise risk management, and expand visibility into Nth-party relationships to get ahead of deeper supply chain exposures.
Third- and fourth-party vendor plugins are a growing blind spot. Attackers increasingly target third parties because they know that's where the data lives, and organizations often lack visibility into the fourth-party vendors working behind the scenes. Plugin integrations are a particular challenge: once embedded across dozens of systems, they're nearly impossible to remove and frequently forgotten as teams and personnel change. The basics still matter — regular contract reviews, written documentation of vendor risk processes, and automating how that information is collected can go a long way.
Marquis Software sues SonicWall over breach that exposed 700+ banks and credit unions. Marquis Software is suing SonicWall, alleging a February 2025 cloud breach exposed unencrypted MFA scratch codes and firewall configuration data through a poorly secured API. Attackers used that data to launch a ransomware attack against Marquis six months later — compromising sensitive data across its 700+ bank and credit union customers. Marquis claims SonicWall's use of predictable device serial numbers as access keys, failure to encrypt sensitive data, and months-long delay in disclosing the breach constitute gross negligence.
ManoMano's third-party breach exposes millions of customer records. A threat actor compromised ManoMano's overseas third-party customer service provider, claiming to have stolen 37.8 million customer accounts and nearly a million support tickets. While ManoMano disputes the scale, the breach exposed names, emails, phone numbers, and service conversations across five European countries. Stolen support logs and attachments give attackers the information to create convincing phishing attacks.
Advanced vendor risk management is no longer optional. Third-party breaches continue to rise, and 88% of cybersecurity leaders report concern about supply chain risks. Organizations must move toward continuous monitoring, zero-trust architecture, and AI-driven automation. Fourth-party vendors add yet another layer of exposure that many organizations are still underprepared to address. A good starting point is applying risk-based segmentation so that scrutiny is concentrated where exposure is highest, rather than treating all vendors the same.
Managed security providers must evolve to address third-party risk. Third-party and supply-chain dependencies have expanded the attack surface beyond what traditional security models can handle. Smaller organizations are disproportionately impacted, often lacking the tools to properly manage vendor risk, while larger ones are targeted for their high-impact potential. MSSPs and MSPs that move away from manual, point-in-time vendor assessments toward continuous, structured oversight will be better positioned as strategic partners, not just technical operators.