Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of May 21
Supply chain attacks doubled in five years — and the blast radius keeps growing. Roughly 30% of all U.S. data breaches now involve at least one third party, and the number of companies caught in supply chain attacks nearly doubled in a single year. Professional services firms saw the sharpest climb over the five-year period, with attacks rising 162% as they became preferred entry points to reach multiple downstream clients simultaneously.
FINRA conference panel flags vendor oversight gaps across financial firms. Third-party vendor risks are becoming harder to manage as AI lowers the barrier for sophisticated fraud targeting vendors of all sizes. Panelists at the 2026 FINRA Annual Conference emphasized that due diligence shouldn't stop at onboarding — tiered risk frameworks, ongoing monitoring, and vendor-specific incident response planning are all essential. One speaker put it plainly: a vendor with access to firm data represents the same exposure as a direct attack on the firm itself.
Generative AI is "out of scope" in new banking guidance, but that's not a pass. The revised federal model risk management guidance explicitly excludes generative and agentic AI in footnote 3 — not because the risk is low, but because regulators haven't built a framework capable of addressing it yet. That gap places the burden squarely on institutions to govern AI tools already operating in their environments, including those embedded several layers deep in vendor platforms. Contracts are the best defense. Institutions actively managing vendor AI risks update vendor agreements to include breach notification timelines, subcontractor visibility, data storage terms, and independent audit requirements.
Third-party breaches demand layered defenses and continuous oversight. Vendors are increasingly used as entry points into larger organizations, and a single compromised third party can expose an entire network — the same dynamic behind some of the most damaging breaches of the past decade. Effective defenses require vetting partners against recognized standards, enforcing Zero Trust access controls, segmenting networks to contain damage, and continuously monitoring third-party connections rather than relying on point-in-time reviews. Regulatory pressure is intensifying globally, with data protection frameworks expected to impose heavier fines and push organizations toward proactive, ongoing vendor risk assessment.
Insurance CROs rank third-party vendor risk among top cyber concerns. Eighty percent of insurance chief risk officers now rank cyber among their top five risks, up 14 percentage points year over year, per the annual EY-IIF global insurance CRO survey. Third-party and vendor cyber risk management was flagged as an important aspect of cyber risk by 77% of respondents. Data access, control automation, and vendor governance are increasingly important parts of managing third-party risk. As operational resilience requirements and vendor concentration concerns rise, third-party risk continues to be a top concern.
Recently Added Articles as of May 14
SEC's updated Regulation S-P puts vendor oversight on the clock. Amendments to the SEC's Regulation S-P — already in effect for large firms, taking effect June 3 for small ones — extend cybersecurity governance obligations beyond a firm's own systems to third-party vendors, cloud providers, outsourced administrators, and technology contractors. Firms must notify affected individuals within 30 days of discovering a breach, a requirement that may force a simultaneous rethinking of both internal escalation procedures and vendor relationships. Small firms face the steepest transition, as many rely on third-party providers that serve hundreds of clients and may resist customized compliance obligations.
When your vendor's breach lands you in court. Following a vendor-driven data breach at a national bank, at least two class actions were filed against the bank — not the vendor — alleging negligence, breach of fiduciary duty, and unjust enrichment. Plaintiffs' theory is that the bank's duty to safeguard customer data extended to the selection, monitoring, and oversight of every third party it trusted with that data. The takeaway for financial institutions: vendor risk programs must be designed to withstand discovery, not just satisfy examiners. Generic contract language, lapsed due diligence, and undocumented SOC 2 findings can become evidence of negligence when plaintiffs go looking. To prevent the costs and distractions of lawsuits, re-examine vendors that access sensitive customer data, audit your vendor contracts, and pressure test your incident response plan with vendor-specific scenarios.
BWH Hotels guests' reservation data accessed for six months. Hospitality group BWH Hotels — operator of Best Western, WorldHotels, and Sure Hotels — is notifying guests that hackers had undetected access to third-party housing reservation data from October 2025 through April 2026. Exposed data includes names, email addresses, phone numbers, and reservation details. Payment and financial information wasn’t stored in the affected system.
How a third-party compromise enabled a months-long stealthy intrusion. Microsoft Incident Response investigated a breach where attackers gained initial access by compromising a third-party IT services provider, then operated undetected for over 100 days by moving entirely through trusted, legitimate management tools. Because IT infrastructure management had been delegated to an outside provider, the attacker could execute scripts and harvest credentials while blending in with routine administrative activity. The case illustrates a well-documented but underappreciated risk: when a third party holds the keys to your environment, their compromise becomes yours.
Recently Added Articles as of May 7
AI governance in mortgage banking has moved from theory to regulatory expectation. AI is no longer experimental in mortgage banking — it's embedded in pricing, fraud detection, document analysis, appraisal review, and servicing. The question now is whether lenders can defend it to examiners, investors, and GSEs. As regulatory scrutiny increases, lenders must demonstrate that each AI system was identified, risk-rated, tested, governed with clear ownership, monitored for drift, and controlled through enforceable vendor contracts. Lenders need a complete inventory of AI tools and must extend AI governance to their third-party vendors.
Federal Reserve to update third-party risk guidance, signals shift on AI oversight. Vice Chair for Supervision Michelle Bowman addressed the FSOC AI roundtable on cybersecurity and risk management, signaling two significant supervisory shifts. First, the Fed, along with the OCC and FDIC, amended model risk management guidance to clarify it doesn’t apply to generative or agentic AI, acknowledging that prior guidance had been stretched beyond its original scope. Second, the Fed is actively working to update and simplify its third-party risk management guidance, which Bowman described as too vague in scope and application. She also noted that banks of all sizes have raised concerns about access to the Anthropic Mythos model and its cybersecurity implications, and that regulators will continue communicating emerging risks as the technology evolves.
Banks tighten defenses as AI model raises systemic concerns. Anthropic's security-focused model Mythos demonstrated the ability in testing to identify previously unseen software vulnerabilities and turn them into working exploits — including one bug that had gone undetected for 27 years. Anthropic hasn’t released the model publicly, granting access only to select partners. However, banks are already responding, including limiting Anthropic access and establishing task forces. Industry observers note the immediate pressure points are attack-surface scanning cadence, incident response playbooks, and vendor contract security clauses.
Third-party breaches are defining the AI-era threat landscape. A cybersecurity outlook report found that third-party and supply chain breaches have quadrupled over five years. The report identifies supply chain and third-party software as one of three primary vulnerability categories, noting that a survey ranked limited insight into upstream suppliers as a top cyber risk. Contracts are the primary protection for organizations, including mandatory breach notification timelines, visibility into subcontractors and fourth parties, clarity on data storage and AI training use, and requirements for independent audits over self-reported questionnaires.