
May 2026 Vendor Management News

May 28, 2026

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of May 28

TPRM programs are maturing in name only, global survey finds. A KPMG survey reveals a widening gap between TPRM ambition and execution. Only 18% have fully integrated TPRM with enterprise risk management, just one in five report their TPRM data as fully reliable, and fewer than half have standardized their vendor assessment processes. The good news: awareness is translating into action — board-level visibility into TPRM has increased significantly, and organizations that have invested in program maturity report stronger vendor relationships and faster incident response. Most are now exploring AI to accelerate the work, though only a quarter find it "very effective" — a signal that foundational data and infrastructure need to come first.

AI deployments are creating hidden GLBA compliance gaps for mortgage lenders. When mortgage company employees pass borrower data to third-party generative AI tools outside the institution's vendor management framework, the result is a potential GLBA and Safeguards Rule violation with no negotiated data-use restriction, no audit rights, no subprocessor controls, and no record of the disclosure. GLBA, ECOA, and the Fair Housing Act predate AI by decades, but they still govern how lenders handle nonpublic personal information regardless of the technology involved. The compliance risk emerges at three levels: vendor data flows, employee use of unapproved tools, and model-generated inferences that trigger privacy and fair-lending consequences.

Third-party risk sits off the balance sheet — until it doesn't. As vendor ecosystems sprawl across cloud providers, contractors, and outsourced platforms, the share of data breaches with a third-party origin has roughly doubled in recent years. Financial institutions and credit unions face heightened exposure through fintechs, cloud providers, and outsourced platforms, where failures in fraud controls, data security, or compliance can trigger enforcement actions and erode customer trust. A tiered TPRM framework, resilient vendor contracts, and continuous monitoring are key tools to manage the risks.  

Mortgage vendor consolidation accelerates under compliance and cyber pressure. Smaller mortgage technology and service vendors are being squeezed out as rising regulatory and cybersecurity requirements raise operating costs beyond what subscale providers can sustain. Scale is becoming a decisive advantage, with lenders consolidating toward multiproduct platforms and pulling business from vendors that can't meet compliance or cyber thresholds. The shift is visible across title, processing, and appraisal management — where the five largest providers now dominate a market that remains heavily fragmented at the lower tier.

Banking industry calls for TPRM framework overhaul. The Consumer Bankers Association, American Fintech Council, Coalition for Financial Ecosystem Standards, and Independent Community Bankers of America jointly released a report calling for supervisory reforms to third-party risk management. The core argument: existing guidance was designed around point-in-time vendor validation, but today's banking environment — characterized by concentrated hyperscale cloud and AI infrastructure providers, continuously updated AI models, and thousands of vendor relationships — demands a shift toward materiality-based, real-time monitoring and operational resiliency frameworks. Key recommendations include limiting examiner expectations on fourth- and nth-party oversight, accommodating concentrated vendors where negotiation is impractical, and supporting AI-assisted TPRM functions with appropriate governance.

Downtime now costs Global 2000 companies $600 billion annually. A recent report finds that unplanned outages and service degradation cost Global 2000 companies an average of $300 million per company per year — a 50% increase in two years. Third-party dependencies are a leading contributor, alongside human error, ransomware, and AI-related complexity. Downtime caused by third parties increased from 24% in 2024 to 63% in 2026. Regulatory fines tied to outages are now the single most disruptive cost category for technology leaders, cited by 57% as highly disruptive.

Vulnerability exploitation overtakes credential theft as top breach vector. The 2026 Verizon Data Breach Investigations Report finds that breaches now start more often with exploited software vulnerabilities than stolen passwords — a shift in how attackers gain initial access. Ransomware is involved in nearly all breaches, though payouts are declining. Generative AI is augmenting attacks across multiple stages, from identifying gaps to writing malware, and mobile devices are increasingly targeted as phishing defenses have improved. 

Recently Added Articles as of May 21

Supply chain attacks doubled in five years — and the blast radius keeps growing. Roughly 30% of all U.S. data breaches now involve at least one third party, and the number of companies caught in supply chain attacks nearly doubled in a single year. Professional services firms saw the sharpest climb over the five-year period, with attacks rising 162% as they became preferred entry points to reach multiple downstream clients simultaneously.

FINRA conference panel flags vendor oversight gaps across financial firms. Third-party vendor risks are becoming harder to manage as AI lowers the barrier for sophisticated fraud targeting vendors of all sizes. Panelists at the 2026 FINRA Annual Conference emphasized that due diligence shouldn't stop at onboarding — tiered risk frameworks, ongoing monitoring, and vendor-specific incident response planning are all essential. One speaker put it plainly: a vendor with access to firm data represents the same exposure as a direct attack on the firm itself.

Generative AI is "out of scope" in new banking guidance, but that's not a pass. The revised federal model risk management guidance explicitly excludes generative and agentic AI in footnote 3 — not because the risk is low, but because regulators haven't built a framework capable of addressing it yet. That gap places the burden squarely on institutions to govern AI tools already operating in their environments, including those embedded several layers deep in vendor platforms. Contracts are the best defense. Institutions actively managing vendor AI risks update vendor agreements to include breach notification timelines, subcontractor visibility, data storage terms, and independent audit requirements.

Third-party breaches demand layered defenses and continuous oversight. Vendors are increasingly used as entry points into larger organizations, and a single compromised third party can expose an entire network — the same dynamic behind some of the most damaging breaches of the past decade. Effective defenses require vetting partners against recognized standards, enforcing Zero Trust access controls, segmenting networks to contain damage, and continuously monitoring third-party connections rather than relying on point-in-time reviews. Regulatory pressure is intensifying globally, with data protection frameworks expected to impose heavier fines and push organizations toward proactive, ongoing vendor risk assessment.

Insurance CROs rank third-party vendor risk among top cyber concerns. Eighty percent of insurance chief risk officers now rank cyber among their top five risks, up 14 percentage points year over year, per the annual EY-IIF global insurance CRO survey. Third-party and vendor cyber risk management was flagged as an important aspect of cyber risk by 77% of respondents. Data access, control automation, and vendor governance are increasingly important parts of managing third-party risk, and with operational resilience requirements and vendor concentration concerns both rising, third-party risk remains a top concern.

Recently Added Articles as of May 14

SEC's updated Regulation S-P puts vendor oversight on the clock. Amendments to the SEC's Regulation S-P — already in effect for large firms, taking effect June 3 for small ones — extend cybersecurity governance obligations beyond a firm's own systems to third-party vendors, cloud providers, outsourced administrators, and technology contractors. Firms must notify affected individuals within 30 days of discovering a breach, a requirement that may force a simultaneous rethinking of both internal escalation procedures and vendor relationships. Small firms face the steepest transition, as many rely on third-party providers that serve hundreds of clients and may resist customized compliance obligations.  

When your vendor's breach lands you in court. Following a vendor-driven data breach at a national bank, at least two class actions were filed against the bank — not the vendor — alleging negligence, breach of fiduciary duty, and unjust enrichment. Plaintiffs' theory is that the bank's duty to safeguard customer data extended to the selection, monitoring, and oversight of every third party it trusted with that data. The takeaway for financial institutions: vendor risk programs must be designed to withstand discovery, not just satisfy examiners. Generic contract language, lapsed due diligence, and undocumented SOC 2 findings can become evidence of negligence when plaintiffs go looking. To prevent the costs and distractions of lawsuits, re-examine vendors that access sensitive customer data, audit your vendor contracts, and pressure test your incident response plan with vendor-specific scenarios.  

BWH Hotels guests' reservation data accessed for six months. Hospitality group BWH Hotels — operator of Best Western, WorldHotels, and Sure Hotels — is notifying guests that hackers had undetected access to third-party housing reservation data from October 2025 through April 2026. Exposed data includes names, email addresses, phone numbers, and reservation details. Payment and financial information wasn’t stored in the affected system.

How a third-party compromise enabled a months-long stealthy intrusion. Microsoft Incident Response investigated a breach where attackers gained initial access by compromising a third-party IT services provider, then operated undetected for over 100 days by moving entirely through trusted, legitimate management tools. Because IT infrastructure management had been delegated to an outside provider, the attacker could execute scripts and harvest credentials while blending in with routine administrative activity. The case illustrates a well-documented but underappreciated risk: when a third party holds the keys to your environment, their compromise becomes yours. 

Recently Added Articles as of May 7

AI governance in mortgage banking has moved from theory to regulatory expectation. AI is no longer experimental in mortgage banking — it's embedded in pricing, fraud detection, document analysis, appraisal review, and servicing. The question now is whether lenders can defend that use to examiners, investors, and GSEs. As regulatory scrutiny increases, lenders must demonstrate that each AI system was identified, risk-rated, tested, governed with clear ownership, monitored for drift, and controlled through enforceable vendor contracts. Lenders need a complete inventory of AI tools and must extend AI governance to their third-party vendors.

Federal Reserve to update third-party risk guidance, signals shift on AI oversight. Vice Chair for Supervision Michelle Bowman addressed the FSOC AI roundtable on cybersecurity and risk management, signaling two significant supervisory shifts. First, the Fed, along with the OCC and FDIC, amended model risk management guidance to clarify it doesn’t apply to generative or agentic AI, acknowledging that prior guidance had been stretched beyond its original scope. Second, the Fed is actively working to update and simplify its third-party risk management guidance, which Bowman described as too vague in scope and application. She also noted that banks of all sizes have raised concerns about access to the Anthropic Mythos model and its cybersecurity implications, and that regulators will continue communicating emerging risks as the technology evolves.

Banks tighten defenses as AI model raises systemic concerns. Anthropic's security-focused model Mythos demonstrated the ability in testing to identify previously unseen software vulnerabilities and turn them into working exploits — including one bug that had gone undetected for 27 years. Anthropic hasn’t released the model publicly, granting access only to select partners. However, banks are already responding, including limiting Anthropic access and establishing task forces. Industry observers note the immediate pressure points are attack-surface scanning cadence, incident response playbooks, and vendor contract security clauses.

Third-party breaches are defining the AI-era threat landscape. A cybersecurity outlook report found that third-party and supply chain breaches have quadrupled over five years. The report identifies supply chain and third-party software as one of three primary vulnerability categories, noting that a survey ranked limited insight into upstream suppliers as a top cyber risk. Contracts are the primary protection for organizations, including mandatory breach notification timelines, visibility into subcontractors and fourth parties, clarity on data storage and AI training use, and requirements for independent audits over self-reported questionnaires.
