Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of October 30
Are you assessing AI risks? This week's headlines emphasized the importance of investing in AI governance, assessing the risk of all AI tools, including AI agents, and reviewing how your vendors use AI.
Assessing the risk of AI agents. AI agents now act like decision-making insiders — accessing internal and third-party systems, executing actions, and influencing outcomes — yet most organizations still treat them like passive tools. They must instead be governed like part of the workforce: fully inventoried, given least-privilege access, bound by policy, continuously monitored for behavior and output risk, and even “trained” to operate within approved boundaries. This isn’t a technical configuration issue anymore — it’s a shift to full accountability and governance from day one.
Asset managers face growing cyber threats yet are unprepared. A recent study found that 93% of asset managers experienced at least one cybersecurity incident in the past year — and nearly 20% faced dozens. These firms, especially investment advisers, wealth managers, hedge funds, and private equity firms, are high-value targets due to the sensitive data and large capital flows they handle. An overwhelming 88% said a major cyber incident would likely result in asset withdrawals or financial losses. Yet readiness remains uneven: about a third lack confidence in AI-driven threat detection, only 17% plan to prioritize security training, and 41% still review cyber risk quarterly or less.
Aligning vendor due diligence to emerging risks. Nearly half of organizations experienced a third-party breach in the past year — underscoring the rising complexity of vendor risk. CISOs are under pressure to manage due diligence without slowing innovation or damaging strategic partnerships. True vendor vetting is no longer a one-time checklist exercise; it requires continuous dialogue, relationship-building, and shared accountability. As AI introduces both new risks and new evaluation tools, organizations should align assessments to recognized frameworks like ISO 27001 or SOC 2, incorporate AI governance expectations, and maintain transparency to build trust rather than friction.
Investing in AI governance a critical necessity. AI is now a core enterprise function that requires governance to ensure transparency, accountability, and compliance. Organizations must embed cross-functional ownership, continuous monitoring, and structured controls, including model registries and third-party oversight. Proper AI governance aligns systems with operational, legal, and ethical standards, mitigates risk, and enables safe, scalable deployment, making it essential for organizations that want to grow AI responsibly without compromising performance or compliance.
10.5 million patients impacted in third-party data breach. More than 10.5 million patients were impacted in a third-party data breach that occurred in January 2025. Conduent Business Solutions reported the breach, which affected multiple healthcare clients. Breaches like this underscore the need for robust vendor risk management, continuous monitoring of high-risk providers, strict contractual obligations, and comprehensive incident response plans.
How to assess vendor AI tools. Before adopting AI tools, organizations need to follow a structured evaluation process that goes beyond vendor demos to assess use cases, regulatory implications, data quality, technical details, vendor dependencies, output risks, and human oversight. Perform AI impact assessments addressing privacy, security, and trustworthiness, document compliance, and plan for failures and resilience. Contracts should include restrictions on AI use, transparency about vendor processes, documentation and audit rights, compliance assurances, and supply chain oversight.
Using continuous monitoring for third-party attacks. Attackers increasingly exploit vendor systems to access larger, more secure organizations, using reused or compromised credentials as their entry point. Point-in-time vendor risk assessments aren’t enough. They don’t detect when credentials are actively circulating on the dark web. With regulators holding organizations accountable for vendor-related breaches, continuous credential monitoring is becoming a must-have defense. By requiring vendors to implement ongoing password checks and replacing weak or exposed credentials in real time, organizations add an extra preventative layer of security.
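The "ongoing password check" described above is usually implemented as a k-anonymity lookup: the client hashes the secret, sends only the first five hex characters of the SHA-1 digest to an exposure service, and matches the remaining suffix locally, so the service never learns the password or even its full hash. The block below is an added example written for this page, not code from the article or any vendor it mentions. It assumes an exposure feed in the same shape as the Pwned Passwords range API and simulates that server side offline against a constructed sample list (EXPOSED_SAMPLE); the vendor account names, their passwords and the 12-character minimum are all constructed for illustration.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample of exposed passwords standing in for a breach-exposure feed.
# A production check would query a k-anonymity range service (for example the
# Pwned Passwords API at https://api.pwnedpasswords.com/range/<5-hex-prefix>);
# here the server side is simulated offline so the example runs without network.
EXPOSED_SAMPLE = ["password", "Summer2024!", "Welcome1", "letmein", "password"]

MIN_LENGTH = 12  # assumed policy minimum for vendor service-account secrets


def sha1_hex(secret: str) -> str:
    """Uppercase hex SHA-1, the digest form range-style lookups are keyed on."""
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_range_index(exposed: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Server side: index exposed secrets as 5-char prefix -> {35-char suffix: count}."""
    index: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for secret in exposed:
        digest = sha1_hex(secret)
        index[digest[:5]][digest[5:]] += 1
    return index


def make_range_query(index: Dict[str, Dict[str, int]]) -> Callable[[str], List[str]]:
    """Returns a lookup that answers a prefix with 'SUFFIX:COUNT' lines,
    the response format of a k-anonymity range endpoint."""
    def query(prefix: str) -> List[str]:
        return [f"{suf}:{cnt}" for suf, cnt in sorted(index.get(prefix, {}).items())]
    return query


def exposure_count(secret: str, query: Callable[[str], List[str]]) -> int:
    """Client side: only the first 5 hex chars of the hash leave the client;
    the suffix is compared locally. Returns 0 when the secret is not exposed."""
    digest = sha1_hex(secret)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vendor_credentials(
    accounts: Dict[str, str], query: Callable[[str], List[str]]
) -> List[Tuple[str, str]]:
    """Flags accounts whose secret is exposed or violates the length policy.
    Intended to run when a credential is set or from the vendor's rotation job;
    the plaintext must never be logged or sent to the lookup service."""
    findings: List[Tuple[str, str]] = []
    for account, secret in accounts.items():
        seen = exposure_count(secret, query)
        if seen:
            findings.append((account, f"exposed ({seen} sightings): rotate now"))
        elif len(secret) < MIN_LENGTH:
            findings.append((account, f"shorter than {MIN_LENGTH} chars: strengthen"))
    return findings


if __name__ == "__main__":
    lookup = make_range_query(build_range_index(EXPOSED_SAMPLE))
    # Constructed vendor service accounts; these are not real credentials.
    sample_accounts = {
        "vendor-sftp-svc": "Summer2024!",
        "vendor-api-svc": "correct horse battery staple",
        "vendor-vpn-svc": "Tr0ub4dor",
    }
    for account, reason in audit_vendor_credentials(sample_accounts, lookup):
        print(f"{account}: {reason}")
```

The check only works where the plaintext is available, that is, at credential-set time or inside the vendor's own rotation tooling; it cannot be run retroactively against stored password hashes. A contract clause requiring this check is therefore only enforceable if the vendor can evidence where in its lifecycle the lookup runs.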
Recently Added Articles as of October 23
New York regulators reminded banks of their responsibility for third-party cybersecurity risks and the recent AWS outage shows the consequences of concentration risk. Catch up on this week's news plus check out our latest resources!
NYDFS reminds financial institutions of their third-party risk management requirements. Financial institutions are fully accountable for third-party cybersecurity risks, according to New York’s Department of Financial Services (NYDFS). The agency released new guidance that reinforces that institutions must protect their customers, even when outsourcing services. NYDFS encouraged institutions to strengthen internal controls, clarify vendor responsibilities, and align with existing cybersecurity requirements. With third-party breaches doubling in 2024 and data breach lawsuits skyrocketing, effective third-party risk management is essential for maintaining trust, resilience, and regulatory compliance in today’s interconnected financial ecosystem.
Outdated risk management processes put insurers in danger. A new Dun & Bradstreet report reveals that 85% of UK insurers and brokers have suffered negative impacts from third-party risks, including cyber incidents, financial losses, and reputational damage. Despite increased investment in areas like cybersecurity and fraud prevention, many firms admit they’re still underprepared, largely because of poor data quality, siloed systems, and outdated risk processes. Tackling modern threats with “yesterday’s tools” won’t cut it. Insurers must strengthen data foundations, modernize their third-party risk frameworks, and adopt real-time monitoring to stay resilient.
Lessons in third-party concentration risk from the AWS outage. A major AWS outage in its US-East region caused widespread disruptions across consumer, financial, and government services, underscoring the growing risks of cloud concentration. Overreliance on a single cloud provider or region can create cascading impacts across critical systems. Organizations should strengthen oversight, diversify infrastructure, and ensure disaster recovery plans account for cloud outages. Mapping dependencies, testing vendor resilience, and updating third-party contracts to clarify accountability are key steps to reducing exposure when essential cloud services go down.
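"Mapping dependencies" is where concentration risk usually hides: a flat list of the regions a service touches can look diversified while a single vendor on the path has no failover. The block below is an added example written for this page, not code from the article or from any provider it names. It models a dependency map the way a third-party risk team might keep one (every service, vendor and "provider:region" leaf name in GRAPH is constructed), distinguishes components that need all of their dependencies from those that survive on any one, and computes the blast radius of a single region failing versus the naive footprint of regions a service merely touches.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Service:
    """A service or vendor and what it depends on. redundant=True means it stays
    up while ANY dependency is up (multi-region, active/standby); redundant=False
    means it needs ALL of them."""
    deps: List[str] = field(default_factory=list)
    redundant: bool = False


# Constructed sample dependency map; names are illustrative, not from the article.
# Leaves (names not defined as services) use an assumed "provider:region" convention.
GRAPH: Dict[str, Service] = {
    "customer-portal": Service(["auth-vendor", "payments-saas", "primary-db"]),
    "auth-vendor": Service(["aws:us-east-1"]),                       # single region, no DR
    "payments-saas": Service(["payments-primary", "payments-dr"], redundant=True),
    "payments-primary": Service(["aws:us-east-1"]),
    "payments-dr": Service(["aws:eu-west-1"]),
    "primary-db": Service(["aws:us-east-1", "aws:us-west-2"], redundant=True),
    "reporting": Service(["analytics-vendor"]),
    "analytics-vendor": Service(["gcp:us-central1"]),
}


def leaves(graph: Dict[str, Service]) -> Set[str]:
    """Infrastructure leaves: referenced as a dependency but not defined as a service."""
    return {d for s in graph.values() for d in s.deps if d not in graph}


def is_down(name: str, graph: Dict[str, Service], failed: Set[str],
            memo: Dict[str, bool]) -> bool:
    """Availability of one node given a set of failed leaves, honouring redundancy."""
    if name in memo:
        return memo[name]
    if name not in graph:                      # leaf: down iff it is in the failed set
        memo[name] = name in failed
        return memo[name]
    svc = graph[name]
    if not svc.deps:                           # nothing to depend on, so nothing to fail
        memo[name] = False
        return False
    states = [is_down(d, graph, failed, memo) for d in svc.deps]
    memo[name] = all(states) if svc.redundant else any(states)
    return memo[name]


def blast_radius(graph: Dict[str, Service], failed: Set[str]) -> Set[str]:
    """Every defined service that goes down when the given leaves fail."""
    memo: Dict[str, bool] = {}
    return {name for name in graph if is_down(name, graph, failed, memo)}


def footprint(name: str, graph: Dict[str, Service]) -> Set[str]:
    """All leaves reachable from a service: what a naive dependency inventory shows."""
    out: Set[str] = set()
    seen: Set[str] = set()
    stack = [name]
    while stack:
        n = stack.pop()
        if n in seen:
            continue
        seen.add(n)
        if n in graph:
            stack.extend(graph[n].deps)
        else:
            out.add(n)
    return out


def concentration_report(graph: Dict[str, Service]) -> Dict[str, List[str]]:
    """For each leaf, the top-level services (nothing depends on them) that it
    alone can take down. Non-empty entries are the concentration risks."""
    depended_on = {d for s in graph.values() for d in s.deps}
    top_level = [n for n in graph if n not in depended_on]
    report: Dict[str, List[str]] = {}
    for leaf in sorted(leaves(graph)):
        down = blast_radius(graph, {leaf})
        report[leaf] = sorted(t for t in top_level if t in down)
    return report


if __name__ == "__main__":
    print("portal touches:", sorted(footprint("customer-portal", GRAPH)))
    print("us-east-1 outage takes down:", sorted(blast_radius(GRAPH, {"aws:us-east-1"})))
    for leaf, victims in concentration_report(GRAPH).items():
        print(f"{leaf}: {victims or 'no top-level impact'}")
```

In the sample, the portal's footprint spans three regions, yet the report shows one region failure still takes it down because the authentication vendor has no failover; that single-vendor path is the contract and resilience-testing conversation to have, and it is invisible in the footprint alone.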
Cybersecurity trends for organizations to monitor. Recent cybersecurity trends show the landscape evolving rapidly, with AI-enhanced attacks, sophisticated ransomware, nation-state operations, and third-party supply chain breaches becoming increasingly common. Generative AI enables more convincing phishing, deepfakes, and vishing attacks, while ransomware groups are escalating disruption and extortion tactics. Third-party breaches are also emerging as a costly, persistent threat. Track these trends closely, strengthen incident response and vendor oversight, update policies, and adopt proactive monitoring to stay ahead.
Growing concern over third-party risks as data breaches increase. A new report highlights growing concern over third-party and supply chain risk, with 60% of cybersecurity leaders calling these threats “innumerable and unmanageable” and 61% reporting a breach in the past year. Despite the impact, only 23% rank supply chain compromise as a top threat, revealing a major confidence gap. The report warns that attackers increasingly target smaller vendors as entry points and urges stronger vendor risk management and investment to improve resilience.
Using proactive third-party risk management to manage global vendors. Managing global vendors requires proactive third-party risk management. A disruption in a vendor’s region, whether due to political issues, natural disasters, or infrastructure failures, can directly impact operations. Thoroughly vet potential vendors, clearly define expectations in contracts, and maintain backup options in case of disruptions. Strong oversight and preparation are key steps toward creating stable, secure, and dependable global partnerships.
The importance of managing third-party risk. Many cybersecurity leaders underestimate third-party risk, focusing their defenses inward while overlooking vendor vulnerabilities. A single weak link can lead to massive financial, operational, and reputational fallout. Regulations now emphasize stronger due diligence, contractual safeguards, and continuous monitoring to prevent third parties from becoming cyber weak points. Effective third-party risk management requires a proactive, intelligence-driven approach.
Regulators rescind climate guidance for banks. The Federal Reserve, FDIC, and OCC jointly rescinded their Principles for Climate-Related Financial Risk Management for Large Financial Institutions, ending formal climate-risk guidance for banks with more than $100 billion in assets. The agencies stated that existing risk management standards already require institutions to identify and address all material risks, including emerging ones, and expressed concern that the climate framework could distract from other priorities.
Recently Added Articles as of October 16
Cybersecurity and third-party risks are top concerns for insurers and businesses, with recent class action lawsuits and growing risk concerns. More organizations are also investing in governance as AI adoption grows.
Organizations investing in governance to mitigate AI risks. Organizations are ramping up governance investments as AI adoption accelerates. Strategies like human review, data access restrictions, and trusted technology providers help mitigate risks. Fast-moving AI initiatives require equally agile oversight, or businesses risk serious financial, operational, and reputational damage.
Practices to remain secure from third-party risks. One of the biggest cybersecurity gaps isn’t inside your organization, but instead with third-party vendors. Many organizations assume reputable vendors are secure, but weak contracts, unchecked questionnaires, and outdated oversight leave them vulnerable. The FTC, SEC, and state-level requirements emphasize vendor oversight. Organizations must identify critical vendors, define clear security expectations, verify controls with evidence like SOC 2 reports, and conduct annual reviews. Strong vendor management helps ensure compliance while providing a competitive advantage.
Cybersecurity risks can be costly for insurers. Two recent class action cases resulted in nearly $20 million in settlements after breaches exposed sensitive health and personal data of over 3 million people. Regulators and plaintiffs are treating basic cybersecurity failures as actionable. Cybersecurity has shifted from an IT concern to a core compliance issue. Regularly reviewing security controls, improving breach response plans, and managing third-party risks are essential steps to avoid regulatory scrutiny and significant financial and reputational fallout.
Cybersecurity risk a top concern for insurers. A recent survey revealed insurers are facing a convergence of challenges, from cyber and climate risks to geopolitical volatility, requiring strategy, resilience, and innovation. Cyber risk leads the pack, with insurers exposed both as underwriters and targets, while AI-driven threats demand clearer policies and resilience planning. Climate change and natural disasters continue pressuring underwriting and capital allocation, while geopolitical tensions and regulatory shifts underscore the need for proactive risk monitoring.
Trust gap emerges in third-party relationships. Nearly one in three UK risk managers don't fully trust third parties to handle key threats, while over a quarter admit they don't fully understand the risks they're managing. Traditional due diligence and one-time assessments can't keep pace with today's fast-changing cyber, AI, and geopolitical risks. Continuous, intelligence-driven oversight is essential. By improving internal visibility and mapping critical dependencies, organizations can transform outsourcing from a blind leap into a strategic advantage.
Protecting your organization from third-party cybersecurity risk. Third-party vendors and cloud providers are vital to modern business but pose massive cybersecurity risks. Many breaches now stem from vendor vulnerabilities rather than internal systems, driving greater regulatory scrutiny. Move beyond onboarding checks. Prioritize continuous monitoring, robust contractual safeguards, and clear internal accountability. While you can delegate tasks to vendors, you can't delegate responsibility. Boards and executives must treat third-party risk with the same rigor as internal security.
Recently Added Articles as of October 10
Third-party risks are making headlines: Several third-party data breaches compromised customer data. On the industry front, fintechs are increasingly partnering with credit unions and third-party risk is becoming a greater priority.
Third-party data breach exposes personal information on Discord. Discord disclosed a breach involving one of its third-party customer service providers, impacting users who interacted with support or trust and safety teams. Compromised data includes usernames, email addresses, billing details, IP addresses, and in some cases, government ID images from users appealing age-verification decisions. The breach prompted Discord to revoke the vendor’s access.
More fintechs partnering with credit unions. A recent report shows nearly half of fintechs (48% in 2025) now partner with credit unions. Yet, many underestimate the hurdles and opportunities these relationships bring. Fintechs report slow decision-making and regulatory complexity, while credit unions worry about product fit and compliance. Success requires fintechs to be regulation-ready, align solutions with credit union governance, and demonstrate measurable value — all while maintaining strong risk controls.
Third-party risk management crucial to remaining secure. As organizations lean more on cloud services, SaaS platforms, and IoT devices, traditional defenses like firewalls aren’t enough. Effective third-party risk management now demands continuous vendor assessments, stronger authentication, network segmentation, and, importantly, collaboration. Turning cybersecurity into a shared responsibility transforms it from reactive defense to proactive protection — essential for maintaining trust in the digital economy.
Renault customers impacted in third-party data breach. Renault UK notified customers of a third-party data breach. Compromised information may include names, contact details, and vehicle identifiers. Renault has contained the incident, is working with the vendor, and has alerted relevant authorities. The automaker urges customers to remain vigilant against phishing attempts.
Turning third-party risk management into strategic advantage is critical. Emerging technologies and evolving regulations are reshaping cybersecurity in financial services. ING’s CISO Debbie Janecek noted that third-party risk management has been elevated from a compliance checkbox to a continuous, board-level responsibility. Organizations must balance innovation, regulation, and resilience, while fostering close vendor partnerships to stay ahead of fast-moving cyber threats. AI governance will also grow more important.
Small percentage use AI for risk management. While technology adoption is growing for compliance and due diligence, only about 15% of asset owners use AI for risk management. AI can improve efficiency, transparency, and risk identification, but organizations must first ensure robust risk assessments, governance, and data integrity. As regulations evolve, AI is increasingly not just a productivity tool but a potential driver of enterprise-wide risk management transformation.
Recently Added Articles as of October 2
Organizations are learning the hard way that blind spots in the vendor ecosystem, from overprivileged access for third-party providers to unexpected shifts in vendor AI models, create exploitable gaps. Recent cases illustrate the stakes: Salesforce faces lawsuits tied to the Salesloft Drift attacks, while a major retailer has endured a second vendor breach in just six months.
State regulatory pressure is also heating up, as California introduced sweeping requirements for developers and organizations using AI systems. As organizations continue to navigate new threats and evolving compliance requirements, they can’t stand still — ongoing vendor due diligence, oversight, and incident planning are critical to mitigating risk.
Overprivileged access leaves organizations exposed. Many companies lack full visibility into who has access to their sensitive systems and data, creating significant cyber and compliance risks. When it comes to third-party providers, companies often grant access that exceeds business requirements, creating preventable vulnerabilities. By treating access management as an ongoing priority rather than a one-time task, organizations can strengthen resilience, ensure compliance, and reduce the risk of costly security incidents.
Volatile AI models can disrupt operations. Unexpected changes to third-party AI provider models risk disruption, as shown when GPT-5 displaced GPT-4o. Sudden model changes can break workflows and create migration bottlenecks. To build resilience, organizations need multi-provider redundancy, real-time performance monitoring, contractual support guarantees, and staged rollouts. Compliance, geographic backup, and in some cases controlling their own model layer are also essential. The bottom line: treat AI models as unstable dependencies and design systems that can adapt quickly, or risk major business disruption.
Salesforce faces string of lawsuits over breach. The CRM giant is facing a growing number of lawsuits after customer data was exposed in the Salesloft breach. Plaintiffs argue Salesforce failed to safeguard sensitive information, while the company maintains that its platform was not compromised and attributes the issue to social engineering — a view supported by Google’s analysis. The legal backlash underscores the significant financial and reputational consequences of data breaches, regardless of their source.
California introduces sweeping AI requirements. California's new Transparency in Frontier Artificial Intelligence Act introduces significant regulatory requirements for AI developers and enterprises. Large developers must publish frameworks outlining best practices, while enterprises must adapt internal processes and vendor relationships to comply. The move reflects broader state-level AI scrutiny, as Massachusetts recently settled a $2.5 million case against a lender for AI-driven underwriting violations.
Retailer suffers second data breach in six months. Harrods has experienced its second cyberattack in six months, resulting in the theft of personal data from approximately 430,000 customers. The breach was traced back to a third-party supplier, which has since isolated and contained the incident. While experts say the retailer met the second breach with better preparedness, the attack is a reminder that ongoing monitoring is an essential part of the vendor risk management lifecycle.