Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of October 16
Cybersecurity and third-party risks are top concerns for insurers and businesses, driven by recent class action lawsuits and a growing awareness of vendor risk. More organizations are also investing in governance as AI adoption grows.
Organizations investing in governance to mitigate AI risks. Organizations are ramping up governance investments as AI adoption accelerates. Strategies like human review, data access restrictions, and trusted technology providers help mitigate risks. Fast-moving AI initiatives require equally agile oversight, or businesses risk serious financial, operational, and reputational damage.
Practices to remain secure from third-party risks. One of the biggest cybersecurity gaps isn’t inside your organization, but instead with third-party vendors. Many organizations assume reputable vendors are secure, but weak contracts, unchecked questionnaires, and outdated oversight leave them vulnerable. The FTC, SEC, and state-level requirements emphasize vendor oversight. Organizations must identify critical vendors, define clear security expectations, verify controls with evidence like SOC 2 reports, and conduct annual reviews. Strong vendor management helps ensure compliance while providing a competitive advantage.
Cybersecurity risks can be costly for insurers. Two recent class action cases resulted in nearly $20 million in settlements after breaches exposed sensitive health and personal data of over 3 million people. Regulators and plaintiffs are treating basic cybersecurity failures as actionable. Cybersecurity has shifted from an IT concern to a core compliance issue. Regularly reviewing security controls, improving breach response plans, and managing third-party risks are essential steps to avoid regulatory scrutiny and significant financial and reputational fallout.
Cybersecurity risk a top concern for insurers. A recent survey revealed insurers are facing a convergence of challenges, from cyber and climate risks to geopolitical volatility, requiring strategy, resilience, and innovation. Cyber risk leads the pack, with insurers exposed both as underwriters and targets, while AI-driven threats demand clearer policies and resilience planning. Climate change and natural disasters continue pressuring underwriting and capital allocation, while geopolitical tensions and regulatory shifts underscore the need for proactive risk monitoring.
Trust gap emerges in third-party relationships. Nearly one in three UK risk managers don't fully trust third parties to handle key threats, while over a quarter admit they don't fully understand the risks they're managing. Traditional due diligence and one-time assessments can't keep pace with today's fast-changing cyber, AI, and geopolitical risks. Continuous, intelligence-driven oversight is essential. By improving internal visibility and mapping critical dependencies, organizations can transform outsourcing from a blind leap into a strategic advantage.
Protecting your organization from third-party cybersecurity risk. Third-party vendors and cloud providers are vital to modern business but pose massive cybersecurity risks. Many breaches now stem from vendor vulnerabilities rather than internal systems, driving greater regulatory scrutiny. Move beyond onboarding checks. Prioritize continuous monitoring, robust contractual safeguards, and clear internal accountability. While you can delegate tasks to vendors, you can't delegate responsibility. Boards and executives must treat third-party risk with the same rigor as internal security.
Recently Added Articles as of October 10
Third-party risks are making headlines: Several third-party data breaches compromised customer data. On the industry front, fintechs are increasingly partnering with credit unions and third-party risk is becoming a greater priority.
Third-party data breach exposes personal information on Discord. Discord disclosed a breach involving one of its third-party customer service providers, impacting users who interacted with support or trust and safety teams. Compromised data includes usernames, email addresses, billing details, IP addresses, and in some cases, government ID images from users appealing age-verification decisions. The breach prompted Discord to revoke the vendor’s access.
More fintechs partnering with credit unions. A recent report shows nearly half of fintechs (48% in 2025) now partner with credit unions. Yet, many underestimate the hurdles and opportunities these relationships bring. Fintechs report slow decision-making and regulatory complexity, while credit unions worry about product fit and compliance. Success requires fintechs to be regulation-ready, align solutions with credit union governance, and demonstrate measurable value — all while maintaining strong risk controls.
Third-party risk management crucial to remaining secure. As organizations lean more on cloud services, SaaS platforms, and IoT devices, traditional defenses like firewalls aren’t enough. Effective third-party risk management now demands continuous vendor assessments, stronger authentication, network segmentation, and, importantly, collaboration. Turning cybersecurity into a shared responsibility transforms it from reactive defense to proactive protection — essential for maintaining trust in the digital economy.
Renault customers impacted in third-party data breach. Renault UK notified customers of a third-party data breach. Compromised information may include names, contact details, and vehicle identifiers. Renault has contained the incident, is working with the vendor, and has alerted relevant authorities. The automaker urges customers to remain vigilant against phishing attempts.
Turning third-party risk management into strategic advantage is critical. Emerging technologies and evolving regulations are reshaping cybersecurity in financial services. ING’s CISO Debbie Janecek noted that third-party risk management has been elevated from a compliance checkbox to a continuous, board-level responsibility. Organizations must balance innovation, regulation, and resilience, while fostering close vendor partnerships to stay ahead of fast-moving cyber threats. AI governance will also grow more important.
Small percentage use AI for risk management. While technology adoption is growing for compliance and due diligence, only about 15% of asset owners use AI for risk management. AI can improve efficiency, transparency, and risk identification, but organizations must first ensure robust risk assessments, governance, and data integrity. As regulations evolve, AI is increasingly not just a productivity tool but a potential driver of enterprise-wide risk management transformation.
Recently Added Articles as of October 2
Organizations are learning the hard way that blind spots in the vendor ecosystem — ranging from overprivileged access for third-party providers to unexpected shifts in vendor AI models — create exploitable gaps. Recent cases illustrate the stakes: Salesforce faces lawsuits tied to the Salesloft Drift attacks, while a major retailer has endured a second vendor breach in just six months.
State regulatory pressure is also heating up, as California introduced sweeping requirements for developers and organizations using AI systems. As organizations continue to navigate new threats and evolving compliance requirements, they can’t stand still — ongoing vendor due diligence, oversight, and incident planning are critical to mitigating risk.
Overprivileged access leaves organizations exposed. Many companies lack full visibility into who has access to their sensitive systems and data, creating significant cyber and compliance risks. When it comes to third-party providers, companies often grant access that exceeds business requirements, creating preventable vulnerabilities. By treating access management as an ongoing priority rather than a one-time task, organizations can strengthen resilience, ensure compliance, and reduce the risk of costly security incidents.
Volatile AI models can disrupt operations. Unexpected changes to third-party AI provider models risk disruption, as shown when GPT-5 displaced GPT-4o. Sudden model changes can break workflows and create migration bottlenecks. To build resilience, organizations need multi-provider redundancy, real-time performance monitoring, contractual support guarantees, and staged rollouts. Compliance, geographic backup, and in some cases controlling their own model layer are also essential. The bottom line: treat AI models as unstable dependencies and design systems that can adapt quickly, or risk major business disruption.
Salesforce faces string of lawsuits over breach. The CRM giant is facing a growing number of lawsuits after customer data was exposed in the Salesloft breach. Plaintiffs argue Salesforce failed to safeguard sensitive information, while the company maintains that its platform was not compromised and attributes the issue to social engineering — a view supported by Google’s analysis. The legal backlash underscores the significant financial and reputational consequences of data breaches, regardless of their source.
California introduces sweeping AI requirements. California's new Transparency in Frontier Artificial Intelligence Act introduces significant regulatory requirements for AI developers and enterprises. Large developers must publish frameworks outlining best practices, while enterprises must adapt internal processes and vendor relationships to comply. The move reflects broader state-level AI scrutiny, as Massachusetts recently settled a $2.5 million case against a lender for AI-driven underwriting violations.
Retailer suffers second data breach in six months. Harrods has experienced its second cyberattack in six months, resulting in the theft of personal data from approximately 430,000 customers. The breach was traced back to a third-party supplier, which has since isolated and contained the incident. While experts say the retailer met the second breach with better preparedness, the attack is a reminder that ongoing monitoring is an essential part of the vendor risk management lifecycle.