Third-party cybersecurity risk is no longer an emerging concern—it is a documented and escalating threat. A recent SecurityScorecard survey revealed that 71% of organizations experienced at least one material third-party cybersecurity incident in the past 12 months, with 5% reporting ten or more such events. Supporting data from the 2025 Verizon Data Breach Investigations Report further confirms the trend, showing that third-party involvement in breaches has nearly doubled in recent years, rising from 15% to nearly 30%.
These findings highlight a critical compliance issue: organizations cannot adequately meet regulatory, contractual, or governance obligations without a structured, risk-based approach to managing third-party relationships and software supply chains.
Expanding Supply Chain Attack Surface
Enterprises today depend on extensive networks of suppliers, SaaS platforms, contractors, and digital service providers. These relationships are essential to operations, but each one extends the organization's attack surface to systems, credentials, and people it does not directly control. Threat actors increasingly exploit these dependencies, bypassing the target's own perimeter defenses by compromising a trusted third party and moving through the access that party has already been granted.
Recent high-profile attacks demonstrate how a single compromised service provider can cascade across its entire customer base. SaaS integrations, OAuth grants, and over-permissioned service accounts let adversaries "log in" rather than break in, inheriting trust and privileges that downstream organizations have already approved. An OAuth token issued to a third-party application is the practical case to keep in mind: it carries whatever scopes were consented to, it is not re-challenged by the user's MFA on each use, and it stays valid until someone revokes it, so a breach at the application's vendor becomes access to every tenant that approved it.
From a compliance standpoint, this creates a material risk: organizations may be unable to demonstrate adequate vendor oversight as required by frameworks and regulations such as NIST CSF, ISO 27001, HIPAA, PCI DSS, and the EU Cyber Resilience Act (CRA).
The Software Supply Chain Challenge
The software supply chain presents another critical area of concern. Organizations are heavily reliant on open-source components, AI models, and third-party libraries, many of which are maintained by under-resourced volunteers. Attackers exploit this by publishing malicious or typosquatted packages to public registries, taking over maintainer accounts, or compromising CI/CD pipelines so that a trusted build ships tampered code, leading to downstream breaches.
The SolarWinds attack of 2020 underscored the regulatory and operational consequences of software supply chain compromises. Five years later, many organizations continue to lack effective controls in this area.
While the adoption of Software Bills of Materials (SBOMs) is promoted by agencies such as CISA and required under the EU CRA, many enterprises still treat SBOMs as static documents produced once at delivery. An SBOM only delivers compliance, audit-readiness, and risk-visibility value when it is regenerated with each build and re-checked against current vulnerability advisories, so that a newly disclosed flaw in a component can be traced to every product and vendor that ships it.
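As an added illustration of what treating an SBOM as a dynamic inventory means in practice (this is example code written for this page, not Modevity's tooling or any vendor's product), the script below parses a CycloneDX JSON SBOM and re-checks it against an advisory list each time that list changes. The SBOM, the package names, the version ranges, and the advisory IDs are all constructed for the example and describe no real software.

```python
"""SBOM as a living inventory: re-check components against an advisory feed.

Added example, not Modevity's code. Parses a CycloneDX 1.5 JSON SBOM and flags
every component whose version falls inside an advisory's affected range.
The SBOM, the advisory entries, their IDs and the package names are all
constructed for this illustration and do not describe real software.
"""
import json
import re

# Constructed CycloneDX 1.5 SBOM (shape per the spec, contents fictitious).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "acme-http", "version": "2.4.1",
     "purl": "pkg:npm/acme-http@2.4.1"},
    {"type": "library", "name": "acme-yaml", "version": "0.9.7",
     "purl": "pkg:pypi/acme-yaml@0.9.7"},
    {"type": "library", "name": "acme-auth", "version": "3.0.0",
     "purl": "pkg:maven/com.example/acme-auth@3.0.0?type=jar"}
  ]
}
"""

# Constructed advisory feed. "purl" is the package coordinate without a
# version; a component is affected when introduced <= version < fixed.
# IDs are placeholders, not real CVE or GHSA identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:npm/acme-http",
     "introduced": "2.0.0", "fixed": "2.4.2", "severity": "high"},
    {"id": "EXAMPLE-0002", "purl": "pkg:pypi/acme-yaml",
     "introduced": "0.0.0", "fixed": "0.9.7", "severity": "critical"},
]


def parse_version(v: str) -> tuple:
    """'2.4.1' -> (2, 4, 1). Compared as tuples so 2.10.0 > 2.9.9.
    A part with a non-numeric tail ('0-rc1') contributes its leading digits."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:          # pad so '1.0' and '1.0.0' compare equal
        parts.append(0)
    return tuple(parts)


def purl_base(purl: str) -> str:
    """Strip qualifiers (?...), subpath (#...) and the @version from a purl."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    return base.rsplit("@", 1)[0] if "@" in base else base


def is_affected(version: str, adv: dict) -> bool:
    v = parse_version(version)
    if v < parse_version(adv["introduced"]):
        return False
    fixed = adv.get("fixed")
    return fixed is None or v < parse_version(fixed)


def find_affected(sbom_json: str, advisories: list) -> list:
    """Return one finding per (component, advisory) match."""
    sbom = json.loads(sbom_json)
    by_purl = {}
    for adv in advisories:
        by_purl.setdefault(adv["purl"], []).append(adv)
    findings = []
    for comp in sbom.get("components", []):
        purl, version = comp.get("purl"), comp.get("version")
        if not purl or not version:
            continue  # no coordinate or version: cannot be matched at all
        for adv in by_purl.get(purl_base(purl), []):
            if is_affected(version, adv):
                findings.append({
                    "id": adv["id"], "severity": adv["severity"],
                    "component": comp.get("name"), "version": version,
                    "fixed": adv.get("fixed"),
                })
    return findings


if __name__ == "__main__":
    # Day 1: one advisory matches the unchanged SBOM.
    for f in find_affected(SBOM_JSON, ADVISORIES):
        print(f"{f['severity']:8} {f['id']} {f['component']}@{f['version']} fixed in {f['fixed']}")
    # Later: a new advisory arrives. The same SBOM now yields a second finding,
    # which is the whole point of keeping it as a live inventory.
    new_advisory = {"id": "EXAMPLE-0003", "purl": "pkg:maven/com.example/acme-auth",
                    "introduced": "3.0.0", "fixed": "3.0.1", "severity": "medium"}
    for f in find_affected(SBOM_JSON, ADVISORIES + [new_advisory]):
        print(f"{f['severity']:8} {f['id']} {f['component']}@{f['version']} fixed in {f['fixed']}")
```

Run the second pass on a schedule or whenever the advisory feed updates, and the output becomes the evidence an auditor asks for: which vendor-supplied component is affected, in which version, and what the fix version is. Components that arrive without a purl or version are skipped here; in a real program they belong on a separate exceptions report, because an SBOM entry that cannot be matched is itself a visibility gap.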
Lack of Visibility and Oversight
The SecurityScorecard survey further revealed that only 21% of organizations could confirm that at least half of their extended supply chain is covered by cybersecurity programs, and only 26% incorporate incident response into supply chain security frameworks.
This lack of visibility directly undermines compliance efforts. Regulators and auditors increasingly expect organizations to demonstrate not only that they perform vendor assessments but also that they maintain continuous oversight and enforce contractual security requirements.
Strengthening Third-Party Risk Management Programs
To align with compliance obligations and reduce enterprise risk, organizations should strengthen their Third-Party Risk Management (TPRM) and Vendor Risk Management (VRM) programs with the following measures:
- Contractual Controls – Ensure vendor agreements include audit rights, incident notification requirements, and evidence of security controls such as MFA, EDR, and logging.
- Continuous Monitoring – Move beyond annual assessments to real-time monitoring of third-party cyber hygiene and compliance.
- Standardized Assessments – Utilize frameworks such as SIG, CAIQ, or ISO-based questionnaires aligned with regulatory expectations.
- Incident Preparedness – Integrate vendors into tabletop exercises, penetration testing, phishing simulations, and coordinated incident response planning.
- Supply Chain Transparency – Require vendors to provide and update SBOMs, ensuring compliance with regulatory requirements and enabling effective vulnerability management.
Conclusion
With the majority of CISOs reporting third-party security incidents, it is clear that supply chain vulnerabilities represent not only an operational risk but also a compliance risk. Regulators, auditors, and stakeholders increasingly expect organizations to demonstrate active oversight of their third-party ecosystem.
Organizations that continue to rely on static questionnaires and passive vendor assessments will struggle to meet these expectations. By adopting a structured, compliance-focused Third-Party Risk Management program—incorporating continuous monitoring, enforceable contractual requirements, and robust supply chain visibility—enterprises can reduce exposure, satisfy regulatory mandates, and build greater resilience.
At Modevity, we support organizations in implementing comprehensive vendor due diligence programs, enhancing vendor governance frameworks, and ensuring compliance with evolving cybersecurity regulations.
Modevity Vendor Risk Management as a Service helps organizations mitigate company and regulatory risks. It combines database technology, AI, and vendor assessment automation with continuous monitoring to provide real-time reports that identify risks when conducting business with vendors across departments and operations.
Contact Information:
Thomas J. Canova, Co-Founder, Chief Marketing Officer
Modevity, LLC
610-251-0700