The Breach Came from a Vendor You Never Hired
Key Takeaways
- The Nth-Party Blind Spot: Most TPRM programs stop at the direct vendor relationship. The breaches causing the most damage in 2025 originated two, three, and four tiers deeper.
- Questionnaires Can’t See What They Can’t Reach: Annual assessments capture what a vendor is willing to disclose about itself, not what its own subcontractors are doing with your data.
- Concentration Risk Is the Hidden Systemic Threat: When multiple vendors share the same underlying infrastructure, one outage becomes everyone’s problem simultaneously.
- The Numbers Are Getting Harder to Ignore: Third-party related breaches accounted for 35.5 percent of all breaches in 2024, a 6.5-point increase on the year before, and the trend accelerated through 2025.
- Regulators Are Already There: DORA, the SEC’s cyber disclosure rules, and EBA outsourcing guidelines are all reaching into extended supply chain accountability. Programs that stop at tier one are already behind.
Deep Dive
In June 2025, procurement services provider Chain IQ Group AG was hit by a cyberattack. The attackers took data from Chain IQ and at least 19 of its clients and posted it on the dark web shortly afterwards, exposing more than 130,000 employee records from firms including UBS and Pictet. None of those firms' own networks was the entry point. Chain IQ, the vendor they had hired to run procurement, was, and their staff data was sitting in its systems.
That same pattern repeated itself across the year. In December 2025, 700Credit disclosed a breach caused by unauthorized access to a third-party API, exposing personal information for approximately 5.8 million individuals — names, addresses, and Social Security numbers — traced back to a partner system compromise that had been sitting undetected for months.
The entry point was not 700Credit’s own infrastructure. It was a connected vendor’s system, accessed through a route nobody had mapped or monitored.
This is the defining TPRM challenge of 2026. It is not that organizations are ignoring vendor risk. It is that the programs they built were designed to manage direct relationships, and the risk has quietly moved somewhere else entirely.
The Questionnaire Cannot See What It Cannot Reach
The dominant model in TPRM is still the periodic assessment. A questionnaire goes to a vendor. The vendor responds. The response is reviewed, filed, and revisited a year later. For teams already stretched thin — the average vendor risk professional is responsible for assessing 33 vendors against an average inventory of 286 third parties — that model is under serious strain before the fourth-party problem even enters the picture.
But the deeper issue is not workload. It is what the questionnaire is structurally incapable of seeing.
The MOVEit Transfer attack affected over 2,000 organizations and exposed data belonging to more than 62 million people. Most of those organizations did not use MOVEit directly. Their vendors did. Or their vendors’ vendors. The annual questionnaire sent to the direct vendor captured none of it because, in many cases, the direct vendor did not know either. The entry point was two tiers removed from any relationship anyone had thought to assess.
Fourth-party exposures are difficult to detect precisely because there is no direct relationship and therefore no direct line of sight. Organizations are effectively relying on their vendors to manage their own subcontractors on their behalf, with no independent ability to verify the results. It is, in practice, outsourcing your risk management to the very entities whose risk you are trying to manage.
Concentration Risk: The Exposure Nobody Is Mapping
Underneath the fourth-party problem sits something even less visible.
Most TPRM programs assess vendors individually. What they rarely do is ask what those vendors have in common.
A half-day outage of AWS's us-east-1 region in October 2025 was estimated to have caused up to $581 million in insured losses. The organizations caught in that disruption were not all AWS customers. Many were customers of vendors who were. The failure cascaded through supply chains that nobody had mapped as dependent on the same underlying infrastructure, because the mapping had never been done.
This is the question that separates mature TPRM programs from the rest: not “is this vendor secure?” but “what happens to us if this vendor and six others all go down at the same time because they all run on the same provider?” Most organizations do not have a ready answer. Their vendor lists are inventories. They record who has been contracted with. They do not show what those contracts are all sitting on top of, or where the single points of failure are hiding.
Regulators are focusing on this gap directly. DORA requires financial entities to identify and manage ICT concentration risk tied to third-party providers and to know the subcontracting chain behind critical or important functions. The EBA's outsourcing guidelines require an outsourcing register that records the subcontractors involved in critical or important functions. The SEC's rule gives registrants four business days to file once they determine that a cyber incident is material; that determination has to be made without unreasonable delay, which is hard to do when working out whether a vendor's vendor holds your data is still an open question and visibility stops at tier one.
What the Data Is Telling Us
Nearly 49 percent of organizations experienced a third-party cyber incident in the past 12 months, according to Venminder’s 2025 State of Third-Party Risk Management report, a figure that has climbed for three consecutive years. More telling is what a KPMG study found sitting alongside that number: 61 percent of businesses admit they underestimate the importance of TPRM, and most acknowledge it was luck, not their programs, that kept them from a major vendor-related breach.
That admission matters. These are not organizations that ignored the problem. Many invested real budgets in vendor risk programs. What the data suggests is that the investment went into the visible layer — direct vendors, annual questionnaires, compliance attestations — while the actual exposure kept moving deeper into the supply chain where those tools do not reach.
What Getting Ahead of This Actually Requires
The organizations that have made meaningful progress share one thing: they stopped treating TPRM as a vendor management function and started treating it as supply chain intelligence.
In practice, that means contracts require vendors to disclose their own critical subcontractors at onboarding, not buried in a clause nobody reads but as a structured deliverable that gets reviewed and updated. It means SOC 2 reports get read specifically for the subservice organizations listed in the system description, which name the infrastructure the vendor itself is sitting on, and for whether the report uses the carve-out method, in which case those subservice organizations' controls were not tested and the vendor is simply relying on them. It means dependency maps get built alongside vendor inventories, as a standard output of the onboarding process rather than a separate exercise, so that when a major provider fails, the blast radius is already known.
One financial services firm that went through this exercise discovered that 23 of its top 50 vendors shared the same two cloud providers and a common file transfer tool. None of that was visible in their vendor assessments. It only became visible when someone asked a different question: not “is each vendor managing its own risk?” but “what does our entire vendor ecosystem depend on?”
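The "different question" above, and the blast-radius question from the concentration risk section, can be answered mechanically once subcontractor disclosures and SOC 2 subservice organizations are recorded as dependency edges rather than free text. The following is an added illustration written for this article, not code from the GRC Report or from the firm described; the vendor and provider names are constructed, and the edge list stands in for whatever a real program collects at onboarding. It walks each direct vendor's disclosed dependencies transitively, reports which underlying providers several vendors share, computes the tier-1 blast radius of one provider, and flags vendors that disclosed nothing at all, since an empty dependency list is a visibility gap rather than a clean bill of health.

```python
from collections import defaultdict, deque

# Constructed sample inventory (fictional names). Tier-1 vendors are the ones
# we actually contract with; everything else is visible only because a vendor
# disclosed it as a subcontractor or as a SOC 2 subservice organization.
DIRECT_VENDORS = {"PayrollCo", "HRPortal", "ClaimsSaaS", "DocSign", "ShipTrack"}

# One disclosed dependency edge per tuple: (dependent, what it runs on or subcontracts to).
DISCLOSED_EDGES = [
    ("PayrollCo", "CloudA"),
    ("PayrollCo", "FileXferTool"),
    ("HRPortal", "DataProcLtd"),     # subcontractor that processes our HR data
    ("DataProcLtd", "CloudA"),       # fourth party, same cloud as PayrollCo
    ("DataProcLtd", "FileXferTool"),
    ("ClaimsSaaS", "CloudB"),
    ("ClaimsSaaS", "OCRPartner"),
    ("OCRPartner", "MLHostCo"),
    ("MLHostCo", "CloudA"),          # fifth party, still CloudA
    ("DocSign", "CloudB"),
    # ShipTrack disclosed nothing: flagged below as a gap, not as "no dependencies".
]


def build_graph(edges):
    """Adjacency map: dependent -> set of things it depends on."""
    graph = defaultdict(set)
    for dependent, dependency in edges:
        graph[dependent].add(dependency)
    return graph


def transitive_dependencies(graph, vendor):
    """Everything `vendor` ultimately sits on, mapped to its tier relative to us.

    Tier 2 is the vendor's own subcontractor or infrastructure, tier 3 is theirs,
    and so on (shortest path, so a shared provider gets its shallowest tier).
    The `seen` set guards against cycles in badly curated disclosures."""
    tiers = {}
    seen = {vendor}
    queue = deque([(vendor, 1)])
    while queue:
        node, tier = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in seen:
                seen.add(dep)
                tiers[dep] = tier + 1
                queue.append((dep, tier + 1))
    return tiers


def blast_radius(graph, direct_vendors, provider):
    """Direct vendors that go down with `provider`, with the tier at which the
    dependency appears (tier 4 means nobody on our side ever signed with it)."""
    hit = {}
    for vendor in direct_vendors:
        tiers = transitive_dependencies(graph, vendor)
        if provider in tiers:
            hit[vendor] = tiers[provider]
    return hit


def concentration_report(graph, direct_vendors):
    """(provider, number of direct vendors depending on it, share of the vendor
    base), most shared first. Anything with a count above 1 is concentration
    risk that per-vendor assessments cannot see."""
    dependents = defaultdict(set)
    for vendor in direct_vendors:
        for dep in transitive_dependencies(graph, vendor):
            dependents[dep].add(vendor)
    rows = [(dep, len(vs), len(vs) / len(direct_vendors)) for dep, vs in dependents.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def undisclosed_vendors(graph, direct_vendors):
    """Direct vendors with no disclosed dependencies at all: a blind spot to chase."""
    return sorted(v for v in direct_vendors if not graph.get(v))


if __name__ == "__main__":
    g = build_graph(DISCLOSED_EDGES)
    for provider, count, share in concentration_report(g, DIRECT_VENDORS):
        if count > 1:
            print(f"{provider}: {count} of {len(DIRECT_VENDORS)} direct vendors ({share:.0%})")
    print("Blast radius of CloudA:", blast_radius(g, DIRECT_VENDORS, "CloudA"))
    print("Nothing disclosed:", undisclosed_vendors(g, DIRECT_VENDORS))
```

On this constructed inventory, CloudA never appears in a contract we signed, yet three of five direct vendors sit on it, one of them four tiers down; that is the kind of finding the questionnaire cannot produce because the direct vendor may not know it either. The shortest-tier convention matters for triage: a provider reached at tier 2 is something you can raise with the vendor directly, while one reached only at tier 4 needs the disclosure obligation to flow down the chain.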
That is the reframe. And until TPRM programs make it, they will keep producing vendor-level answers to ecosystem-level problems.
The Broader Picture
The vendors that caused the most damage in 2025 were not on anyone’s risk register. They were subcontractors of subcontractors, infrastructure providers two or three tiers removed from any signed contract, operating on shared platforms that nobody had mapped as a point of failure.
TPRM was built to manage vendors. The risk has moved into ecosystems.
The programs that recognize that shift and rebuild around it are the ones that will catch the next incident before it becomes the next headline. The ones that do not will keep filing questionnaires and calling it risk management.
The GRC Report is your premier destination for the latest in governance, risk, and compliance news.