Here’s a number that should keep every risk manager in America awake at night: 46% of organizations experienced a data breach from a vendor after onboarding them. Not before the relationship started—after. That’s nearly half of all companies getting burned by partners they’d already vetted and approved.
That statistic comes from Vanta’s 2025 State of Trust Report, which surveyed over 3,500 IT and business leaders. And it tells us something uncomfortable about how most organizations approach vendor risk: we’re really good at checking boxes during onboarding and really bad at everything that comes after.
The SEC has noticed. Their 2026 examination priorities make it crystal clear that third-party risk management isn’t just a nice-to-have anymore—it’s a regulatory imperative. And if you’re still managing vendor risk through annual questionnaires and spreadsheets, you’re about to have some very uncomfortable conversations with examiners.
The Regulatory Landscape Just Shifted
Let’s talk about what’s actually happening in Washington—because the regulatory pressure on third-party risk is intensifying faster than most organizations realize.
The SEC’s Division of Examinations released their 2026 priorities in November 2025, and vendor risk appears across virtually every focus area. This isn’t coincidental. As SEC Chairman Paul Atkins noted, the priorities reflect evolving market conditions and increased reliance on automated systems and emerging technology—and those systems increasingly live with third parties.
The updated Regulation S-P requirements hit particularly hard. Larger firms faced a compliance deadline in December 2025, with smaller firms following in June 2026. The amended rule requires a written incident response program, customer notification as soon as practicable and no later than 30 days after you become aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, and, critically, service provider oversight: written policies and procedures requiring your providers to protect customer information and to notify you of a breach as soon as possible and no later than 72 hours after they become aware of it. Your vendor’s breach is now your notification obligation, and the 30-day clock starts when you learn of it, not when the vendor does.
FINRA’s 2025 Annual Regulatory Oversight Report reinforces this focus. They’ve observed an increase in cyberattacks and outages at third-party vendors and are explicitly calling out the need for firms to establish supervisory controls for third-party technology vendors’ business impact, including assessments and contingency plans. If you’re in financial services and your business continuity plan doesn’t account for critical vendor failures, you’ve got a gap that regulators will find.
The Numbers Tell a Brutal Story
Before we dive into solutions, let’s sit with the problem for a moment. Because the data on third-party breaches is genuinely alarming.
Verizon’s 2025 Data Breach Investigations Report found that breaches involving a third party jumped to 30%, double the previous year’s figure. SecurityScorecard’s 2025 Global Third Party Breach Report attributes 35.5% of all breaches to third-party access. Other industry surveys put the share of breaches in which a vendor plays some role in the attack chain above 60%. The definitions differ (a breach through vendor access versus any vendor involvement at any point), which is why the figures spread so widely, but every one of them points in the same direction.
Meanwhile, the average company now manages 286 vendors, up from 237 in 2024. More vendors means more attack surface. More attack surface means more risk. And yet, 73% of financial institutions have two or fewer full-time employees managing their entire vendor risk program.
Let that sink in: hundreds of vendors, millions of dollars in potential exposure, and maybe one or two people trying to keep it all under control. Something has to give—and right now, it’s usually the quality of ongoing vendor oversight.
The Annual Assessment Trap
Here’s where most TPRM programs break down: they treat vendor risk like a point-in-time event rather than a continuous exposure.
Think about it this way. A vendor passes your security review in January. They look great: clean SOC 2 report, recent penetration test, all the right policies in place. You check the box and move on. Then in March, they suffer a major breach. Unless your contract obliges them to tell you, you may not hear about it until next January when you send out the annual questionnaire, and even then only if they answer it candidly. That is ten months of operating under a false sense of security.
This is exactly what modern TPRM solutions are designed to address. As one industry analysis put it, the difference between traditional vendor management and modern TPRM is like checking your bank account once a year versus having real-time alerts on your phone. Both technically qualify as ‘monitoring,’ but only one actually protects you.
Your risk assessment process needs to evolve beyond static, periodic reviews. Continuous monitoring isn’t just a nice feature—it’s becoming the regulatory expectation.
The AI Wildcard
As if traditional vendor risks weren’t enough, there’s a new dimension that’s complicating everything: artificial intelligence.
The SEC’s 2026 examination priorities specifically call out emerging financial technology and AI, with examiners focusing on automated investment tools, algorithmic models, and AI-based systems. And here’s the thing—a huge portion of that AI exposure comes through third parties. Your vendors are integrating AI into their products whether you asked them to or not.
FINRA is asking firms to consider whether their third-party vendors incorporate generative AI into products or services, and if so, to evaluate contracts with those vendors accordingly. The Ncontracts 2025 Third-Party Risk Management Survey found that AI now ranks as the second-biggest TPRM risk heading into 2026, with institutions increasingly adding AI usage language to contracts and implementing specific due diligence measures.
Yet 23% of organizations still don’t monitor vendor AI usage at all. That’s down from 37% in 2024—progress, but not nearly enough given the pace of AI adoption.
The practical implication? Your vendor due diligence questionnaire needs an AI section. You need to know which models your vendors use (their own, or a third party’s, which makes the model provider a fourth party), whether your data is used to train or fine-tune them, where prompts and outputs are stored and for how long, what governance sits over the feature, and whether you can contractually opt out of it. Examiners are already asking these questions, and the scrutiny is only going to intensify.
Building a TPRM Program That Actually Works
Alright, enough about the problems. Let’s talk about what mature TPRM programs actually look like—because the gap between leading practices and common practices is enormous.
Tier your vendors by criticality. Not all vendors are created equal, and treating them the same is a recipe for either wasted resources or missed risks. Companies that excel at TPRM categorize their vendors by criticality and create structured, risk-driven review schedules. Tier on what the vendor actually touches: whether they hold sensitive or customer data, whether they have network or privileged access into your environment, and how long you could operate if they went down. Critical vendors handling sensitive data or essential operations need quarterly reviews. Lower-risk vendors can be assessed annually. Your risk appetite framework should define these thresholds explicitly.
Implement continuous monitoring. Move beyond point-in-time assessments to ongoing visibility. This doesn’t necessarily mean expensive real-time platforms for every vendor, but for your critical third parties you need automated monitoring of security ratings, financial health indicators, breach history, and regulatory actions. When something changes, you should know about it within days, not months. Treat an outside-in rating drop as a trigger to ask the vendor a question, not as a verdict: those ratings see only the internet-facing surface and can misattribute assets.
Integrate TPRM into your incident response. FINRA specifically calls out involving third-party vendors in testing your incident response plan. Under Regulation S-P, you must notify affected customers as soon as practicable and no later than 30 days after you become aware of a breach, regardless of whether it originated with you or your vendor, so the vendor’s contractual notification clause is what feeds your clock. Your business impact analysis should map vendor dependencies and your incident response playbooks should include vendor communication protocols: who at the vendor you call, what evidence you expect from them, and who decides whether to cut their access.
Document your risk appetite for third parties. Mature organizations clearly outline the level of vendor risk they’re willing to accept while pursuing their objectives. This guides decision-making and prevents the inconsistent, case-by-case judgments that lead to either over-caution or excessive risk-taking. When a prospective vendor falls outside your risk appetite, you have a documented basis for the decision.
Get board-level visibility. When third-party or supply chain risk appears on the boardroom agenda, it reflects meaningful executive alignment and long-term commitment. This isn’t about scaring directors—it’s about ensuring resource allocation and strategic attention match the actual risk exposure. Include TPRM metrics in your regular board reporting alongside other key risk indicators.
The Due Diligence Bottleneck
Here’s an operational reality that doesn’t get enough attention: collecting and analyzing vendor documents is the top bottleneck in most TPRM programs. Teams are drowning in SOC reports, penetration test results, policy documents, and questionnaire responses—and they don’t have the bandwidth to actually analyze what they’re collecting.
The math is brutal. If you’re managing 300 vendors with a two-person team, and each vendor review takes even 4 hours (which is conservative for critical vendors, where reading a SOC 2 report properly and chasing its exceptions takes longer), you’re looking at 1,200 hours of review work annually. That is close to a third of the roughly 4,000 working hours the two of them have between them in a year, before any critical vendor gets its second, third, or fourth review, and before a single hour goes to ongoing monitoring, incident response, or program improvement.
This is where technology and process efficiency become critical. Some organizations are exploring AI-augmented assessment tools to help scale vendor reviews. Others are adopting hybrid operating models where dedicated TPRM teams oversee the framework while vendor owners manage day-to-day risk and performance. The right approach depends on your organization’s size and complexity, but doing nothing isn’t sustainable.
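To make the tiering, review cadence and capacity arithmetic from the sections above concrete, here is an added example; it is not from the article and is not any vendor’s product. It is a small Python script that tiers a vendor on data sensitivity, access into your environment and operational dependency, derives a review interval per tier (quarterly for critical and annual for low-risk vendors, as the article suggests; the semi-annual tier in between is an assumption), lists overdue reviews, and computes the annual review load the cadence implies. The scoring weights, thresholds, hours-per-review figures and the vendor inventory are constructed planning assumptions, not survey data.

```python
"""Vendor tiering, review cadence and capacity check (illustrative example, not from the article)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from enum import IntEnum


class Tier(IntEnum):
    CRITICAL = 1
    HIGH = 2
    MODERATE = 3
    LOW = 4


# Quarterly for critical and annual for low-risk vendors follow the article;
# the 180-day HIGH tier is an assumption for illustration.
REVIEW_INTERVAL_DAYS = {Tier.CRITICAL: 90, Tier.HIGH: 180, Tier.MODERATE: 365, Tier.LOW: 365}
# Assumed analyst effort per assessment, in hours (planning assumptions, not survey data).
REVIEW_HOURS = {Tier.CRITICAL: 16, Tier.HIGH: 8, Tier.MODERATE: 4, Tier.LOW: 2}


@dataclass(frozen=True)
class Vendor:
    name: str
    handles_customer_data: bool        # customer NPI/PII in scope for Regulation S-P
    privileged_access: bool            # VPN, API keys or admin rights into our environment
    outage_tolerance_days: int         # how long we could operate without them (from the BIA)
    onboarded: date
    last_assessed: date | None = None  # None means never assessed since onboarding


def tier_vendor(v: Vendor) -> Tier:
    """Score on data sensitivity, access into our environment and operational dependency."""
    score = 0
    if v.handles_customer_data:
        score += 3
    if v.privileged_access:
        score += 3
    if v.outage_tolerance_days <= 1:
        score += 3
    elif v.outage_tolerance_days <= 7:
        score += 2
    elif v.outage_tolerance_days <= 30:
        score += 1
    if score >= 7:
        return Tier.CRITICAL
    if score >= 4:
        return Tier.HIGH
    if score >= 2:
        return Tier.MODERATE
    return Tier.LOW


def review_due(v: Vendor) -> date:
    """A vendor never assessed is due on its onboarding date, not one interval after it."""
    if v.last_assessed is None:
        return v.onboarded
    return v.last_assessed + timedelta(days=REVIEW_INTERVAL_DAYS[tier_vendor(v)])


def overdue_reviews(vendors: list[Vendor], today: date) -> list[tuple[str, Tier, int]]:
    """(name, tier, days overdue), highest tier first, then longest overdue."""
    rows = []
    for v in vendors:
        days = (today - review_due(v)).days
        if days > 0:
            rows.append((v.name, tier_vendor(v), days))
    return sorted(rows, key=lambda r: (r[1], -r[2]))


def annual_review_hours(vendors: list[Vendor]) -> float:
    """Hours of scheduled assessment work per year implied by the cadence."""
    return sum(REVIEW_HOURS[t] * 365 / REVIEW_INTERVAL_DAYS[t] for t in map(tier_vendor, vendors))


def capacity_utilization(vendors: list[Vendor], analysts: int, hours_per_analyst: float = 1800.0) -> float:
    """Fraction of the team's productive hours consumed by scheduled reviews alone."""
    return annual_review_hours(vendors) / (analysts * hours_per_analyst)


# Constructed sample inventory: fictional vendors, fictional dates.
SAMPLE_VENDORS = [
    Vendor("Core banking SaaS", True, True, 1, date(2024, 3, 1), date(2025, 9, 1)),
    Vendor("Payroll provider", True, False, 14, date(2023, 6, 1), date(2025, 9, 1)),
    Vendor("Marketing analytics", True, False, 30, date(2025, 12, 1), None),
    Vendor("Office supplies", False, False, 60, date(2022, 1, 1), date(2024, 12, 1)),
]
AS_OF = date(2026, 1, 15)  # constructed "today" for the sample run

if __name__ == "__main__":
    for name, tier, days in overdue_reviews(SAMPLE_VENDORS, AS_OF):
        print(f"{tier.name:<9} {name:<22} {days} days overdue")
    print(f"Annual review load: {annual_review_hours(SAMPLE_VENDORS):.0f} h")
    print(f"Two-analyst utilization: {capacity_utilization(SAMPLE_VENDORS, 2):.0%}")
```

Two details are deliberate. A vendor with no assessment on file is overdue from the day it was onboarded, so a contract signed without a review surfaces at the top of the list rather than hiding for a year; and the load calculation multiplies by reviews per year, which is how a handful of critical vendors on a quarterly cadence quietly dominate the team’s calendar. Scale the inventory to your real vendor count and the utilization figure is the number to put in front of leadership when you ask for headcount.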
The Fourth-Party Problem
Just when you thought you had a handle on your vendors, there’s another layer to consider: your vendors’ vendors. Fourth-party risk—the exposure you inherit through your third parties’ subcontractors and service providers—is increasingly appearing in breach postmortems.
The SEC and FINRA are paying attention to this supply chain dimension. If your critical vendor outsources a key function to a subcontractor with weak security controls, that’s your problem too. Regulation S-P’s service provider oversight obligation is yours regardless of how many layers sit between you and the system that actually holds the customer information.
What does this mean practically? Your vendor contracts need to address subcontractor oversight. Your due diligence should include questions about critical fourth parties. And your monitoring should flag when vendors make significant changes to their own supply chain. It’s risk management turtles all the way down.
The Financial Services Pressure Cooker
If you’re in financial services, the pressure is particularly intense. Beyond the SEC and FINRA requirements, you’re navigating a complex web of state and federal regulations that all touch on vendor risk.
The Ncontracts survey found that 49% of financial institutions experienced a vendor-related cyber incident in the past year. Recovery times ranged from under 60 days for two-thirds of organizations to more than 90 days for 8% of them. Think about what a 90-day recovery from a critical vendor incident means for customer service, regulatory compliance, and competitive position.
Two-thirds of financial institutions report feeling pressure to enhance their TPRM programs, with nearly half citing auditors and regulators as primary drivers. The message from examiners is clear: it’s no longer enough to have vendor contracts on file. They’re looking for evidence of ongoing oversight, documented governance, and effective controls that demonstrate you’re actively managing third-party risk—not simply checking compliance boxes.
Your enterprise risk management framework needs to treat vendor risk as a strategic exposure, not a compliance checkbox. The regulatory environment demands it.
Making the Business Case
Here’s some good news amid all the challenges: there’s strong evidence that TPRM investments pay off. 96% of organizations believe TPRM delivers measurable ROI, and 85% of financial institutions report moderate to high value from their programs.
The benefits go beyond avoiding breaches. Organizations cite improved cybersecurity posture, enhanced vendor performance, better cost control, and stronger customer confidence. A robust TPRM program isn’t just about defense—it’s a competitive differentiator that enhances operational resilience across the enterprise.
When you’re building the business case for TPRM investment, don’t just lead with fear. Lead with the operational benefits: faster vendor onboarding through standardized processes, better negotiating leverage from documented risk assessments, reduced audit burden through continuous compliance evidence, and stronger relationships with vendors who appreciate professional oversight.
A Practical Roadmap
Let me leave you with a prioritized action list for strengthening your TPRM program in 2026:
- Audit your current state. How many vendors do you have? How are they tiered? When were they last assessed? You can’t manage what you don’t measure. Build a complete vendor inventory with criticality ratings.
- Review Regulation S-P compliance. If you’re in financial services, ensure your vendor contracts include required provisions and your incident response plan addresses vendor breaches with the 30-day notification requirement.
- Add AI to your due diligence. Update your vendor assessment questionnaire to address AI usage, data handling, and governance. This will only become more important as regulatory scrutiny increases.
- Implement continuous monitoring for critical vendors. Even if you can’t monitor everyone in real-time, prioritize your top-tier vendors for ongoing visibility beyond annual assessments.
- Test your incident response with vendors. Run a tabletop exercise that includes a critical vendor failure scenario. Identify gaps in communication protocols, escalation procedures, and recovery capabilities.
- Get executive buy-in. Present TPRM metrics and regulatory trends to leadership. Ensure resource allocation matches actual risk exposure. If you need additional headcount or technology, now is the time to make the case.
The Bottom Line
Your vendors’ risk is your risk. That’s not a slogan—it’s a regulatory reality that the SEC, FINRA, and state regulators are enforcing with increasing vigor. The organizations that thrive in this environment will be those that move from reactive, checkbox-driven vendor management to proactive, intelligence-driven third-party risk programs.
The investment is significant, but so is the exposure. With nearly half of organizations experiencing vendor-related breaches and regulatory scrutiny at historic highs, the cost of getting TPRM wrong has never been greater.
The good news? The path forward is clear. Tier your vendors, monitor continuously, integrate with incident response, and get board-level visibility. The playbook exists—the question is whether you’ll run it before regulators force you to.
Over to You
How is your organization handling the third-party risk challenge? Are you seeing the same regulatory pressure? I’d love to hear what’s working—and what’s not—in your TPRM program. Leave a comment below or reach out on LinkedIn.
Want to dive deeper into building a world-class risk program? Check out these related resources:
- The Complete Guide to Risk Registers
- ISO 31000 Risk Management Framework
- Building Operational Resilience
- Cybersecurity Risk Assessment Guide
- Compliance Risk Management Essentials
About Risk Publishing: We provide practical, standards-based guidance for enterprise risk management, business continuity, and compliance professionals. Our mission is to make sophisticated risk management accessible and actionable for organizations worldwide.
Keywords: third-party risk management, TPRM, vendor risk management, SEC 2026 examination priorities, Regulation S-P, FINRA vendor oversight, supply chain risk, AI vendor risk, fourth-party risk, cybersecurity compliance, vendor due diligence, financial services compliance

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.