
April 2025 Vendor Management News


Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of April 10

New Ncontracts survey data reveals how financial institutions are managing third-party risk, a major security incident at the OCC compromises sensitive financial institution information, and more U.S. states are introducing new privacy bills. Check out the news below.

Financial institutions face increasing regulatory pressure with lean TPRM teams per new Ncontracts survey: Ncontracts’ latest 2025 Third-Party Risk Management Survey shows financial institutions face increasing pressure to improve their third-party risk management programs. Most institutions (73%) have only one to two employees managing vendor risk, despite overseeing more than 300 vendors. Cybersecurity and artificial intelligence risks remain top concerns. In fact, 31% of institutions were told to make TPRM improvements after their most recent audit or exam.

Security incident at OCC compromises financial institutions’ sensitive information: The Office of the Comptroller of the Currency (OCC) experienced a major security incident in which thousands of emails were compromised, exposing sensitive information about the financial condition of institutions. The OCC is investigating the breach with help from third-party cybersecurity experts and is evaluating its current IT security policies and procedures. Although incidents like this aren’t always preventable, it’s important to continuously review vendor cybersecurity practices.

More U.S. states introduce new state privacy legislation: Several states recently introduced new comprehensive privacy bills – including Maine, North Carolina, Pennsylvania, and Wisconsin. These new bills mostly align with common privacy themes in other U.S. state privacy laws. This includes a consumer right to access, correct, and delete personal data. Some bills also have requirements for organizations to disclose data processing practices. Each new bill will need to go through the legislative process. However, as more states look to adopt state privacy laws, it’s important to know your third parties’ data privacy practices. (Need help keeping up with changing laws and regulations? Check out Ncomply.)

Evaluating third-party providers to protect open finance: As financial institutions embrace open banking through interconnected systems of APIs and third-party relationships, security concerns increase. Financial institutions face both API vulnerabilities and third-party cybersecurity risks. Adopt proactive measures, such as ensuring third parties follow security best practices including authentication, encryption, and routine penetration testing. Third parties must also be thoroughly vetted and continuously monitored. Evaluate technical certifications, security protocols, and compliance history.

Reviewing third-party compliance with DORA: More than 22,000 financial institutions must comply with the European Union’s Digital Operational Resilience Act (DORA). A key compliance component is managing third-party vendors that access sensitive data or systems. Conduct thorough due diligence, including a review of each third party’s incident reporting and recovery protocols and its documented evidence of compliance.

Recently Added Articles as of April 3

Third-party risk remains in the spotlight as new breaches exposing thousands of people’s data, potential new UK legislation, and EU regulations like DORA highlight growing demands for stronger vendor oversight, faster incident reporting, and tighter supply chain security. Catch up on this week’s news below.

Streaming company experiences third-party data breach: A cloud-based streaming company confirmed a third-party data breach after stolen data was posted on a hacking forum. The company, StreamElements, stopped working with the third party last year, but older data was still exposed. The hacker claimed to have stolen data on 210,000 customers, including names, phone numbers, and email addresses. It’s an important reminder that vendor contracts should include provisions for the disposal of sensitive data when the relationship ends.

Related: How to Get Data Back from a Vendor

UK to introduce cyber resilience bill with strict reporting rules and supply chain oversight: The United Kingdom plans to introduce the Cyber Security and Resilience Bill, aiming to enforce stricter incident reporting and supply chain vulnerability patching. Organizations would need to report significant cyber incidents to the National Cyber Security Centre within 24 hours and submit detailed reports within 72 hours. The bill also seeks to regulate managed service providers, enhancing cyber hygiene requirements for entities in essential and digital service supply chains.

Third-party software vulnerability causes university breach: A third-party software vulnerability caused a data breach at Lee University in Tennessee. Hackers were able to access and download confidential information. It’s not clear how many people were impacted by the breach.  

Assessing a critical vendor’s security posture: As third-party cyberattacks increase, CISOs need to ask vendors about their overall security program, how they integrate security into development, and whether they manage their own supply chain risks with a third-party risk management program. These questions help evaluate whether vendors meet organizational security standards. Transparency and alignment are key to protecting shared systems and data. Review documentation that offers insight into the vendor’s overall security program, such as SOC 2 reports or other certifications.

67,000 compromised in healthcare third-party data breach: A third-party data breach at an orthopedic clinic impacted more than 67,000 New Hampshire residents. The third-party software is used for patient registration and check-ins. Compromised information includes names, driver’s license numbers, Social Security numbers, and health insurance information.

Importance of third-party compliance with DORA: Third-party vendors serving the European Union (EU) — including those based in the U.S. — must comply with the Digital Operational Resilience Act (DORA). EU financial institutions will look for DORA compliance when selecting a third-party vendor, including adherence to its standards on operational resilience, cybersecurity, and third-party risk management. Vendors should audit their systems, review and improve resilience protocols, and prepare for audits to meet DORA’s requirements.
