Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Third-party involvement in data breaches has doubled and now figures in 30% of breaches, and some banks are limiting the information they share with the OCC. Check out the news below.
Third-party data breaches double, now account for 30% of breaches: Third-party involvement in data breaches doubled in the past year, according to Verizon's 2025 Data Breach Investigations Report. A third party is now involved in 30% of all breaches, and exploitation of vulnerabilities as an initial access vector grew by 34%, evidence of an expanding threat landscape. Third-party cybersecurity risk continues to grow, and organizations need to invest time and resources in mitigating it. The financial industry remains a top target for cybercriminals because of the volume of sensitive information it holds.
Some banks limit information sharing with OCC post-breach: After the Office of the Comptroller of the Currency's data breach, some financial institutions are limiting the information they share with the agency. While the OCC continues to take stock of the breach, some institutions are hesitant to share sensitive information with it electronically. Attackers accessed roughly 150,000 emails across more than 100 OCC email accounts.
Fintech startup files Chapter 11 bankruptcy: Banking as a service (BaaS) startup Solid Financial Technologies recently filed for Chapter 11 bankruptcy. The fintech had struggled to raise capital for operations and faced costly litigation. Operations are expected to continue through the process, which involves selling Solid's assets. Financial institutions should monitor their third-party fintechs closely through litigation and bankruptcy proceedings, since a vendor's ownership, staffing, and control over customer data can change quickly.
Ensuring vendors are cyber secure in the insurance industry: Is your insurance company managing the growing cybersecurity risks of third-party claims processing vendors? Recent incidents have shown how these relationships create security gaps when sensitive customer data is shared. There are practical steps insurers can take to mitigate the risk: evaluate the vendor's cybersecurity policies and program, confirm that it follows industry best practices, and review any external audits or certifications. Write cybersecurity expectations into the vendor contract, then continuously track and monitor the vendor's risk and performance. A vendor's security standards must be robust for your insurance company to remain protected.
Tips for CISOs managing third-party cybersecurity risks: With so many cyber incidents originating in third-party relationships, CISOs need a proactive, dynamic approach to third-party risk management built on five strategies: risk-based vendor tiering, continuous monitoring, contractual enforcement of security standards, zero trust access controls, and collaborative incident response planning. Fostering a culture of shared responsibility between organizations and their vendors is also essential to overall cybersecurity resilience.
In this week’s news, Republicans asked federal banking agencies to change TPRM guidance, a hacker is claiming an unconfirmed third-party data breach, and the financial industry faces severe consequences of third-party breaches. Check out the news below.
Republicans ask federal banking agencies to change third-party risk management guidance: House Financial Services Committee Republicans are asking financial regulators for more clarity on the Interagency Guidance on Third-Party Relationships: Risk Management. The OCC, FDIC, and the Fed issued the comprehensive third-party risk management guidance in 2023. The Republicans assert that the guidance doesn't specify which TPRM practices are consistent with the agencies' expectations. The letter also asks the agencies to change or rescind several other rules and guidance, including the agencies' Community Reinvestment Act rule.
How to manage third-party cybersecurity risks in the financial industry: The financial sector's reliance on third-party providers such as cloud services, software vendors, and payment processors introduces serious cybersecurity risk. Financial institutions often have limited visibility into vendor security, intricate interdependencies among vendors, and an evolving threat landscape, all under increasing regulatory scrutiny. Institutions should establish robust vendor risk management frameworks, perform thorough due diligence, enforce strong contractual safeguards, and leverage technologies like risk assessment platforms and threat intelligence tools.
Hacker claims unconfirmed third-party data breach: A threat actor claimed responsibility for a breach of Magento, the open-source e-commerce platform used by thousands of organizations. The alleged breach occurred through a third-party integration. Adobe, which owns Magento, hasn't confirmed that a breach occurred. The hacker claims to have stolen 745,000 unique records, which appear to come from a CRM system and include names, job titles, and corporate email addresses.
Financial industry faces severe consequences with third-party data breaches: Third-party data breaches carry severe consequences in critical sectors, according to a recent report. Financial institutions are prime targets because of their access to sensitive data and their need for real-time operations. The costs of a third-party data breach include regulatory fines, loss of customer trust, reputational harm, and operational disruption. It's crucial to monitor third-party vendors and confirm they follow cybersecurity standards.
Supply chain attacks require the longest response times for UK financial sector: Supply chain attacks are the most challenging incidents for the United Kingdom's financial sector, according to new research. The average response time for a supply chain incident is almost 16 hours; the complexity and volume of supply chains contribute to the delay. Preventive measures like due diligence and ongoing monitoring can help reduce response times, allowing organizations to focus on more strategic priorities.
Third-party breaches driving increases in cyber-insurance claims: In 2024, third-party security failures emerged as a major driver of cyber-insurance claims, with indirect ransomware attacks, in which a breach at a vendor or partner leads to an incident at the insured company, rising significantly in both cost and frequency. Financial fraud, often stemming from phishing attacks and email compromises at third-party firms, remained the most common type of cyber event. It's important to verify that your third parties have strong cybersecurity practices in place.
New Ncontracts survey data reveals how financial institutions are managing third-party risk, a major security incident at the OCC compromises sensitive financial institution information, and U.S. states are introducing new privacy bills. Check out the news below.
Financial institutions face increasing regulatory pressure with lean TPRM teams per new Ncontracts survey: Ncontracts' 2025 Third-Party Risk Management Survey shows financial institutions under increasing pressure to improve their third-party risk management programs. Most institutions (73%) have only one or two employees managing vendor risk while overseeing more than 300 vendors. Cybersecurity and artificial intelligence risks remain top concerns, and 31% of institutions were told to make TPRM improvements after their most recent audit or exam.
Security incident at OCC compromises financial institutions' sensitive information: The Office of the Comptroller of the Currency (OCC) experienced a major security incident in which thousands of emails were compromised, exposing sensitive information about the financial condition of supervised institutions. The OCC is investigating the breach with help from third-party cybersecurity experts and is evaluating its IT security policies and procedures. Although these events aren't always preventable, it's important to continuously review vendor cybersecurity practices, including those of the regulators and other parties that hold your institution's data.
More U.S. states introduce new state privacy legislation: Several states, including Maine, North Carolina, Pennsylvania, and Wisconsin, recently introduced comprehensive privacy bills. The bills largely align with common themes in existing U.S. state privacy laws, such as a consumer right to access, correct, and delete personal data, and some would require organizations to disclose their data processing practices. Each bill still has to go through the legislative process. As more states adopt privacy laws, however, it's important to know your third parties' data privacy practices. (Need help keeping up with changing laws and regulations? Check out Ncomply.)
Evaluating third-party providers to protect open finance: As financial institutions embrace open banking through interconnected systems of APIs and third-party relationships, security concerns increase, including API vulnerabilities and third-party cybersecurity risk. Adopt proactive measures such as requiring third parties to follow security best practices: strong authentication, encryption, and routine penetration testing. Third parties must also be thoroughly vetted and continuously monitored. Evaluate their technical certifications, security protocols, and compliance history.
Reviewing third-party compliance with DORA: More than 22,000 financial entities must comply with the European Union's Digital Operational Resilience Act (DORA). A key component of compliance is managing third-party vendors that access sensitive data or systems. Conduct thorough due diligence, review each third party's incident reporting and recovery protocols, and request documented evidence of compliance during the due diligence process.
Third-party risk remains in the spotlight as more breaches expose thousands of people's data, the UK considers new legislation, and EU regulations like DORA raise the bar for vendor oversight, incident reporting speed, and supply chain security. Catch up on this week's news below.
Streaming company experiences third-party data breach: Cloud-based streaming company StreamElements confirmed a third-party data breach after stolen data was posted on a hacking forum. The company had stopped working with the third party last year, but older data held by that vendor was still exposed. The hacker claimed to have stolen data on 210,000 customers, including names, phone numbers, and email addresses. It's an important reminder that vendor contracts should require the return or destruction of sensitive data when the relationship ends, with verification that it was done.
UK to introduce cyber resilience bill with strict reporting rules and supply chain oversight: The United Kingdom plans to introduce the Cyber Security and Resilience Bill, which aims to enforce stricter incident reporting and faster patching of supply chain vulnerabilities. Organizations would need to report significant cyber incidents within 24 hours and submit detailed reports within 72 hours to the National Cyber Security Centre. The bill also seeks to bring managed service providers under regulation and to strengthen cyber hygiene requirements for essential and digital service providers and their supply chains.
Third-party software vulnerability causes university breach: A vulnerability in third-party software caused a data breach at Lee University in Tennessee. Attackers were able to access and download confidential information. It's not yet clear how many people were affected.
Assessing a critical vendor's security posture: As third-party cyberattacks increase, CISOs should ask critical vendors about their overall security program, how they integrate security into development, and whether they manage their own supply chain risk with a third-party risk management program. These questions help determine whether a vendor meets your organization's security standards; transparency and alignment are key to protecting shared systems and data. Review documentation that gives insight into the vendor's security program, such as SOC 2 reports or other certifications, rather than relying on questionnaire answers alone.
67,000 compromised in healthcare third-party data breach: A third-party data breach at an orthopedic clinic affected more than 67,000 New Hampshire residents. The third-party software involved is used for patient registration and check-in. Compromised information includes names, driver's license numbers, Social Security numbers, and health insurance information.
Importance of third-party compliance with DORA: Third-party vendors serving financial entities in the European Union (EU), including vendors based in the U.S., will be expected to meet the requirements of the Digital Operational Resilience Act (DORA). EU financial institutions will look for DORA alignment when selecting a vendor, including standards for operational resilience, cybersecurity, and third-party risk management. Vendors should audit their systems, review and improve their resilience protocols, and prepare for client audits to meet DORA's requirements.