Your Vendors Are Getting Hacked Once a Month. Here’s What That Means for Your Business.
Let’s start with a number that should make every executive pause: the average organization experienced 12 third-party breaches last year. That’s one breach per month, coming not from your own systems but from the vendors, suppliers, and service providers you’ve trusted with access to your data and operations.
This finding comes from ProcessUnity’s State of Third-Party Risk Assessments 2026 report, based on a survey of nearly 1,500 risk practitioners conducted by the Ponemon Institute. And here’s the kicker: while 90% of organizations experienced a third-party breach in the past year, 53% of respondents still expressed confidence that their third-party risk management programs were effective.
That disconnect between perception and reality reveals a fundamental problem in how businesses approach vendor relationships. Organizations believe they’re managing risk when the data clearly shows they’re not. The question isn’t whether your vendors will get breached—it’s whether you’ll know about it when they do, and whether you’ll be ready to respond.
5 Key Takeaways
1. Organizations Face an Average of 12 Third-Party Breaches Annually
Your vendors are getting compromised roughly once per month, according to ProcessUnity’s 2026 report surveying nearly 1,500 risk practitioners. Despite this alarming frequency, 53% of organizations still believe their third-party risk management programs are effective—a dangerous gap between perception and reality.
2. Most Vendor Risk Assessments Are Too Slow and Too Narrow
Six out of ten organizations take four months or longer to complete a single vendor assessment, and companies evaluate only 36% of their third parties on average. This means nearly two-thirds of your vendor relationships operate without formal security oversight while threats evolve daily.
3. Email Compromise Drives More Claims Than Ransomware
Business email compromise and funds transfer fraud account for 60% of all cyber insurance claims, dwarfing ransomware’s 20% share. Attackers who infiltrate vendor email systems can impersonate trusted contacts, harvest credentials, and initiate fraudulent transfers—making email security as critical as any vendor questionnaire.
4. Fourth-Party Risk Remains a Massive Blind Spot
Less than half of organizations assess their vendors’ vendors, and only 23% extend these assessments beyond critical suppliers. When incidents like the Snowflake breach cascade through interconnected supply chains, organizations without fourth-party visibility discover their exposure too late.
5. Manual Processes Cannot Keep Pace With Modern Threats
Nearly two-thirds of organizations still rely on spreadsheets for vendor risk assessments, while 27% of vendors never respond to assessment requests at all. AI adoption is accelerating—with 44% of organizations now using or planning AI-assisted assessments—but governance frameworks lag dangerously behind deployment.
The True Cost of Trusting Your Vendors
Third-party breaches aren’t just a security headache. They’re a financial gut punch.
According to Coalition’s 2025 Cyber Claims Report, the average third-party breach costs organizations around $42,000 to remediate. That might sound manageable until you consider that same data shows 52% of miscellaneous first-party losses stemmed from vendor incidents. When you factor in the cascading effects—legal fees, forensic investigations, breach notifications, customer churn, and regulatory scrutiny—the real costs climb dramatically higher.
The numbers from broader breach research paint an even starker picture. Third-party and supply chain compromises have emerged as the second most prevalent attack vector, and they’re among the costliest to address. When a breach originates from a third-party system, organizations now face remediation costs approaching $4.8 million on average. These incidents also take roughly 26 days longer to detect than breaches that originate internally, giving attackers more time to cause damage.
The Change Healthcare breach of 2024 stands as a cautionary tale. A phishing-triggered ransomware attack spiraled into the largest healthcare data breach ever recorded, affecting 190 million individuals and disrupting hospital networks nationwide. UnitedHealth spent over $2 billion responding to the incident and reimbursed providers more than $4.7 billion. When healthcare operations stall, the consequences extend far beyond financial metrics—patient lives hang in the balance.
Why Traditional Vendor Risk Management Is Failing
The ProcessUnity report exposes some uncomfortable truths about how organizations currently approach vendor oversight. On average, companies assess only 36% of their third-party vendors. That means nearly two-thirds of your vendor relationships operate in what amounts to a security blind spot.
Even when assessments do happen, they drag on far too long. Six out of ten organizations report that their vendor risk assessments take four months or longer to complete. More than a quarter say assessments consume over 160 hours of personnel time each. Meanwhile, threats evolve daily. A four-month assessment timeline means you’re evaluating a vendor’s security posture based on conditions that may have changed dramatically by the time you finish the paperwork.
The reliance on manual processes compounds the problem. Nearly two-thirds of organizations still use spreadsheets for their risk assessments. Spreadsheets work fine for tracking your budget or planning a project timeline. They’re woefully inadequate for managing the security posture of dozens or hundreds of vendors in real time.
Vendor responsiveness presents another challenge. According to the survey, 61% of organizations report that vendors typically take four months or more to respond to risk assessment questionnaires. Even more troubling: on average, 27% of vendors simply never respond at all. You can’t manage risk you can’t measure, and you can’t measure what vendors refuse to disclose.
The remediation picture looks equally grim. Only 16% of respondents said remediation was 90% to 100% complete before onboarding a new vendor. Nearly one in five reported that no remediation activities were typically completed before bringing a vendor into production. Organizations know the risks exist. They document them. Then they onboard the vendor anyway because business timelines won’t wait.
The Fourth-Party Problem Nobody Talks About
Your vendors have vendors. Those sub-contractors and service providers—commonly called fourth parties—often have access to the same sensitive data and systems as your direct vendors. Yet less than half of organizations perform any fourth-party assessments as part of their risk management programs. Only 23% extend these assessments beyond critical suppliers.
This gap creates what risk professionals call a concentration problem. When one major vendor experiences an incident, the damage cascades downstream to every organization that relies on them—and every organization that relies on their customers. The Snowflake credential breach of 2024 demonstrated how one vendor compromise can ripple across an entire ecosystem, affecting dozens of major enterprises including Advance Auto Parts, which reported a breach affecting more than 2.3 million people.
The Change Healthcare and CDK Global incidents further illustrate this risk aggregation. A single point of failure in the supply chain can create widespread operational disruption across an entire industry vertical.
Email: The Front Door Attackers Keep Walking Through
While third-party risk captures headlines, the Coalition report reveals that the most common path into your organization remains stubbornly consistent: email.
Business email compromise and funds transfer fraud account for 60% of all cyber insurance claims. Ransomware, despite its dramatic reputation, represents only about 20% of claims—though those incidents carry far heavier financial impact when they occur.
The intersection of email compromise and third-party risk creates a particularly dangerous attack surface. Attackers who gain access to vendor email systems can impersonate trusted contacts, initiate fraudulent fund transfers, and harvest credentials that grant deeper access to your environment. A 2025 incident at Coinbase demonstrated this risk when malicious insiders at a third-party support vendor exfiltrated user data and attempted a $20 million extortion scheme.
The practical implication: your email security controls and payment verification processes deserve at least as much attention as your vendor assessment questionnaires. The most sophisticated vendor risk framework won’t help if an attacker walks through your inbox because someone clicked a link that looked legitimate.
This is precisely why organizations handling sensitive data increasingly adopt email protection platforms that provide end-to-end encryption, advanced threat detection, and comprehensive audit trails. When email serves as both your primary communication channel and your biggest vulnerability, treating it as critical infrastructure rather than a commodity service becomes essential.
Ransomware: Still the Heavyweight Champion of Financial Impact
Despite declining severity year over year, ransomware remains the cost anchor for cyber insurance claims. Global ransomware severity averaged around $292,000 in 2024, and the threat continues evolving.
The Coalition report case study describes a scenario that plays out repeatedly across industries: attackers gain initial access through remote desktop software or other remote access tools, move laterally through the network, corrupt onsite backups to eliminate recovery options, and then deploy ransomware with threats of data leakage if payment isn’t made.
The backup corruption tactic deserves particular attention. Many organizations believe their backup strategy protects them from ransomware, but sophisticated attackers specifically target backup systems as part of their playbook. If your backups sit on the same network as your production systems, accessible through the same credentials, they offer false comfort rather than genuine protection.
Remote access tools present another critical vulnerability. The proliferation of remote work has dramatically expanded the attack surface available to malicious actors. Every VPN concentrator, remote desktop service, and cloud access portal represents a potential entry point that attackers actively probe.
Industry and Company Size: Risk Isn’t Distributed Equally
The Coalition data reveals meaningful variations in risk exposure based on industry sector and company size.
Consumer staples companies face the highest claims frequency at 2.60%, while energy sector organizations experience the highest severity at around $292,000 average loss per incident. Small and medium businesses with under $25 million in revenue accounted for 64% of total claims despite having lower frequency rates. This suggests that smaller organizations often lack the resources and expertise to prevent incidents, even though they’re less frequently targeted.
At the other end of the spectrum, enterprises with over $100 million in revenue experience claim frequency of nearly 6%—but they also have the resources to invest in more robust defenses. The severity they face averages around $228,000 per incident.
These variations have practical implications for risk management resource allocation. A small manufacturing company faces different threats than a large financial services firm, and their defensive investments should reflect those differences.
The AI Transformation: Opportunity and Risk Collide
Artificial intelligence is reshaping third-party risk management in ways both promising and concerning.
On the promising side, AI adoption for risk assessment is accelerating. According to the ProcessUnity survey, 25% of organizations have partially adopted AI to support their third-party risk assessments, 19% report full adoption, and 37% plan to adopt AI in the future. Among those using AI, 53% report that it frees up staff for higher-value tasks, 48% say it provides real-time intelligence, and 42% report improved management outcomes.
AI tools can accelerate assessment cycles, flag emerging risks in real time, and help organizations scale their monitoring capabilities without proportional increases in headcount. For organizations drowning in spreadsheets and questionnaires, this represents a genuine opportunity to transform their approach.
However, AI also introduces new risk vectors. Roughly one in six breaches in 2025 involved AI-driven attacks, with attackers using AI to craft more convincing phishing emails, automate vulnerability scanning, and accelerate their operations. Shadow AI—employees using AI tools without security oversight—has emerged as a significant cost multiplier, adding approximately $670,000 on average to breach expenses when present.
The governance gap is significant. Many organizations have deployed AI capabilities faster than they’ve developed policies to govern their use. Regular audits for unsanctioned AI tools remain the exception rather than the rule.
The Point Solution Problem: Why Fragmented Security Creates Risk
One pattern emerges repeatedly in breach post-mortems: organizations with fragmented security architectures—a different tool for email, another for file sharing, separate systems for forms and data collection—struggle to maintain consistent protection and visibility across their operations.
Each point solution introduces its own security model, its own access controls, its own audit logging, and its own potential vulnerabilities. When these systems don’t communicate effectively, gaps emerge. An attacker who compromises one system can often pivot to others because the fragmented architecture lacks unified visibility and control.
The Coalition data on vendor concentration risk reinforces this point. When 52% of miscellaneous first-party losses stem from third-party incidents, the number of vendors in your security stack directly correlates with your exposure. Every additional vendor relationship—including security vendors themselves—expands your attack surface.
This reality drives growing interest in unified platforms that consolidate sensitive content communications under a single security architecture. Rather than managing separate tools for secure email, file sharing, managed file transfer, and web forms, organizations can reduce complexity and risk by adopting integrated solutions with consistent security controls, centralized policy management, and comprehensive audit capabilities across all sensitive data flows.
Web Forms: The Overlooked Attack Vector
While email dominates the claims statistics, web forms represent an increasingly exploited vulnerability that deserves attention. Every form that collects sensitive data—patient intake information, financial applications, employee onboarding documentation, customer service requests—creates a potential entry point for attackers and a compliance liability for organizations.
Traditional web form platforms prioritize convenience over security. They operate on multi-tenant architectures where a single breach can expose data from thousands of organizations simultaneously. They store submissions in unencrypted databases. They lack the audit trails regulators increasingly demand.
For organizations collecting sensitive data through secure web forms, security requirements should include encryption at rest and in transit, granular access controls, comprehensive audit logging, and integration with existing identity management systems. Forms that collect healthcare data need HIPAA-compliant infrastructure. Forms processing financial information require SOX-appropriate controls. Generic form builders rarely meet these requirements out of the box.
Compliance: The Cost Multiplier Nobody Budgets For
Incidents don’t stay in the security department. They become compliance events with their own workstreams and cost centers.
Coalition attributes rising business email compromise severity partly to the expanding burden of legal expenses, incident response costs, data mining efforts, and notification requirements. When a breach occurs, counsel gets involved. Regulators may come calling. Affected individuals must be notified. Evidence must be preserved. All of this consumes resources and extends the financial impact well beyond the initial incident.
The compliance dimension transforms what might be a contained security incident into an organization-wide crisis. Healthcare organizations face HIPAA notification requirements and potential penalties. Financial institutions must navigate SOX implications. Any organization handling EU resident data confronts GDPR’s strict breach notification timelines and substantial fine exposure.
Organizations that treat compliance readiness as an afterthought face longer recovery timelines and higher costs. Building the infrastructure for incident response—knowing which counsel to call, having notification templates ready, understanding regulatory requirements—should happen before you need it, not during a crisis.
Automated compliance reporting and comprehensive audit trails don’t just satisfy regulators—they accelerate incident response by providing immediate visibility into what data was affected, who accessed it, and when. This capability can mean the difference between a contained incident and a regulatory catastrophe.
Data Sovereignty: The Emerging Compliance Frontier
As organizations grapple with third-party risk, data sovereignty has emerged as a critical consideration that many vendor risk programs overlook. Data sovereignty laws now span over 100 countries, each with specific requirements for where sensitive data can be stored and processed.
When your vendors store or process your data, their data residency decisions become your compliance problem. A vendor that routes European customer data through U.S. servers may expose your organization to GDPR violations regardless of your own infrastructure choices. A healthcare vendor that stores patient information in a jurisdiction without adequate privacy protections creates HIPAA liability for your organization.
This extends to government data access as well. Legislation like the U.S. CLOUD Act can compel vendors to produce data stored in foreign jurisdictions, potentially forcing conflicts between legal obligations and contractual commitments. Organizations with strict data sovereignty requirements increasingly demand architectural guarantees—not just contractual promises—that their data remains within specified geographic boundaries and beyond the reach of foreign government requests.
Building a Third-Party Risk Program That Actually Works
The data points to several practical improvements organizations can implement to strengthen their vendor risk posture.
First, automation isn’t optional anymore. Manual spreadsheet-based processes can’t keep pace with the volume and velocity of modern vendor relationships. Organizations need to invest in platforms that can scale assessment activities, track remediation progress, and provide continuous monitoring capabilities. The goal isn’t to eliminate human judgment but to focus that judgment on decisions that matter rather than data entry and document chasing.
Second, prioritization matters more than completeness. You probably can’t assess every vendor with the same level of rigor, and you shouldn’t try. Implement a tiering system that concentrates your most intensive due diligence on vendors with access to sensitive data, critical systems, or significant operational dependencies. Lower-risk vendors can receive lighter-touch assessments with monitoring for red flags.
Third, extend visibility to fourth parties. Your critical vendors’ vendor relationships deserve attention, particularly when those sub-contractors handle sensitive data or provide services that affect your operations. Contractual requirements for fourth-party disclosure and assessment cooperation should become standard practice.
Fourth, consolidate where possible. Every additional vendor in your ecosystem represents additional risk exposure. Before adding another point solution, evaluate whether existing platforms can address the requirement. Unified architectures with consistent security controls reduce both complexity and attack surface.
Fifth, measure what matters. Only 49% of organizations in the ProcessUnity survey formally measure the effectiveness of their vendor assessments. Without metrics like assessment cycle time, remediation completion rates, vendor population coverage, and repeat findings, you’re flying blind. Establish baselines, track trends, and use data to drive improvement.
Sixth, don’t neglect the basics. While sophisticated vendor risk frameworks capture attention, the fundamentals still matter enormously. Email security controls, payment verification processes, remote access hardening, and backup resilience prevent more damage than elaborate assessment questionnaires ever will. Treat these as core controls, not baseline hygiene you can take for granted.
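As an added example (not from the article, ProcessUnity or Coalition), the following Python computes the program metrics the steps above call for (vendor population coverage, assessment cycle time, vendor non-response, remediation completion before onboarding, fourth-party visibility for top-tier vendors, and repeat findings) over a small constructed vendor register, then flags the ones that fall short of the survey figures the article cites. The tiering rule, the 365-day assessment validity window, the 120-day non-response threshold and the register entries are assumptions for illustration.

```python
"""Vendor-risk program metrics over a constructed vendor register.

Tiering rule, validity window and sample vendors are assumptions made for
this example; the benchmark figures are the ones quoted in the article.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

AS_OF = date(2026, 1, 31)         # fixed reporting date so results are reproducible
ASSESSMENT_VALIDITY_DAYS = 365    # assumed: an assessment older than a year no longer counts
NON_RESPONSE_DAYS = 120           # assumed: unanswered for four months counts as "never responded"

# Benchmarks quoted in the article (ProcessUnity 2026 survey).
BENCHMARKS = {"coverage_pct": 36.0, "median_cycle_days": 120, "non_response_pct": 27.0}


@dataclass
class Vendor:
    name: str
    sensitive_data: bool              # handles regulated or confidential data
    critical_system: bool             # has access to production or critical systems
    operational_dependency: bool      # an outage would halt a business process
    requested: Optional[date] = None  # date the questionnaire was sent
    completed: Optional[date] = None  # date the assessment was finished
    findings_total: int = 0           # findings raised in the current assessment
    findings_open: int = 0            # of those, still open at onboarding
    repeat_findings: int = 0          # findings also present in the previous cycle
    fourth_parties_disclosed: bool = False
    fourth_parties_assessed: bool = False


def tier(v: Vendor) -> int:
    """Assumed tiering: 1 = sensitive data plus critical access or dependency,
    2 = any single risk factor, 3 = none (lighter-touch monitoring only)."""
    factors = sum([v.sensitive_data, v.critical_system, v.operational_dependency])
    if v.sensitive_data and factors >= 2:
        return 1
    return 2 if factors else 3


def program_metrics(vendors: list[Vendor], as_of: date = AS_OF) -> dict:
    """Return the metrics the article names, computed from the register."""
    # Coverage counts only assessments that are still within the validity window.
    assessed = [v for v in vendors
                if v.completed and (as_of - v.completed).days <= ASSESSMENT_VALIDITY_DAYS]
    assessed_names = {v.name for v in assessed}
    requested = [v for v in vendors if v.requested]
    non_responders = [v for v in requested
                      if not v.completed and (as_of - v.requested).days > NON_RESPONSE_DAYS]
    cycle_days = [(v.completed - v.requested).days
                  for v in vendors if v.completed and v.requested]
    findings = sum(v.findings_total for v in assessed)
    closed = findings - sum(v.findings_open for v in assessed)
    tier1 = [v for v in vendors if tier(v) == 1]
    pct = lambda num, den: round(100.0 * num / den, 1) if den else 0.0
    return {
        "coverage_pct": pct(len(assessed), len(vendors)),
        "median_cycle_days": median(cycle_days) if cycle_days else None,
        "non_response_pct": pct(len(non_responders), len(requested)),
        "remediation_completion_pct": pct(closed, findings) if findings else 100.0,
        "tier1_fourth_party_assessed_pct": pct(sum(v.fourth_parties_assessed for v in tier1), len(tier1)),
        "repeat_findings": sum(v.repeat_findings for v in assessed),
        "tier1_unassessed": sorted(v.name for v in tier1 if v.name not in assessed_names),
    }


def flag_against_benchmarks(metrics: dict) -> list[str]:
    """Metrics that are no better than the survey averages the article quotes."""
    flags = []
    if metrics["coverage_pct"] <= BENCHMARKS["coverage_pct"]:
        flags.append("coverage_pct")
    if metrics["median_cycle_days"] is not None and metrics["median_cycle_days"] >= BENCHMARKS["median_cycle_days"]:
        flags.append("median_cycle_days")
    if metrics["non_response_pct"] >= BENCHMARKS["non_response_pct"]:
        flags.append("non_response_pct")
    return flags


# Constructed register: six hypothetical vendors, not real companies.
VENDORS = [
    Vendor("Payroll SaaS", True, True, True, date(2025, 9, 1), date(2025, 11, 15), 4, 1, 1, True, True),
    Vendor("Claims Processor", True, False, True, date(2025, 6, 1), date(2025, 12, 20), 6, 4, 2, True, False),
    Vendor("Support Desk BPO", True, True, False, date(2025, 8, 10)),          # never answered
    Vendor("Office Supplies", False, False, False),                           # never assessed
    Vendor("Marketing Analytics", False, False, True, date(2026, 1, 5)),      # response still pending
    Vendor("Backup Colo", False, True, True, date(2024, 10, 1), date(2024, 12, 1), 2, 0, 0),  # stale
]

if __name__ == "__main__":
    m = program_metrics(VENDORS)
    for key, value in m.items():
        print(f"{key:34s} {value}")
    print("below benchmark:", flag_against_benchmarks(m))
```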
Vendor Relationship Paradox
Modern businesses can’t operate without vendors. The specialization and scalability that third-party relationships provide are fundamental to competitive operations. Yet those same relationships create risk exposure that organizations struggle to manage effectively.
The path forward isn’t to minimize vendor relationships—that’s neither practical nor desirable. Instead, organizations must transform how they approach vendor risk from a periodic checkbox exercise to an ongoing discipline integrated into business operations.
The organizations that succeed will be those that treat vendor risk management as a strategic capability rather than a compliance burden. They’ll invest in the tools, processes, and skills needed to maintain visibility across their vendor ecosystem. They’ll build relationships with vendors that include security cooperation, not just service level agreements. And they’ll measure their performance continuously, improving their approach based on data rather than assumptions.
The numbers are clear: your vendors are getting breached, probably more often than you realize. The question is whether you’ll be ready when it happens to one of yours.
What This Means for Your Organization
If these statistics prompt some uncomfortable conversations in your organization, that’s probably a healthy response. Here’s where to focus attention first:
Review your vendor assessment coverage. What percentage of your vendors undergo formal risk assessment? If you’re at or below the 36% average, you have significant blind spots that need addressing.
Examine your assessment timelines. Four-month assessment cycles aren’t keeping pace with threat evolution. Identify bottlenecks and evaluate whether technology can accelerate the process without sacrificing quality.
Audit your fourth-party visibility. Do you know who your critical vendors rely on for their own operations? If not, you’re missing a significant dimension of your risk exposure.
Evaluate your platform fragmentation. Count the number of separate systems handling sensitive data in your organization. Each represents a potential vulnerability and a governance challenge. Consider whether consolidation could reduce both risk and complexity.
Test your backup recovery. Assume attackers will target your backups. Can you actually restore operations if your primary backup systems are compromised? When did you last verify this?
Assess your email security and payment controls. Given that email-based attacks drive the majority of claims, these controls deserve scrutiny proportional to the risk they address.
Verify your compliance readiness. When—not if—an incident occurs, will you have the audit trails, notification processes, and documentation needed to respond within regulatory timelines?
The good news: organizations that take these steps will be better positioned than the majority of their peers. The bad news: “better than average” still means significant exposure to vendor-driven incidents. True resilience requires sustained attention and continuous improvement, not one-time projects.
Your vendors are part of your security perimeter whether you acknowledge it or not. The organizations that thrive will be those that manage this reality proactively rather than learning its implications through painful experience.
To learn how Kiteworks can help, schedule a custom demo today.
Frequently Asked Questions
It means the average organization suffered a vendor-related security incident roughly once per month — not from its own systems, but from the suppliers, contractors, and service providers it trusts with access to data and operations. What makes this figure particularly alarming is the confidence gap it reveals: 53% of organizations still believe their third-party risk management programs are effective despite experiencing monthly breaches. This disconnect suggests that most vendor risk programs are measuring activity — assessments completed, questionnaires sent — rather than actual security outcomes.
Three structural failures undermine most programs. First, coverage is far too narrow — organizations formally assess only 36% of their vendors on average, leaving nearly two-thirds of vendor relationships operating without any security oversight. Second, assessments are far too slow — six in ten organizations take four months or longer to complete a single vendor review, meaning a vendor’s security posture can change dramatically before the assessment is even finished. Third, the process relies too heavily on manual work — nearly two-thirds of organizations still use spreadsheets for vendor risk management, and 27% of vendors never respond to assessment requests at all, leaving organizations making decisions on incomplete data.
Fourth-party risk refers to the security exposure created by your vendors’ vendors — the sub-contractors and service providers that your direct suppliers rely on. These fourth parties often access the same sensitive data and critical systems as your direct vendors, but most organizations have little or no visibility into them. Less than half of organizations perform any fourth-party assessments, and only 23% extend reviews beyond their most critical suppliers. The Snowflake breach of 2024 illustrated the danger: a single credential compromise cascaded across dozens of major enterprises, including Advance Auto Parts, which reported a breach affecting more than 2.3 million people. Without fourth-party visibility, organizations cannot accurately assess their true supply chain exposure.
By volume, business email compromise and funds transfer fraud account for 60% of all cyber insurance claims — three times the share attributed to ransomware. The third-party dimension makes this especially dangerous: when attackers compromise a vendor’s email system, they can impersonate a trusted contact your organization already works with regularly, making fraudulent requests far more convincing. The 2025 Coinbase incident demonstrated this directly — malicious insiders at a third-party support vendor exfiltrated user data and attempted a $20 million extortion scheme using access granted through a trusted vendor relationship. Standard email security controls and payment verification procedures deserve as much attention as vendor assessment questionnaires.
Start by addressing coverage before sophistication. Implement a vendor tiering system that concentrates the most rigorous due diligence on vendors with access to sensitive data, critical systems, or significant operational dependencies — even a tiered approach covering your highest-risk vendors is more effective than a uniform but superficial program covering everyone. Second, automate the time-consuming administrative work: assessment distribution, response tracking, and remediation follow-up all consume resources that could be redirected to analysis and judgment. Third, close the fourth-party blind spot for your most critical vendors before expanding oversight more broadly. Finally, don’t neglect the fundamentals — email security controls, payment verification processes, backup resilience, and remote access hardening prevent more damage than any assessment questionnaire, and they protect against the email-based attacks that drive the majority of claims.