Supply chain cyber risks outpace security maturity
Despite rising budgets and more mature third-party risk management programs, nearly all global organizations suffered supply chain cyber incidents in 2025, highlighting gaps in executive buy-in, integration, and risk-focused execution.

Despite years of investment and growing sophistication in third-party risk management (TPRM), global organizations continue to suffer widespread supply chain cyber incidents, underscoring a widening gap between program maturity and real-world outcomes, according to the State of Supply Chain Defense: Annual Global Insights Report 2025.
The report found that 97% of organizations were negatively impacted by at least one breach in their supply chain, up sharply from 81% in 2024, even as nearly half of respondents described their TPRM programs as established or optimized.
As the report bluntly states, “Mature programs don’t automatically equal positive outcomes.”
Maturity without organizational alignment
According to the study, 46% of surveyed organizations now classify their TPRM programs as established or optimized. Yet execution continues to lag because of internal friction.
With 60% of organizations citing internal resistance as a top barrier to program maturity and effectiveness, the report concludes that “the strategy may be there, but tactically it’s hard to execute without far-reaching support.”
Executive engagement remains limited. Only 24% of organizations brief senior leadership on third-party cyber risk monthly or more often, while most do so every three to six months. The report warns that “without this visibility, executives likely won’t throw their support behind a program they don’t understand or aren’t fully aware of.”
This disconnect is especially pronounced in financial services. Once considered an industry benchmark, the sector now has only 36% of respondents reporting established or optimized programs, and just 17% brief senior leadership monthly or more. At the same time, 99% of financial services organizations experienced breaches in the past year, the highest rate among surveyed industries.
The findings reinforce the report’s conclusion that “maturity is not a single destination, but rather a living program that requires engagement and support.”
Compliance over risk reduction
A central finding of the 2025 report is that compliance, rather than risk reduction, continues to dominate TPRM strategy.
Only 16% of respondents identified risk reduction as a primary program driver, while cyber insurance requirements, contractual obligations, and board mandates ranked higher. The report cautions that “organizations are building TPRM programs to check a compliance box and not necessarily reduce risk.”
While compliance remains necessary, the study emphasizes that “compliance is step one, not necessarily the end goal.” The persistence of incidents reinforces that warning, with the report noting that “97% of organizations experienced at least one breach in their supply chains.”
Organizational structure compounds the problem. Although 36% of programs now sit within cyber or IT teams, 64% remain housed in legal, finance, or procurement, functions the report describes as being “structurally oriented toward meeting contractual and regulatory requirements, not proactively reducing exposure.”
The result, the report warns, is that “checking the compliance box can lead to a false sense of security.”
Growth outpacing control
Risk exposure is accelerating as vendor ecosystems expand. The study found that 96% of organizations expect their vendor ecosystems to grow in the next year, widening the attack surface across industries.
Yet many organizations are adding vendors faster than they are building visibility or remediation capacity. More than half of respondents said they consider 30% to 50% of their suppliers “critical,” a designation the report argues loses meaning at that scale. As the study notes, “If half your vendors are critical, you may be lacking a strong prioritization strategy.”
The report also criticizes reliance on simplistic tiering models, warning that “basing prioritization on factors like contract value or operational criticality fails to capture the full picture of risk.”
Integration gaps and operational silos
Across sectors and regions, the lack of integration between TPRM tools and broader enterprise risk or governance, risk, and compliance systems emerged as the top operational challenge.
The report states that “a fragmented program unfortunately leads to fragmented results,” adding that siloed teams reduce visibility, slow incident response, and make it harder to demonstrate value to senior leadership.
Even as organizations invest in monitoring platforms, security ratings, and automation, the study emphasizes that “technology alone won’t solve the fundamental challenges of organizational alignment and strategic prioritization.”
Signs of progress
Despite persistent weaknesses, the report highlights areas of improvement. Forty-five percent of organizations now work directly with vendors to remediate issues, a shift the study describes as “a step in the right direction.”
Spending is also rising, with 95% of respondents estimating that their TPRM spending increased over the past 12 months, signaling stronger financial commitment even if execution remains uneven.
The defense sector emerged as the most mature and aligned. Sixty percent reported established or optimized programs, 30% briefed senior leadership monthly or more, and 47% collaborated closely with vendors. Still, the industry averaged 3.5 supply chain breaches, underscoring what the report calls “just how sophisticated the threats have become.”
APAC: uneven maturity, relationship-driven mitigation
Results across APAC were uneven. The region reported the lowest overall maturity rate at 32%, yet averaged fewer breaches than the global mean.
Singapore stood out with 60% program maturity and strong executive engagement, while the Philippines reported 23% maturity and 100% breach impact. The contrast highlights what the report describes as “the range of economic and cultural nuances across this region.”
APAC also showed the highest rate of direct vendor collaboration at 47%, suggesting that relationship-based approaches can partially offset technical gaps. However, the report cautions that “as these vendor ecosystems grow, relying on collaboration alone can lead to critical blind spots.”
A turning point for supply chain defense
After six years of data, the 2025 report concludes that organizations face a decisive moment. “It’s no longer a question of ‘should we build this program?’ but now, ‘how do we do this effectively?’”
The study’s core warning is unequivocal: “Without organizational alignment, even the most sophisticated programs will fail to thrive.” As supply chains continue to scale and digitize, the report argues that integrated systems and a genuine focus on risk reduction — not box-checking — will determine whether organizations achieve resilience or remain trapped in recurring disruption.
