Supply Chain Attacks Surge: Are Third-Party Risk Programs Failing?

New report reveals 97% of organizations impacted by supply chain breaches, despite increased investment in security. Is the focus on compliance eclipsing genuine risk reduction?

NEW YORK, NY – November 20, 2025

A staggering 97% of organizations have experienced negative impacts from supply chain breaches in the last year, according to a new report released today by BlueVoyant. The finding underscores the escalating threat posed by increasingly complex and interconnected supply chains, and raises serious questions about the effectiveness of current Third-Party Risk Management (TPRM) programs.

The Widening Attack Surface

The report, titled ‘State of Supply Chain Defense 2025,’ reveals a significant jump from the 81% of organizations impacted in the previous year. While increased investment in TPRM programs is evident, the report suggests a critical disconnect: compliance is often prioritized over genuine risk reduction. Only 16% of respondents indicated that risk reduction is the primary driver for their TPRM initiatives, a concerning statistic given the growing sophistication and frequency of supply chain attacks.

“We’re seeing a perfect storm,” explains one cybersecurity professional who wished to remain anonymous. “Organizations are relying more and more on third-party vendors to streamline operations and reduce costs, but they’re not adequately assessing or mitigating the associated risks. It’s a classic case of expanding the attack surface without bolstering defenses.”

The trend is corroborated by other recent threat reports. Verizon’s 2025 Data Breach Investigations Report reveals a 100% increase in breaches involving third parties, now accounting for 30% of all incidents. Meanwhile, a recent study by SecurityScorecard found that 71% of organizations experienced at least one material third-party cyber incident in the last 12 months.

Beyond Compliance: The Need for Proactive Risk Management

The BlueVoyant report highlights a critical flaw in many TPRM programs: a focus on ticking boxes rather than proactively identifying and mitigating risks. Many organizations are treating TPRM as a compliance exercise, prioritizing audits and questionnaires over continuous monitoring and threat intelligence.

“It’s not enough to simply ask vendors if they’re secure,” explains another industry analyst. “You need to continuously monitor their security posture, assess their vulnerabilities, and integrate threat intelligence into your risk assessments. It’s about shifting from a reactive to a proactive approach.”
