Third-Party Breach Report Reveals Growing Supply Chain Vulnerabilities

  • Black Kite's 2026 Third-Party Breach Report identified 136 major incidents in 2025, affecting 719 companies and an estimated 26,000 unnamed companies.
  • The average number of downstream victims per breach reached 5.28, the highest level observed to date.
  • The median time to detect an intrusion was 10 days, with a median disclosure lag of 73 days.
  • The top 50 vendors shared by the Forbes Global 2000 have a lower average Cyber Grade (83.9), and 70% of them have at least one CISA KEV exposure.

Black Kite's report highlights a systemic shift in third-party cyber risk, where traditional risk management strategies are failing to keep up with the evolving threat landscape. The interconnectedness of supply chains and the aggressive targeting of high-dependency vendors by threat actors are transforming isolated incidents into cascading failures. The finance sector's lower ransomware susceptibility scores suggest that regulatory frameworks and continuous audit expectations can mitigate risk, but other sectors lag behind.

  • Risk Concentration: How the concentration of risk among top 50 shared vendors will affect global supply chain resilience.
  • Regulatory Pressure: Whether sustained governance pressure in finance will force tighter controls in other sectors.
  • Active Intelligence: The pace at which security teams adopt active intelligence and systematic awareness to mitigate third-party risks.