The 2026 Supply Chain Cyber Risk Report

Third-party breaches doubled as a share of all security incidents this year. Regulators across Europe and the United States now hold leadership personally accountable for vendor risk. And 95% of organizations increased their TPRM budgets in 2025, yet 97% still got breached through their supply chain anyway. The problem was never investment. It is program structure.

We are giving this report away with no email gate because the data in it belongs in your next board briefing, and we would rather you have it today than trade it for a form fill next week.

Key numbers:
  • 97% of organizations breached via supply chain in 2025
  • 30% of all breaches involved a third party, double the prior year
  • $4.8M average cost of a third-party breach
  • 286 average vendors per organization, up 21% year over year

What’s inside

1. The threat environment map. Where supply chain risk stands right now, broken out by industry and by geography, drawn from Verizon, BlueVoyant, the World Economic Forum, and Black Kite.
2. The regulatory picture. A side-by-side comparison of NIS2, DORA, the Cyber Resilience Act, GDPR, SEC rules, and CMMC, plus a country-by-country compliance status for France, Germany, Belgium, Switzerland, the UK, and the US.
3. What good TPRM looks like. The six practices that separate risk-driven programs from compliance-driven ones, with the business case data to justify the shift internally.
4. The AI factor. How shadow AI in your vendor ecosystem creates blind spots most TPRM frameworks were never built to catch, and what to do about it now.

The numbers behind the headline

Manufacturing has been the number one ransomware target for four straight years. European companies report vendors spanning 20 or more countries at nearly twice the rate of their North American counterparts.

  • 54% of large organizations call supply chain risk their top barrier to cyber resilience (WEF)
  • 76% of CISOs say regulatory fragmentation hurts their ability to stay compliant
  • 69% find current regulation too complex to verify third-party adherence
  • 16% of organizations cite risk reduction, not compliance, as their primary TPRM driver

Escalation and supply chain’s greatest hits

| Year | Incident | The Move | The Wake-Up Call | Damage Rating |
|---|---|---|---|---|
| 2013 | Target, via an HVAC vendor | Walked in through the air conditioning contractor | Third parties officially became “a way in,” not just a line item | Bad |
| 2017 | NotPetya | Turned a routine software update into a weapon | $10B+ in global damages. Trust in updates itself took the hit | Catastrophic |
| 2020 | SolarWinds | Poisoned the update mechanism of a tool everyone trusted | 18,000 organizations exposed, including the US government | Catastrophic |
| 2021 | Kaseya | Hit one MSP, took down 1,500+ businesses in the blast radius | Proved one vendor can cascade into thousands overnight | Very bad |
| 2023 | MOVEit | Compromised a single file-transfer tool | 2,700+ organizations and 93 million people caught in the net | Catastrophic |
| 2024 | CrowdStrike outage | No breach required, just concentration risk doing its thing | Delta alone lost about $350M. Vendor risk became operational risk | Very bad |
| 2025 | M&S, Qantas, and others | Nothing new, just business as usual now | Supply chain breaches stopped being headlines and became background noise | New normal |

Your vendors are not going to tell you when something is wrong. Their vendors definitely will not. The organizations that stop getting surprised by this are the ones that stopped waiting to be told, and started watching the deep, dark, and open web for the signal themselves. Everyone else is still reading questionnaire responses from companies that do not know they have already been compromised.

About the author