The 2026 Supply Chain Cyber Risk Report
Third-party breaches doubled as a share of all security incidents this year. Regulators across Europe and the United States now hold leadership personally accountable for vendor risk. And 95% of organizations increased their TPRM budgets in 2025, yet 97% still got breached through their supply chain anyway. The problem was never investment. It is program structure.
We are giving this report away with no email gate because the data in it belongs in your next board briefing, and we would rather you have it today than trade it for a form fill next week.
Key numbers
- 97% of organizations breached via supply chain in 2025
- 30% of all breaches involved a third party, double the prior year
- $4.8M average cost of a third-party breach
- 286 average vendors per organization, up 21% year over year
What’s inside
1. The threat environment map. Where supply chain risk stands right now, broken out by industry and by geography, drawn from Verizon, BlueVoyant, the World Economic Forum, and Black Kite.
2. The regulatory picture. A side-by-side comparison of NIS2, DORA, the Cyber Resilience Act, GDPR, SEC rules, and CMMC, plus a country-by-country compliance status for France, Germany, Belgium, Switzerland, the UK, and the US.
3. What good TPRM looks like. The six practices that separate risk-driven programs from compliance-driven ones, with the business case data to justify the shift internally.
4. The AI factor. How shadow AI in your vendor ecosystem creates blind spots most TPRM frameworks were never built to catch, and what to do about it now.
The numbers behind the headline
Manufacturing has been the number one ransomware target for four straight years. European companies report vendors spanning 20 or more countries at nearly twice the rate of their North American counterparts.
- 54% of large organizations call supply chain risk their top barrier to cyber resilience (WEF)
- 76% of CISOs say regulatory fragmentation hurts their ability to stay compliant
- 69% find current regulation too complex to verify third-party adherence
- 16% of organizations cite risk reduction, not compliance, as their primary TPRM driver
Escalation and supply chain’s greatest hits
| Year | Incident | The Move | The Wake-Up Call | Damage Rating |
|---|---|---|---|---|
| 2013 | Target, via an HVAC vendor | Walked in with network credentials stolen from the air conditioning contractor | Third parties officially became “a way in,” not just a line item | Bad |
| 2017 | NotPetya | Turned a routine software update into a weapon | $10B+ in global damages. Trust in updates itself took the hit | Catastrophic |
| 2020 | SolarWinds | Poisoned the update mechanism of a tool everyone trusted | 18,000 organizations exposed, including the US government | Catastrophic |
| 2021 | Kaseya | Exploited one MSP management tool (Kaseya VSA) and rode it through dozens of MSPs to 1,500+ downstream businesses | Proved one vendor can cascade into thousands overnight | Very bad |
| 2023 | MOVEit | Compromised a single file-transfer tool | 2,700+ organizations and 93 million people caught in the net | Catastrophic |
| 2024 | CrowdStrike outage | No breach required, just concentration risk doing its thing | Delta alone lost about $350M. Vendor risk became operational risk | Very bad |
| 2025 | M&S, Qantas, and others | Nothing new, just business as usual now | Supply chain breaches stopped being headlines and became background noise | New normal |
Your vendors are not going to tell you when something is wrong. Their vendors definitely will not. The organizations that stop getting surprised by this are the ones that stopped waiting to be told, and started watching the deep, dark, and open web for the signal themselves. Everyone else is still reading questionnaire responses from companies that do not know they have already been compromised.
