The paradox of third-party risk: Confidence rises as exposure grows

Executive Summary

Third-party risks are expanding. Mitigation practices aren’t evolving fast enough.

For the second consecutive year, SecurityScorecard surveyed leaders who oversee or manage third-party cybersecurity risks within their organization. The results reveal a third-party risk management paradox, defined by a widening gap between leaders’ high confidence and the demonstrable deficiencies in their supply chains. Among the key findings:

Confidence is high, but concern is widespread. Despite 86% of leaders expressing concern about supply chain risks, 90% remain confident that their business could seamlessly continue operations if a vendor suffered a cybersecurity incident.

Massive gaps in vendor oversight exist. Most (78%) organizations admit their internal cybersecurity programs cover less than 50% of their total vendor ecosystem, including third, fourth, and fifth parties, leaving serious blind spots across their growing risk landscape.

Mitigation practices are slow and outdated. More than half (55%) of respondents still depend on manual methods like phone calls, meetings, or emails to collaborate with vendors during a breach. As a result, it takes 60% of organizations 8 days or more to remediate a high-severity issue.

Rising AI threats demand continuous monitoring. Organizations continue to favor static assessments, with 67% using security audits and 46% relying on periodic (monthly/quarterly) monitoring, even though leaders acknowledge the growing risk of AI-driven threats.

The need for automated third-party risk management (TPRM) strategies is growing. The reliance on outdated tactics, coupled with nearly half (49%) of respondents’ struggles to keep pace with changing regulations, underscores the urgent need for more mature TPRM approaches.

The supply chain vendor landscape is multiplying rapidly, and AI is accelerating the pace of threats. The question is: Are organizations’ third-party risk management (TPRM) strategies keeping up with 2026’s threats, or are they relying on risk management practices from the 2010s?

Keep reading to learn the scope of your peers’ vendor ecosystems, the challenges they’re encountering in securing them, and the plans they’re making to reduce their third-, fourth-, and fifth-party risks.

Table of contents

Executive Summary: Third-party risks are expanding. Mitigation practices aren’t evolving fast enough.
Section 1: As third-party ecosystems grow, so do the risks
Section 2: Leaders express confidence, but new threats are emerging
Section 3: Keeping up with regulations is an ongoing challenge
Section 4: Yesterday’s supply chain security practices aren’t strong enough
Section 5: With incident response, time is not on your side
Conclusion: Close the confidence-protection gap with stronger threat intelligence

Section 1: As third-party ecosystems grow, so do the risks

The number of third-, fourth-, and fifth-party vendors keeps expanding, raising supply chain cybersecurity concerns among leaders. This year, 86% of respondents expressed at least some level of concern about their third-party risks, similar to last year’s results. Yet the TPRM practices most organizations follow haven’t changed much over the last 12 months.

Most organizations (78%) manage 1,000 or fewer third-party vendors. When you extrapolate that out across fourth- and fifth-party suppliers, however, the complexity grows. Roughly two-thirds (67%) of respondents say they have over 1,001 total vendors in their ecosystem, and 34% have between 10,001 and 100,000+ suppliers.

[Chart: How concerned are you about supply chain cybersecurity?]

“What we hear most often from our customers is that when they get out to the fourth and fifth party, they feel even more exposed,” says Jeff Barker, VP of Product Marketing at SecurityScorecard. “Just one material incident can become a full-blown, five-alarm fire quickly.”

[Chart: What percentage of your total vendor ecosystem (up to the fifth party) is overseen by an internal supply chain cybersecurity program?]

The challenge, Barker explains, is trying to oversee and orchestrate tens of thousands of vendors with a relatively small internal team. Survey respondents concur. When asked to name the most significant challenge to their current supply chain cybersecurity program, one respondent said:

“The biggest blind spot is the lack of coordination and communication between us and our different suppliers…. Sometimes I feel overwhelmed with the large amount of vendors we have.”

As the number of nth-party vendors has increased, so have the risks. Third-party breaches doubled in 2025, according to Verizon’s latest Data Breach Investigations Report. Yet internal oversight of supply chain risks remains flat from last year. Just 9% of respondents say over three quarters of their total vendor ecosystem is overseen by an internal supply chain cybersecurity program, similar to 2025. More concerning: 64% of this year’s respondents s