The Continuing Challenge of 3rd Party Risk
Third-party risk is the potential for financial loss, operational disruption, data breach, or compliance violation caused by an external vendor, supplier, contractor, or service provider that has access to the company's systems, data, or business processes. Third-party attacks on companies such as SolarWinds, CrowdStrike, Log4J, MOVEit, Delta, MGM Resorts, and Kaseya have caused a raft of negative headlines over the last few years and given CISOs and security leaders plenty of sleepless nights.
Third-party vendors caused an estimated $12.5 billion in breach-related losses across Fortune 500 companies in 2023 alone, and such attacks are continuing into 2026. Third-party risk remains top of mind for every CISO and security leader.
Notable third-party incidents and vendor breaches in 2026 so far include:
Vercel (April 2026): Attackers compromised a third-party AI tool, Context.ai, which a Vercel employee used, allowing them to access Vercel's internal systems, GitHub tokens, and source code via Google Workspace OAuth apps.
Crunchyroll (March 2026): A contractor's laptop in India was compromised, leading to a breach of 8 million support tickets, including sensitive customer data. The attack was targeted at a vendor with Okta SSO access.
Navia Benefit Solutions (Dec 2025–Jan 2026): Attackers used an exposed API to gain unauthorized access and steal personal and health-related data for 2.7 million individuals.
Ledger and Global-e (March 2026): Crypto platform Ledger confirmed a data breach related to its e-commerce payment partner, Global-e, exposing customer addresses and order details.
Marquis Software Solutions (March 2026): A 2025 ransomware attack on this service provider was disclosed in March 2026, impacting 74 downstream financial institutions and exposing data for 672,000 individuals.
Other cyber breaches in 2026 so far include: Match Group Data Breach, Stryker Cyberattack, Brightspeed Ransomware Attack, Nike Internal Data Breach, and Under Armour Data Leak.
Most security teams still rely on annual questionnaires and compliance checkboxes to assess these risks. When a payment processor is hit by ransomware, a cloud provider suffers an outage, or a software vendor ships compromised code, the financial and operational damage cascades directly to every customer depending on that service.
The challenge comes down to three factors. First, third parties often hold privileged network access, process sensitive customer data, or run mission-critical applications on your behalf. Second, you can't continuously monitor third-party security postures, patch cycles, or insider threats the way you monitor your own systems. Third, a breach or outage at a single widely used vendor can simultaneously affect hundreds or thousands of downstream customers, which makes such a vendor a force multiplier for attackers.
Some of the weaknesses that leave third-party relationships exposed include:
Software Supply Chain Vulnerabilities
Widespread Vendor Patching Gaps
Sub-Processor Data Breaches
Critical Service Provider Downtime
Financial Instability at Key Vendors
Embedded Fourth-Party Exposure
Credential Misuse By Outsourced Teams
Compliance Failures By Global Contractors
Cybersecurity Training Matters More Than Ever
Insider threats are still the biggest vulnerability, and with the emergence of AI those vulnerabilities will only increase and hackers will become more sophisticated. The companies best prepared for cyber threats invest in training across multiple levels. Most of these breaches were preventable. Common cyber challenges include:
Untrained employees
Misconfigured systems
Weak security processes
Skills gaps in IT and security teams
Reputational damage is the biggest challenge of all. It takes time to build trust, and yet it only takes a second to lose it.