Third-party risk has been a fixture of security program conversations for years. Most organizations with a mature GRC function have a vendor risk management process — tiering, assessments, questionnaires, contractual requirements. The process exists. The problem is that the scale and nature of supply chain attacks have outpaced what those processes were built to handle.
Over the past five years, major supply chain and third-party breaches have quadrupled, according to IBM’s X-Force Threat Intelligence Index 2026. That’s not a marginal increase. It’s a fundamental shift in how threat actors approach enterprise targets — and it has direct implications for how third-party risk programs need to be structured.
Why Supply Chain Is the Preferred Attack Vector
The logic is straightforward. Targeting a large enterprise directly means engaging with their security controls — EDR, network monitoring, MFA, a funded security team. Targeting a smaller vendor with access to that enterprise means engaging with a much smaller security investment while achieving the same result: access to the enterprise’s data or systems.
Recent incidents have involved attackers leveraging compromised platforms to pivot into enterprise environments through legitimate, trusted integrations — the kind of access that doesn’t trigger standard detection rules because it looks like normal vendor activity.
This is the core challenge with supply chain risk. The attack doesn’t look like an attack at the point of entry. It looks like a vendor doing what vendors do. By the time the lateral movement begins, the initial compromise may already be weeks old.

Where Traditional TPRM Falls Short
Most third-party risk management programs were designed around point-in-time assessments. You onboard a vendor, complete a risk questionnaire, review their SOC 2, assign a risk tier, and schedule a reassessment in 12 months. That model made sense when the threat environment was relatively stable and supply chain attacks were less targeted.
The current environment breaks several of those assumptions. A vendor that passes an annual assessment in January may have a material security incident in March, a leadership change that affects their security program in May, and a compromised integration in your environment by July — all without triggering a reassessment under a traditional annual cadence.
The gap isn’t process design. It’s the frequency and the triggers. Annual assessments measure a vendor’s security posture at one point in time. They don’t provide visibility into changes between assessments. For your highest-risk vendors, that gap is where your exposure lives.
The Continuous Monitoring Problem
Continuous third-party monitoring is the conceptual answer to the assessment cadence problem, but implementation is where most programs struggle. Monitoring every vendor continuously isn’t feasible. Monitoring no vendors between assessments isn’t sufficient. The practical solution is tiered monitoring — applied more frequently and more deeply to the vendors with the most access to your most sensitive systems.
For Tier 1 vendors — those with direct access to production systems, sensitive data, or critical operational dependencies — consider a quarterly touchpoint that includes a brief security posture check, a review of any public incidents or vulnerability disclosures, and a confirmation that contractual security requirements are still being met. That’s not a full reassessment. It’s a structured check-in that catches material changes before they become your incident.
For Tier 2 and below, the annual cadence may still be appropriate, but your offboarding process matters as much as your assessment process. Vendors that are deprovisioned but not formally removed from your environment — with integrations left active and credentials never revoked — are a persistent risk that assessments don’t address.
The Contractual Foundation
Before monitoring can be meaningful, the contractual foundation needs to exist. Your vendor contracts should specify security requirements — not vague commitments to “reasonable security,” but documented obligations around specific controls, incident notification timelines, right-to-audit provisions, and data handling requirements.
Incident notification timelines are particularly important in the current environment. If a vendor has a security incident that may affect your data or systems, how quickly are they contractually obligated to notify you? Twenty-four hours? Seventy-two? Many vendor contracts are silent on this, which means the vendor controls the timeline and you may not find out until they’ve contained the incident internally — or until you read about it in the news.
Right-to-audit provisions are similarly important and similarly absent from many vendor agreements. If you can’t audit a vendor’s security controls on request, your only view into their posture is what they self-report in questionnaires — which is not the same thing.
Practical Steps
- Tier your vendors by access and criticality, not just data classification. A vendor with privileged access to production systems is Tier 1 regardless of how much data they touch.
- Implement quarterly check-ins for Tier 1 vendors. Structure them around material changes, public incidents, and contractual compliance — not a full reassessment.
- Audit your offboarding process. Identify vendors that have been deprovisioned in your procurement system but still have active integrations or credentials in your technical environment.
- Review your notification timeline requirements. Do your Tier 1 vendor contracts specify how quickly they must notify you of a security incident? If not, that’s a contract renewal priority.
- Add supply chain scenarios to your tabletop exercises. Most tabletops simulate direct attacks on your environment. Running a scenario where the initial compromise is at a trusted vendor tests a different set of detection and response capabilities.
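The tiering, quarterly check-in and offboarding audit steps above, as an added Python example that is not from the original article: it reconciles a constructed procurement export against a constructed inventory of active integrations (the field names, sample vendors and the 90-day cadence are assumptions).

```python
from datetime import date, timedelta

# Constructed sample data (not real vendors): a procurement export and an
# inventory of integrations/credentials pulled from the technical environment.
PROCUREMENT = [
    {"vendor": "acme-payroll", "status": "active", "prod_access": True,
     "critical_dependency": False, "data_class": "internal"},
    {"vendor": "logo-studio", "status": "active", "prod_access": False,
     "critical_dependency": False, "data_class": "public"},
    {"vendor": "old-crm-migration", "status": "offboarded", "prod_access": True,
     "critical_dependency": False, "data_class": "confidential"},
]
INTEGRATIONS = [
    {"vendor": "acme-payroll", "credential": "api-key-01", "active": True},
    {"vendor": "logo-studio", "credential": "sso-app-03", "active": False},
    {"vendor": "old-crm-migration", "credential": "svc-account-07", "active": True},
]
LAST_CHECKIN = {"acme-payroll": date(2025, 11, 1)}  # no entry = never checked in

def tier(vendor):
    """Tier 1 is driven by access and criticality, not only by data classification."""
    if vendor["prod_access"] or vendor["critical_dependency"]:
        return 1
    if vendor["data_class"] in ("confidential", "restricted"):
        return 1
    return 2

def overdue_tier1_checkins(vendors, last_checkin, today, cadence_days=90):
    """Active Tier 1 vendors whose touchpoint is missing or older than the cadence."""
    overdue = []
    for v in vendors:
        if v["status"] != "active" or tier(v) != 1:
            continue
        last = last_checkin.get(v["vendor"])
        if last is None or today - last > timedelta(days=cadence_days):
            overdue.append(v["vendor"])
    return overdue

def orphaned_credentials(vendors, integrations):
    """Credentials still active for vendors that procurement already marks offboarded."""
    offboarded = {v["vendor"] for v in vendors if v["status"] == "offboarded"}
    return [i["credential"] for i in integrations
            if i["active"] and i["vendor"] in offboarded]

if __name__ == "__main__":
    today = date(2026, 3, 15)
    print("Tier 1 check-ins overdue:", overdue_tier1_checkins(PROCUREMENT, LAST_CHECKIN, today))
    print("Orphaned credentials:", orphaned_credentials(PROCUREMENT, INTEGRATIONS))
```

In practice the two inputs would be exports from the procurement system and from the identity provider or integration platform; the join key is whatever vendor identifier both systems share.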
The supply chain threat environment has structurally changed. The programs that were adequate three years ago are operating with assumptions that no longer hold. Adjusting the cadence, the monitoring approach, and the contractual foundation to reflect the current threat landscape isn’t a future roadmap item — it’s an active gap most programs need to close.
Discussion Questions
- Does your current third-party risk program include continuous or quarterly monitoring for Tier 1 vendors, or does it rely primarily on annual assessments? What would it take to add interim touchpoints for your highest-risk vendors?
- Do your Tier 1 vendor contracts specify incident notification timelines and right-to-audit provisions? When were those contracts last reviewed against your current security requirements?
- When did you last audit your vendor offboarding process? Are there deprovisioned vendors with active integrations or credentials still present in your environment?
Further Reading
- IBM X-Force Threat Intelligence Index 2026: https://www.ibm.com/reports/threat-intelligence
- NIST SP 800-161 Rev. 1 – Supply Chain Risk Management: https://csrc.nist.gov/publications/detail/sp/800-161/rev-1/final
- CISA Supply Chain Risk Management Essentials: https://www.cisa.gov/supply-chain-risk-management