Application security, Governance, Risk and Compliance, Critical Infrastructure Security, Third-party code, Supply chain, Risk Assessments/Management

Most organizations had a third-party breach in the last year

Organizations face an average of 12 third-party breaches per year, or about one per month, according to ProcessUnity’s State of Third-Party Risk Assessments 2026 report published Tuesday.

The report is based on a survey of 1,465 third-party risk practitioners, managers and leaders — including information technology (IT), security, risk and compliance staff — conducted by the Ponemon Institute.

While 53% of respondents expressed confidence that their third-party risk management (TPRM) programs were effective, 90% of respondents said their organizations faced a third-party breach within the past year. Additionally, only 49% of respondents said they formally measured the effectiveness of their third-party assessments.

Survey results also indicated lagging third-party risk assessment timelines and incomplete coverage, with 60% of organizations reporting their assessments took four months or longer on average and organizations only assessing 36% of their third-party vendors on average.

“This research shows that many third-party risk programs still lack maturity and fall short on outcomes. Organizations of all sizes invest in TPRM, but that effort doesn’t always translate into efficient, effective assessments or consistent risk reduction,” Scott West, vice president of product marketing at ProcessUnity, said in a statement.


Related reading:


Assessments were reported to take up more than 40 personnel-hours each for most of respondent organizations (63%), with 28% saying assessments took more than 160 hours on average. More than two-thirds (64%) reported using spreadsheets for their risk assessments, indicating continued reliance on manual processes for most organizations.

However, the adoption of AI to assist with TPRM processes is reportedly growing, with 25% partially adopting the technology to support their third-party risk assessments, 19% reporting full adoption, and 37% reporting plans to adopt AI in the future.

AI was reported to help free up staff for higher-value tasks by 53% of respondents, while 48% said it provided real-time intelligence and 42% said it led to better management.

When it comes to fourth-party risk, less than half (42%) of respondents reported performing any fourth-party assessments as part of their TPRM program, and only 23% reported extending these assessments beyond critical suppliers.

Remediation of third-party risk assessments findings also showed lag, with only 16% saying remediation was 90% to 100% complete upon onboarding on average, and 18% saying no remediation activities were typically completed before onboarding.

Lack of remediation due to resource constraints was reported by 66% of respondents, while 46% said an immediate need to onboard the vendor accounted for a lack of remediation.

Organizations also reported difficulties in receiving vendor responses to risk assessment questionnaires, contributing to longer assessment times. Sixty-one percent said vendors typically took four or more months to respond, while, on average, 27% of vendors did not respond at all to assessment requests.

ProcessUnity concluded that organizations could improve outcomes by adopting automation to scale risk assessment processes, prioritizing access to actionable risk data to make more informed risk decisions, and measuring the effectiveness of their TPRM programs through metrics like remediation completion, assessment cycle time, vendor population coverage and reduction of repeat findings.

Third-party breaches pose a major threat to organizations, with SecurityScorecard reporting last year that third-party compromises accounted for more than a third (36%) of data breaches in 2024. Third-party breaches are estimated to cost organizations about $42,000 on average, based on Coalition’s 2025 Cyber Claims Report.

You can skip this ad in 5 seconds