CISOs flag gaps in third-party risk management

Third-party cyber risk continues to concern security leaders as vendor ecosystems grow, supply chains stretch, and AI plays a larger role in business operations. A recent Panorays survey of U.S. CISOs shows rising third-party incidents and growing regulatory attention, while visibility beyond direct vendors and the resources to manage that risk continue to fall short.

[Figure: Ranking of third-party cyber risk compared to other cybersecurity risks]

Third-party risk remains a top concern

CISOs rank third-party cyber risk among their highest-impact threats. Vendor relationships touch nearly every core business function, from cloud infrastructure and software development to data processing and AI services. Each added dependency expands the attack surface and increases the number of organizations involved in protecting sensitive systems and data.

Security leaders describe third-party exposure as a core risk management issue that affects business continuity. This view reflects growing awareness that failures outside the organization can disrupt internal operations.

Reported third-party incidents continued to rise over the past year. CISOs say these events stem from a mix of direct vendors and deeper supply chain relationships. Many incidents traced back to fourth parties or more distant connections, including subcontractors and affiliates.

This pattern shows how attacks move through layered ecosystems. Many organizations focus oversight on direct vendors, while activity further downstream receives less attention. Attackers take advantage of these less visible links, where monitoring and accountability weaken.

Visibility fades beyond direct vendors

Only a small portion of organizations report visibility across third-, fourth-, and nth-party relationships. Most operate with partial insight limited to direct vendors or a narrow segment of the extended supply chain.

CISOs say limited visibility complicates incident response, risk prioritization, and compliance planning. When a breach emerges several layers removed from a known vendor, security teams may struggle to understand exposure, timelines, and downstream impact.

The data shows that extended supply chain oversight remains one of the most persistent gaps in third-party risk programs.

Regulatory pressure outpaces preparedness

CISOs report rising regulatory scrutiny tied to third-party cyber risk. Regulatory frameworks place greater expectations on organizations to demonstrate oversight across vendor ecosystems, including indirect relationships.

Only a minority of organizations feel ready to meet upcoming requirements without major changes. Most report progress underway, with further work needed to align processes, tooling, and internal coordination.

Third-party risk management involves legal, procurement, compliance, and executive leadership alongside security teams. CISOs point to growing expectations for documented oversight and faster response during vendor incidents.

Common tools struggle with layered risk

Governance, risk, and compliance platforms are widely used to manage vendor risk. CISOs say these tools support reporting and compliance tracking, though they often fail to reflect fast-changing exposure across complex supply chains.

Traditional vendor security questionnaires show similar limitations. CISOs describe them as static and poorly suited to ongoing assessment. Periodic reviews often miss changes that occur between cycles, especially when vendors rely on their own extended networks.

As vendor counts grow into the hundreds or thousands, manual workflows add strain to security teams and increase the likelihood that emerging risks go unnoticed.

AI changes how organizations view vendor risk

CISOs view AI vendors as carrying a distinct risk profile. Concerns focus on data handling practices, limited transparency into models, and unpredictable behavior in AI-driven systems.

Despite this awareness, many organizations still onboard AI vendors through general third-party processes. Dedicated onboarding policies for AI vendors remain limited, particularly among smaller enterprises.

“The rise of AI has only made supply chains more complex, and the connected nature of these data-dependent systems is expanding the attack surface. CISOs are increasingly seeing the value of AI-driven solutions to increase clarity around the evolving threat landscape,” said Matan Or-El, CEO of Panorays.

At the same time, AI adoption accelerates within vendor risk management itself. Organizations use AI-based tools to support assessments and monitoring. CISOs say these tools reduce repetitive work and allow teams to focus on higher-risk findings as vendor ecosystems expand.

Only a small share of organizations report having a comprehensive, tested response plan for third-party breaches. Most rely on plans of limited scope or on plans that are still in development.

CISOs link this gap to longer containment timelines and greater operational disruption during vendor incidents. Larger organizations report higher levels of preparedness, though response planning remains uneven across company sizes.