Record Supply Chain Breaches Put Risk Programs Under Pressure
BlueVoyant’s latest State of Supply Chain Defense report delivers a message that’s hard to ignore. Ninety-seven percent of surveyed organizations suffered negative impacts from at least one supply chain cyber breach in the past year. That figure represents a double-digit increase from 81% in 2024. These attacks and their impacts occurred despite most firms increasing budgets and claiming to have mature third-party risk management programs.
“As the attack surface expands, an effective third-party risk management program is more important than ever,” said Joel Molinoff, Global Head of Third-Party Risk Management at BlueVoyant. He noted that “there is still more work to be done to ensure we can start closing this gap between program maturity and organizational commitment.”
From “Do We Need TPRM?” to “Why Isn’t It Working?”
The report’s foreword calls 2025 a turning point. Organizations now accept that they must run structured third-party risk management (TPRM) programs. The question now focuses on execution.
Nearly half of respondents (46%) describe their programs as established or optimized. Yet 60% identify internal resistance, poor collaboration, or weak executive support as their top challenges.
Attention follows visibility, so it is concerning that only 24% brief senior leadership on third-party cyber risk monthly or more often. Many boards see a snapshot only once or twice a year. That cadence limits their ability to connect cyber strategy, supply chain resilience, and cyber liability insurance requirements.
Compliance, Cyber Insurance, and the Risk Reduction Gap
The report shows that compliance drivers often outrun security goals. Only 16% of respondents name risk reduction as the primary purpose of their TPRM program.
You could argue it’s a distinction without a difference, but motivation isn’t irrelevant. Most leaders point instead to cyber insurance requirements, contractual obligations, or board mandates. Those pressures push teams toward audit readiness and checkbox exercises.
“Integrated systems and genuine commitment to risk reduction over simply meeting compliance requirements will be the difference in delivering positive security outcomes and drowning in box checking,” said Brendan Conlon, Global Director of Third-Party Risk Management at BlueVoyant.
For cyber insurers, this trend matters. Underwriters increasingly demand evidence of continuous third-party monitoring, clear vendor tiering, and proven remediation plans before they bind coverage. The report notes that sectors such as energy and utilities now list cyber insurance requirements as the top driver of their TPRM programs.
Integration Gaps, Siloed Tools, and Expanding Vendor Lists
Organizations keep buying tools, but across sectors, respondents cite a lack of integration with enterprise risk or GRC platforms as the top operational challenge.
The result is a patchwork of point solutions. Teams run questionnaires, external ratings, SBOM scans, and breach reporting feeds. Many then fail to combine those feeds into shared dashboards or decision workflows.
A graphic on page 18 shows the consequences. Almost every region reports around 97% of organizations impacted by supply chain breaches, with a global mean of 3.7 incidents per firm.
At the same time, 96% of respondents expect their vendor ecosystems to grow in the next year. Many already consider 30-50% of their suppliers “critical,” which dilutes that label’s meaning.
This growth raises the bar for cyber liability insurance requirements. Carriers now look for disciplined vendor tiering, not broad “critical vendor” lists that suggest weak prioritization.
Sector Snapshots: Leaders and Laggards
The report’s vertical analysis reveals sharp contrasts.
Defense
- Stands out as the maturity leader.
- 60% of defense organizations report established or optimized TPRM programs.
- 30% brief senior leaders monthly or more.
- 47% work directly with vendors on remediation efforts.
- Still face an average of 3.5 supply chain breaches per year.
Healthcare and Pharmaceutical
- Shows rapid progress but carries heavy exposure.
- Operates the fastest-growing vendor ecosystem, averaging 11% annual expansion.
- Reports the highest average breach count, at 4.1 incidents per organization.
Financial Services
- Once set the benchmark, but now lags.
- 64% of firms describe their programs as early or developing.
- 99% report negative impacts from supply chain compromises.
- Program ownership often sits in finance.
- This ownership structure can tilt efforts toward compliance and contract value over risk reduction.
Retail
- Reports the lowest average number of breaches, at 3.1 per organization.
- Often relies on vendor self-attestation to assess risk.
- 1 in 5 retail respondents use questionnaires without any external validation.
Manufacturing
- Uses many tools across its TPRM environment.
- Still averages 3.8 supply chain breaches per year.
- Leaders cite integration challenges between systems.
- Leaders also report internal resistance, even as boards demand stronger oversight.
Energy and Utilities
- Shows some of the most encouraging results.
- Reports the lowest breach impact rate, at 95%.
- Relies heavily on outsourcing remediation to specialist partners.
These sector patterns send signals to both regulators and insurers. Industries that depend on operational continuity, such as defense and energy, typically invest earlier and more deeply.
Regional Differences Highlight Culture and Governance
The U.S. and Canada lead in program maturity, with 54% of organizations reporting that their TPRM is established or optimized. They also show the highest rate of monthly executive briefings, at 34%. Yet 99% still report negative impacts from supply chain breaches.
The U.K. posts the highest mean breach count at 4.1 per firm, even though 45% of firms claim to have mature programs. Only 16% of U.K. organizations brief their leadership monthly or more often.
DACH countries report the lowest breach impact at 94%, but many rely solely on vendor attestation, without external validation.
APAC shows the widest spread. Singapore demonstrates strong maturity and frequent executive briefings, while the Philippines reports 100% breach impact and far weaker programs.
Across all regions, 95% of organizations say TPRM budgets increased over the past year.
What BlueVoyant Recommends Next
BlueVoyant closes the report with practical guidance. It urges organizations to monitor all vendors continuously and refine vendor tiering based on inherent risk, not contract size.
The company also calls for greater reporting and collaboration among internal stakeholders, as well as more frequent executive briefings. It recommends direct collaboration with vendors to close remediation loops and the use of AI-driven assessment workflows tailored by vendor type.
For buyers and brokers reviewing cyber liability insurance requirements, these steps offer a roadmap. They align with carrier expectations and support measurable reductions in third-party cyber exposure.