See No Evil: CISOs Still Struggle To Spot Third-Party Risk Across Expanding Supply Chains


Security leaders today face a ‘see no evil’ problem: they cannot protect what they cannot see. Panorays calls third-party cyber risk and defense a “critical challenge” for 2026, and its new CISO survey shows a wide gap between incidents and awareness. While 60% of CISOs have seen more third-party security incidents, only 15% say they have full visibility into their supply chain. Much of the supply chain risk therefore stays hidden from view, and that lack of visibility carries straight into cyber insurance discussions.

Underwriters want to see controls, monitoring, and response plans, yet many insured companies still cannot map their own vendor dependencies. This adds pressure to security leaders who are already stretched thin: too many tools, too few staff, and a constant stream of alerts make the job harder. When leaders are overwhelmed, burnout becomes a real business risk.

Key Findings: Visibility Collapses Where Risk Multiplies

Panorays surveyed 200 CISOs at US companies in finance, insurance, technology, healthcare, and software development. An independent research firm ran the study in October 2025.

Eighty-five percent of organizations do not have a full view of supply chain threats. There was some progress: full visibility rose to 15% from 3% last year. Still, most teams operate with blind spots.

These visibility gaps hurt preparedness. Seventy-seven percent see third-party exposure as a major risk, but only 21% have tested their crisis response plans for vendor incidents. An untested plan makes vendor outages and ransomware harder to contain, and even a small problem at one vendor can ripple out to many of its customers.

Most Teams Watch Only The Front Door

The survey shows that most teams monitor only the first tier of their supply chains. Just 41% look at risk beyond direct suppliers, so deeper tiers go largely unexamined. Fourth parties often hold access through integrations and shared tooling, and attackers target these less-watched layers because defenses are weaker there.


Panorays explains that teams focus on the obvious risks while larger dangers stay hidden: inherited credentials, unmanaged connections, and vendors that change owners, tooling, or hosting without notice.

For cyber insurers, this situation increases accumulation risk. If one widely used provider is compromised, many insured companies can be hit at the same time, and losses from a single shared-vendor incident can stack up across a portfolio. Gaps in visibility make that risk harder to price.

Shadow AI Creates New Third-Party Attack Paths

Hidden third-party risk also follows new technology. As more companies adopt AI, confusion about how to govern it grows. Panorays points out that ‘shadow AI’ is a growing challenge: only 22% of organizations formally assess third-party AI tools. Teams often start using black-box AI services quickly, and security may not learn of them until they are already in use.

The survey found that 60% see shadow AI as especially risky. The risk usually starts with access: AI tools can ingest sensitive data and retain it, and they can connect to email, ticketing systems, code repositories, and cloud storage. Each of those connections widens the attack surface.

Panorays CEO Matan Or-El linked this trend to unmanaged adoption, saying vulnerabilities “aren’t going away” because of “a dangerous lack of visibility,” especially since only 15% can map their full supply chains.


GRC Frustration Rises As Manual Work Returns

Many organizations have invested in GRC platforms. Panorays found that 61% use them, but 66% say these tools do not keep up with fast-changing vendor risk. The gap pushes teams back to manual workarounds, which miss important signals and cost time.


Panorays also pointed out a paradox: even though more companies adopted GRC tools this year, most still lack full visibility (only 15% report it). Buying more tools does not by itself produce better insight.

This burden falls on security leaders. CISOs already juggle audits, incidents, and board demands; vendor problems add public scrutiny and legal exposure. Burnout grows when the job feels like a permanent crisis, and fatigue slows the quick decisions a breach demands.


Questionnaire Fatigue Gives Way To AI Assessments

Static assessments now have a credibility problem. Seventy-one percent say traditional questionnaires are not enough; Panorays says they produce fatigue rather than clarity, and a questionnaire is often out of date the moment it is signed.

CISOs are turning to automation instead. Panorays reports that use of AI-driven assessment tools for third-party risk management jumped from 27% to 66% in a year, a shift that reflects the need for continuous, scalable visibility rather than point-in-time snapshots.

What This Means For Cyber Insurance And Security Buyers

Supply chain attackers go after shared vendors because a single compromise reaches many downstream customers. The survey gives underwriters data to work with and points insured companies at control gaps they can close.

Security teams should take several steps: run tabletop exercises that test third-party crisis response plans; maintain a current map of critical vendors, including their fourth-party dependencies; require formal approval for any third-party AI tool or integration before it touches company data; replace static questionnaires with continuous monitoring signals where possible; and connect GRC records to active monitoring and response workflows. These actions improve visibility, can lower claim severity, and give underwriters a clearer picture at renewal.

