120+ Third-Party Risk Management Statistics

25 min read | Last Updated: 16 Dec, 2025
The average organization shares confidential data with nearly 300 third-party vendors. Yet 97% of these organizations experienced at least one supply chain breach in 2025, a staggering 20% increase from 2024. As digital transformation accelerates and vendor ecosystems expand exponentially, third-party risk management (TPRM) has evolved from a compliance checkbox to a strategic imperative that can make or break an organization's resilience.
This comprehensive guide compiles 120+ critical TPRM statistics for 2025, revealing the current state of vendor risk management, emerging threats, and the growing role of AI in transforming how organizations protect themselves against third-party vulnerabilities.
Market Growth and Financial Impact
The TPRM market is experiencing explosive growth as organizations recognize that vendor security is crucial. Understanding the financial landscape helps justify TPRM investments and demonstrates the massive business case for robust vendor risk management programs.
- The global third-party risk management market was valued at $8.3 billion in 2024 and is projected to reach $18.7 billion by 2030, growing at a CAGR of 14.5%. (GlobeNewswire)
- Another analysis values the TPRM market at USD 7.92 billion in 2024, expected to reach USD 30.82 billion by 2032, with an 18.50% CAGR. (Research Nester)
- The global vendor risk management market size is valued at $8.3 billion in 2026 and is projected to grow to $22.77 billion by 2035 at an 11.6% CAGR. (Market Growth Reports)
- The U.S. TPRM market alone was valued at $3.1 billion in 2024. (GlobeNewswire)
- China's TPRM market is forecasted to grow at an impressive 18.0% CAGR to reach $1.3 billion by 2030. (GlobeNewswire)
- North America is projected to collect $39.4 billion revenue share by 2035, attributed to increasing cybersecurity threats and digital tool adoption. (Research Nester)
- Software supply chain attacks are predicted to cost businesses $60 billion in 2025, up from $46 billion in 2023, with costs reaching $138 billion by 2031. (Cybersecurity Ventures)
- In healthcare alone, organizations lose an estimated $8 billion annually to IT technologies that cause inefficiencies, delayed care, data breaches, and related issues. (Modern Healthcare)
- Organizations can lose up to 90% of the expected value of a sourcing relationship if they mismanage the vendor. (Gartner)
Third-Party Data Breaches and Cyber Incidents
Third-party breaches have become the Achilles' heel of modern cybersecurity. Even organizations with robust internal security can fall victim when vendors lack adequate protections. These statistics reveal the scope and severity of the third-party breach epidemic.
- 96% of organizations believe there is ROI for third-party risk management activities. (Venminder)
- 97% of organizations experienced at least one supply chain breach in 2025, up dramatically from 81% in 2024. (BlueVoyant)
- 98% of organizations have a relationship with a third party that has experienced a breach. (SecurityScorecard)
- 70% of companies have experienced a data breach in the last three years, with 77% of those breaches originating with a third party. (Whistic)
- 30% of all breaches now involve a third-party or supply chain compromise, doubling from 15% in 2024. (Verizon DBIR 2025)
- At least 29% of breaches have third-party attack vectors. (SecurityScorecard)
- Third-party breaches rose 49% year over year, increasing threefold since 2021. (Prevalent)
- 75% of third-party breaches targeted the software and technology supply chain. (SecurityScorecard)
- 64% of all third-party breaches occurred in North America. (SecurityScorecard)
- 60% of healthcare data breaches in 2023 were caused by third-party vendors, costing organizations an average of $10 million per incident. (Perimeter)
- By 2024, the healthcare sector accounted for 28% of all third-party breaches across industries. (Perimeter)
- 54% of data breaches in 2024 were linked to third-party vendors, spurring demand for automated risk platforms. (Market Growth Reports)
- 73% of organizations have experienced at least one significant disruption caused by a third party within the past 3 years. (KPMG)
- 74% of attacks originated from members of the software supply chain that companies were unaware of or did not monitor before the breach. (BlackBerry)
- 75% of software supply chains have experienced cyberattacks in the last 12 months according to 2024 data. (BlackBerry)
- Software supply chain attacks doubled again in 2024, indicating the industry remains defenseless against growing risks. (Sonatype)
- The number of supply chain attacks increased from an average of 13 per month (Feb-Sept 2024) to 16 per month (Oct 2024-May 2025), a 25% increase. (Cyble)
- 79 supply chain attacks in the first half of 2025 alone affected 690 organizations and 78.3 million individuals, demonstrating the cascading impact of vendor compromises. (ITRC Annual Data Breach Report)
- In 2024, approximately 183,000 customers were affected by supply chain cyberattacks worldwide. (Statista)
- Only 34% of respondents have confidence that a primary third party would notify them of a data breach. (RiskRecon and Ponemon Institute)
Financial Cost of Third-Party Breaches
When a vendor is compromised, the financial fallout extends far beyond the initial incident. These statistics quantify the devastating economic impact of third-party breaches and why prevention is infinitely more cost-effective than remediation.
- The global average cost of a data breach was $4.44 million in 2025, down 9% from the record high of $4.88 million in 2024. (IBM)
- In the United States, the average breach cost reached $10.22 million per incident in 2025. (Integrate.io)
- Third-party breach costs exceed internal incident costs by 40% due to multi-party investigation complexity. (Integrate.io Data Sharing Statistics)
- Third-party vendor and supply chain compromises cost $4.91 million on average, ranking as the second most expensive breach type after malicious insider threats. (IBM, 2025)
- Supply chain incidents cost 17 times more to remediate than first-party breaches according to SecurityScorecard data. (SecurityScorecard)
- Healthcare data breaches cost an average of $7.42 million in 2025, down from $9.77 million in 2024 but still the most expensive sector for the 14th consecutive year. (IBM)
- Financial services data breaches averaged $6.04 million in 2024. (GetTrusted)
- Ransomware attacks averaged $5.08 million in 2025, a 3% increase year-over-year. (IBM)
- Vendor-related incidents accounted for 32% of claims notices in 2023, but resulted in 0% of incurred losses. (Resilience)
- Business interruption caused by vendor outages accounted for 22% of total losses in Resilience's 2024 portfolio, though it dropped to 15% in H1 2025. (Resilience)
- The average ransomware claim in early 2025 was $1.18 million, up 17% from 2024. (Help Net Security)
- Data breaches exposed a record 145.5 million health records in 2024, costing organizations an average of $4.35 million. (Perimeter)
- In 2023, $1.3 billion in total ransom payments were made across the healthcare industry. (Commerce Healthcare)
- Average hospital and health system data breach costs per incident reached $11 million in 2023. (Commerce Healthcare)
- Small businesses face $3.31 million average breach costs in 2024. (Integrate.io)
- 60% of small businesses close within six months of a major breach. (Integrate.io)
Vendor Ecosystem Growth & Management Challenges
As organizations expand their digital footprints, vendor ecosystems grow at an alarming rate. Managing hundreds or thousands of vendors with limited resources creates a perfect storm for overlooked risks and compliance gaps.
- In 2025, the average company works with 286 vendors, up 21% year-over-year. (Whistic)
- 56% of companies have more than 100 vendors in 2025, a 6% increase since 2024. (Whistic)
- In 2024, 62% of global enterprises worked with more than 100 vendors, up from 48% in 2021. (Market Growth Reports)
- The number of TPRM programs managing at least 250 vendors doubled between 2020 and 2023. (RiskRecon)
- Those managing 1,000 or more vendors grew by 16% compared to last year's survey. (Venminder)
- The average vendor in 2025 responds to 37.3 assessment requests each month, up from 29.5 per month last year, spending 179 hours monthly—equivalent to one full-time employee. (Whistic)
- Vendor onboarding typically takes 10-15 business days, though risk-tiered workflows can reduce this to 24-72 hours. (PaymentWorks)
- Nearly 80% of companies face challenges when adopting new technologies from vendors. (Business Wire)
- 79% of enterprises note vendor cybersecurity as their top concern, particularly in regulated industries like healthcare, banking, and defense. (Market Growth Reports)
TPRM Program Staffing and Resource Challenges
Even as vendor portfolios balloon, TPRM teams remain critically understaffed. This resource crunch forces difficult trade-offs between comprehensive risk coverage and operational efficiency, leaving many organizations vulnerable.
- 73% of financial institutions have two or fewer full-time employees managing vendor risk, despite half overseeing 300+ vendors. (Ncontracts)
- Most organizations reported having just one or two employees dedicated to TPRM. (Venminder)
- 63% of respondents reported understaffing was the biggest obstacle to safeguarding their organizations from third-party breaches. The average respondent said they need to double their current staff. (Prevalent)
- 37% of respondents had between 1-4 people assessing third parties, but said they needed between 5-9 people. (Prevalent)
- Less than half (43%) of survey respondents say their TPRM program is adequately staffed. (RiskRecon)
- TPRM teams added an average of 3 full-time employees over 2024 at an average cost of $109,000 per FTE. In 2025, the cost has risen to $116,000 per FTE. (Whistic)
- 80% of companies plan on hiring more TPRM staff in 2025. (Whistic)
- 94% of companies aren't assessing all the vendors they'd like because they don't have the resources. (Whistic)
- 97% would do more in-depth assessments if they could. (Whistic)
- Companies are spending more time on the assessment process than last year, and more money on headcount, but accepting more risk and experiencing more third-party breaches. (Whistic)
- Healthcare organizations dedicate roughly 10.9% of their IT budgets to third-party risk management. (Perimeter)
- 70% of survey respondents say third-party risk management is a growing investment in terms of headcount and budget. (Moody's Analytics)
- 90% of organizations are increasing their TPRM budgets and investing in sophisticated tools, yet 97% still experienced supply chain breaches. (BlueVoyant)
TPRM Program Maturity and Adoption
The gap between TPRM program maturity and organizational needs continues to widen. While most companies recognize the importance of vendor risk management, implementation lags behind, and truly mature programs remain rare.
- Only one third of respondents indicated their third-party security programs were highly coordinated. (Prevalent)
- Only 38% strongly believe their risk monitoring program is meeting contractual and regulatory requirements. (Supply Wisdom)
- 90% of organizations are making investments to improve their TPRM program's effectiveness. (EY)
- 62% of financial services organizations are more likely to use a centralized TPRM program structure. (EY)
- 63% of organizations plan to enhance inherent risk assessments by integrating external data providers and automation in the next two to three years. (EY)
- Less than one-third of survey participants have run a TPRM program for longer than five years. (EY)
- Only 39% of respondents rate their company's third-party risk mitigation as highly effective. (RiskRecon and Ponemon Institute)
- 22% of organizations have fully defined and operational metrics to measure their TPRM programs. (Venminder)
- A third (33%) of organizations have already established and implemented TPRM programs, while 38% are committed to improving existing programs. (Venminder)
- 90% of organizations consider TPRM a growing priority, up from 63% in 2020. (RiskRecon)
- 52% of organizations use a hybrid TPRM operating model, up 41% from the previous year. (Ncontracts)
- 90% of organizations are moving toward centralized risk management. (EY)
Risk Assessment Practices and Challenges
The quality of risk assessments often determines whether organizations catch vulnerabilities before they become breaches. Yet many companies struggle with incomplete inventories, infrequent assessments, and overreliance on questionnaires that vendors may not answer honestly.
- Respondents reported assessing or monitoring only 33% of their vendors. (Prevalent)
- 86% of organizations have a defined set of criteria to identify their critical vendors. (Venminder)
- Only 36% of respondents say their company evaluates the security and privacy practices of all vendors before sharing sensitive information. (RiskRecon and Ponemon Institute)
- Nearly 50% of companies do not rank their vendors and third-party providers by risk level at all. (Supply Wisdom)
- 58% of respondents updated their inherent risk assessments within the last year, 25% within 1-2 years, 10% every three years or longer, and 7% didn't conduct any inherent risk assessments. (Venminder)
- Only 29% of companies remediate risks found during the vendor sourcing and selection stage. (Prevalent)
- 49% of organizations report their current method cannot assess risk at every stage of the vendor lifecycle. (Prevalent)
- 66% of respondents have formal processes to assess residual risk, while 34% don't have an established process or are uncertain about residual risk. (Venminder)
- Only 44% of respondents say their organizations conduct audits and assessments of third-party data handling practices. (RiskRecon and Ponemon Institute)
- Only 35% of respondents monitor third-party data handling practices with Nth parties. (RiskRecon and Ponemon Institute)
- 28% of organizations review and re-assess vendor risk on an annual basis. (Venminder)
- 52% of organizations review and re-assess vendor risk profiles and documentation depending on the risk. (Venminder)
- Only 48% of organizations have exit strategies or contingency plans for high-risk third parties. (EY)
Vendor Questionnaires and Assessments
Security questionnaires remain the most common risk assessment method, yet they're also one of the most problematic. Lengthy questionnaires, delayed responses, and unverified answers create a false sense of security while consuming massive resources.
- Security questionnaires are the most popular method of assessing third-party risk, with 84% of respondents using them. (RiskRecon)
- Up to 75% of vendors either do not answer security questionnaires or fail to do so in a timely manner. (Viso Trust)
- 35% of TPRM programs include at least 100 questions in their vendor questionnaires, up from 19% in 2020. (RiskRecon)
- 57% of TPRM programs use custom security questionnaires, versus just 18% that use an industry standard such as SIG. 42% use a modified industry standard. (RiskRecon)
- Only 4% of respondents are highly confident that vendors are actually meeting security requirements based on their questionnaire responses. (RiskRecon)
- 75% of companies are using a customized questionnaire for their assessments, down from 79% in 2024. (Whistic)
- 83% of companies now use some kind of exchange—a centralized repository for on-demand vendor security documentation—as part of their assessment process. (Whistic)
- 88% of companies leverage security risk ratings in their process. (Whistic)
- 74% of companies accept a previously completed standard (like SIG, ISO, or SOC 2) as part of their evaluation, up from 70% last year. (Whistic)
- 52% of companies say it takes 31-60 days to perform control assessments of third parties. 38% say 61-90 days, while just 8% can perform assessments within 7-30 days. (EY)
- 77% of organizations send between 101 and 350 questions on third-party control assessments. (EY)
- 37% of organizations are not currently monitoring AI usage among their third-party vendors, while 15% monitor usage through security questionnaires. (Venminder)
Ongoing Risk Monitoring and Visibility
Initial vendor assessments are just the beginning. Continuous monitoring is essential to catch deteriorating security postures, but many organizations lack the tools and processes to maintain real-time visibility into their vendor ecosystems.
- Only 32% of respondents say their organization maintains a comprehensive inventory of third parties with whom it shares sensitive information. 61% do not have such an inventory, and 6% are unsure. (RiskRecon and Ponemon Institute)
- Nearly 90% of companies track risks from the sourcing and selection phases, but fewer than 80% track SLAs and offboarding risks later in the relationship lifecycle. (Prevalent)
- 50% of survey respondents say their companies do not monitor the security and privacy practices of vendors, or they are unsure. The primary reason for not monitoring is confidence in the third party's ability to secure information (49%). (RiskRecon and Ponemon Institute)
- Of the 50% who do monitor, 53% do so via random tests or spot checks. (RiskRecon and Ponemon Institute)
- Only 40% of respondents say their organizations regularly report to the board about the state of their TPRM programs and the risks facing them. (RiskRecon and Ponemon Institute)
Fourth-Party and Nth-Party Risk
The vendor security challenge extends far beyond your direct relationships. Your vendors' vendors—fourth parties and beyond—create a cascading chain of risk that few organizations adequately monitor or control.
- 59% of organizations currently examine and assess their vendors' third-party risk management practices to manage fourth-party risk. (Venminder)
- Only 10% of organizations conduct direct risk assessments of fourth parties. 27% do not assess or monitor fourth parties at all. (Venminder)
- Only 36% of respondents say their organizations are notified when third parties share their information with Nth parties with whom they have no direct relationship. (RiskRecon and Ponemon Institute)
- Only 29% of respondents say their organizations have visibility into Nth parties that have access to sensitive information. Of this 29%, 56% rely on contractual agreements and 53% trust the third party to notify them. (RiskRecon and Ponemon Institute)
- Of organizations that experienced a third-party data breach, 38% say the breach was caused by an Nth party, indicating flaws in third-party security controls for downstream vendors. (RiskRecon and Ponemon Institute)
AI in TPRM and Vendor Management
Artificial intelligence promises to revolutionize how organizations manage vendor risk, from automating questionnaire responses to predicting emerging threats. However, AI adoption in TPRM remains in its early stages, and new risks around vendor AI usage are emerging.
- While only 5% of companies are currently leveraging AI for their TPRM programs, 61% of organizations say they are actively investigating its uses for TPRM. (Prevalent)
- 54% of organizations say their top goal in investigating AI for TPRM is to speed up questionnaire completion by automatically completing responses using existing questionnaires and available evidence. (Prevalent)
- Over 50% of respondents not currently using AI in risk monitoring acknowledge the need to monitor for AI-related risks, indicating growing awareness of technology's impact on risk management. (Supply Wisdom)
- 39% of organizations plan to integrate automation into their ESG function to better manage risks over the next two years. (EY)
- More than half of the organizations (54%) report that they include ESG in risk inventory reporting. (EY)
- 45% of TPRM leaders stated that continued investment in technology, automation, and data for TPRM is important. (Deloitte)
- Although most organizations report having TPRM programs in place, 60% of respondents are not using a dedicated TPRM platform. (Prevalent)
Key Takeaways
The data paints a clear picture: third-party risk management has reached an inflection point. With 97% of organizations experiencing supply chain breaches and vendor ecosystems growing 21% year-over-year, the traditional approaches to TPRM are failing.
The most successful organizations in 2025 will:
- Invest in dedicated TPRM platforms to replace manual, spreadsheet-based processes
- Implement continuous monitoring instead of relying solely on periodic assessments
- Extend visibility beyond direct vendors to fourth and Nth parties
- Leverage AI and automation to manage growing vendor portfolios with limited staff
- Move from reactive questionnaires to proactive risk intelligence
- Integrate TPRM into enterprise risk management with board-level visibility
As the statistics demonstrate, the gap between leading and lagging TPRM programs is widening. Organizations that modernize their approach will be better positioned to prevent breaches, maintain compliance, and build resilient vendor ecosystems. Those that don't risk becoming the next cautionary tale in next year's breach statistics.
The question is no longer whether to invest in TPRM, but how quickly you can transform your program to meet the demands of an increasingly complex and threat-filled vendor landscape.