Here’s a stat that should ruin your morning: The average organization experienced 12 third-party breaches last year. One per month. Not from their own systems—from the vendors, suppliers, and SaaS providers they trusted with access to sensitive data.
This comes from ProcessUnity’s State of Third-Party Risk Assessments 2026 report, surveying nearly 1,500 risk practitioners. But here’s where it gets interesting: 53% of those same organizations said they were confident their third-party risk programs were working.
Ninety percent got breached. Half thought they were fine.
That gap between perception and reality is where careers end and companies bleed money.
The Money Part
Let’s talk dollars, because that’s what finally gets executive attention.
Coalition’s 2025 Cyber Claims Report found that 52% of miscellaneous first-party losses came from vendor incidents. The average third-party breach runs about $42,000 to remediate. Sounds manageable until you realize that’s just the direct costs—before legal fees, forensic investigations, breach notifications, regulatory fines, and the customers who quietly take their business elsewhere.
When breaches originate from third-party systems, the full remediation bill averages $4.8 million. These incidents also take 26 days longer to detect than internal breaches. That’s almost a month of attackers roaming around before anyone notices.
Remember Change Healthcare? A phishing email triggered a ransomware attack that became the largest healthcare breach ever—190 million people affected. UnitedHealth spent over $2 billion responding. Hospitals couldn’t process claims. Patients couldn’t get prescriptions.
One vendor. One phishing email. Billions in damage.
Why Your Vendor Assessments Aren’t Working
The ProcessUnity data exposes an uncomfortable truth: Most organizations assess only 36% of their vendors. Two-thirds of your vendor relationships operate in a complete security blind spot.
Even when assessments happen, they take forever. Six out of ten organizations report that assessments take four months or longer. More than a quarter say each assessment burns 160+ hours of staff time.
Four months. In cybersecurity terms, that’s geological time. The threat landscape you assessed in January looks nothing like the one you’re facing in May.
And the tools? Nearly two-thirds of organizations still run their vendor risk programs on spreadsheets. Spreadsheets. In 2026.
It gets worse. On average, 27% of vendors never respond to assessment questionnaires at all. You send the security questionnaire. They ignore it. You onboard them anyway because the business needs the integration live by Q2.
Only 16% of organizations complete remediation before onboarding new vendors. The rest document the risks, shrug, and move forward.
The Email Problem Nobody Wants to Solve
While everyone obsesses over ransomware, the Coalition data reveals something most security teams don’t want to hear: Email is still the front door.
Business email compromise and funds transfer fraud account for 60% of all cyber insurance claims. Ransomware? Just 20%.
Email isn’t sexy. There’s no dramatic incident response war room. Just someone in accounting who clicked a link that looked like it came from a trusted vendor, and now $185,000 is sitting in an overseas account that doesn’t exist anymore.
The intersection of email compromise and third-party risk is particularly brutal. Attackers who compromise a vendor’s email system get to impersonate people your employees already trust. The phishing email comes from a real address at a real company you actually do business with.
Good luck training your way out of that.
The Consolidation Math
Here’s something the security vendor industrial complex doesn’t want you to think about: Every tool in your stack is also a risk.
You’ve got one vendor for secure email, another for file sharing, a third for managed file transfer, a fourth for web forms, and probably six more you’ve forgotten about. Each one has its own security model, its own access controls, its own vulnerabilities, and its own third-party dependencies.
When 52% of losses come from vendor incidents, the number of vendors you rely on directly correlates with your exposure. That includes your security vendors.
Organizations are starting to do the math. Unified platforms that consolidate sensitive data flows under one security architecture reduce complexity and attack surface simultaneously. Fewer vendors mean fewer access points, fewer assessment cycles, and fewer gaps between systems that don’t talk to each other.
What Does Work
The organizations getting this right share a few common traits:
They tier their vendors ruthlessly. Not every supplier needs the same scrutiny. Concentrate intensive due diligence on vendors touching sensitive data or critical operations. Everyone else gets lighter monitoring with automated red-flag detection.
They automate the grunt work. Spreadsheets can’t scale. Modern platforms can run continuous monitoring, track remediation, and flag emerging risks without burning hundreds of staff hours per assessment.
They look past their vendors to their vendors’ vendors. Fourth-party risk is real. Less than half of organizations assess it at all. The Snowflake breach showed how one compromised vendor can cascade across dozens of enterprises.
They treat email like critical infrastructure. Not a commodity. Not “good enough.” Enterprise-grade protection with encryption, threat detection, and audit trails that actually mean something when regulators come asking questions.
They consolidate aggressively. Every vendor relationship you can eliminate is one less attack surface to monitor, one less assessment to run, one less potential breach source.
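As an added illustration of the tiering and automated red-flag approach in the list above (example code written for this page, not from ProcessUnity, Coalition or the article's author), the snippet below classifies a constructed vendor inventory into tiers and flags the conditions the post calls out: never assessed, assessment older than four months, questionnaire ignored, unremediated findings, and fourth parties never reviewed. Vendor names, dates and the 120-day threshold are assumptions.

```python
# Added example, not from the article: tier vendors and run automated
# red-flag checks. The 120-day staleness limit mirrors the post's "four months".
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

STALE_DAYS = 120  # assumption: older than ~4 months counts as stale

@dataclass
class Vendor:
    name: str
    sensitive_data: bool            # handles PHI/PII/payment data
    critical_operation: bool        # an outage halts a core process
    last_assessed: Optional[date]   # None = never assessed
    questionnaire_returned: bool    # did they answer at all?
    open_findings: int              # unremediated findings from last review
    fourth_parties_reviewed: bool   # did we look at their vendors?

def tier(v: Vendor) -> int:
    """1 = intensive due diligence, 2 = standard, 3 = light monitoring."""
    return 3 - int(v.sensitive_data) - int(v.critical_operation)

def red_flags(v: Vendor, today: date) -> List[str]:
    """Automated checks that escalate; stricter for higher tiers."""
    flags, t = [], tier(v)
    if v.last_assessed is None:
        flags.append("never assessed")
    elif (today - v.last_assessed).days > STALE_DAYS:
        flags.append("assessment stale")
    if not v.questionnaire_returned:
        flags.append("questionnaire unanswered")
    if v.open_findings and t <= 2:
        flags.append(f"{v.open_findings} unremediated findings")
    if t == 1 and not v.fourth_parties_reviewed:
        flags.append("fourth parties not reviewed")
    return flags

def onboarding_allowed(v: Vendor, today: date) -> bool:
    """Tier 1/2 must be flag-free before go-live; tier 3 only needs a response."""
    flags = red_flags(v, today)
    return "questionnaire unanswered" not in flags if tier(v) == 3 else not flags

TODAY = date(2026, 6, 1)  # constructed "today"
INVENTORY = [  # constructed sample inventory
    Vendor("claims-clearinghouse", True, True, date(2026, 5, 1), True, 0, True),
    Vendor("file-transfer-saas", True, False, date(2025, 11, 15), True, 2, False),
    Vendor("web-forms-widget", False, False, None, False, 0, False),
]
```

Running `red_flags` and `onboarding_allowed` over `INVENTORY` is the automated gate the post describes: the tier-2 file-transfer vendor is blocked for a stale assessment and open findings, while the tier-3 widget is blocked only because it never answered.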
The Uncomfortable Bottom Line
Your vendors are getting hacked. Probably more often than you know. The question isn’t whether one of your third parties will have an incident—it’s whether you’ll find out in time to do anything about it.
The 53% who think their programs are working? They’re not lying. They just don’t have visibility into what’s actually happening.
That’s the real risk.