Recommends TPRM solutions that “analyze internal security controls [and] provide more quantifiable insights”

It’s official. We’re in a Third Party Risk Management (TPRM) crisis. The authoritative 2025 Verizon DBIR (Data Breach Investigations Report), just released, opens with the words “Third-party involvement in breaches was an ever-present subject in incidents throughout this past year.”
According to the Verizon DBIR, breaches involving third parties have doubled since last year and now rank among the top attack vectors.
The DBIR continues:
“While software vendors have long played a part in unintentionally increasing the attack surface for those who use their products and services, over the last two to three years, it has moved from the occasional (and typically minor to moderate) mishap to a much more widespread and insidious problem.”
4 Tips from the Verizon DBIR for Third-Party Cyber Risk Management
For TPRM managers and analysts, the report suggests several actionable directions:
1. Automate to speed the vendor assessment process
The standard approach to TPRM is nearly unmanageable, requiring an analyst to chase down inconsistent reporting and documentation from different sources through email communication, then try to assess questionnaires and other reporting manually. Automation and AI now make it possible to quickly execute on all the information-gathering steps for vendor risk management. AI agents, for instance, can fill in the bulk of a questionnaire based on publicly available information.

Questionnaire scan by SAFE TPRM
2. Go beyond questionnaires for a true risk-based, quantitative view of the third party’s risk posture
The common tool in third-party risk management has been a questionnaire that the vendor answers detailing compliance with standard cybersecurity controls frameworks. But compliance is an indirect and incomplete measure of risk exposure. “Of course, risk questionnaires are a part of evaluating those vendors,” the DBIR says, “but a growing number of solutions in Third-Party Cyber Risk Management, especially ones that analyze internal security controls, should provide more quantifiable insights.”
3. Have a systematic “security outcome” component as part of the vendor selection process
Assessing the security risk of a third-party partner has often been left to incomplete and inexact methods, such as rating systems based on proprietary, black-box algorithms. A thorough “security outcome” should be generated through a recognized standard for risk quantification such as FAIR.
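To make the “security outcome” concrete, here is an added example (not code from the original post, SAFE, or the FAIR Institute) that walks one vendor scenario through the FAIR decomposition Risk = Loss Event Frequency × Loss Magnitude, with Loss Event Frequency = Threat Event Frequency × Vulnerability, and produces an annualized loss exposure with a Monte Carlo simulation. All numbers are constructed placeholders, the triangular distributions are a simplification of the PERT ranges FAIR practitioners usually use, and the two vendor names are hypothetical; the point is that the output is a dollar-denominated, comparable figure rather than a compliance score.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Triangular:
    """Calibrated estimate as a (low, most likely, high) range."""
    low: float
    mode: float
    high: float

    def mean(self) -> float:
        return (self.low + self.mode + self.high) / 3

    def sample(self, rng: random.Random) -> float:
        # random.triangular takes (low, high, mode) in that order
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class FairScenario:
    """One third-party loss scenario expressed in FAIR terms."""
    vendor: str
    tef: Triangular    # Threat Event Frequency: attempts per year
    vuln: Triangular   # Vulnerability: P(threat event becomes a loss event)
    loss: Triangular   # Loss Magnitude: cost per loss event, in dollars

    def mean_lef(self) -> float:
        # Loss Event Frequency = TEF x Vulnerability (independent estimates)
        return self.tef.mean() * self.vuln.mean()

    def expected_annual_loss(self) -> float:
        # Analytic point estimate: E[LEF] x E[Loss Magnitude]
        return self.mean_lef() * self.loss.mean()


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's sampler; adequate for the small rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario: FairScenario, trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo annualized loss exposure for one scenario.

    Each trial draws a loss event rate, draws how many loss events occur
    that year, and sums an independent loss magnitude for each event.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(trials):
        lef = scenario.tef.sample(rng) * scenario.vuln.sample(rng)
        events = poisson(rng, lef)
        annual.append(sum(scenario.loss.sample(rng) for _ in range(events)))
    annual.sort()
    return {
        "vendor": scenario.vendor,
        "mean": statistics.fmean(annual),
        "p50": annual[len(annual) // 2],
        "p90": annual[int(0.9 * len(annual))],
        "p_any_loss": sum(1 for x in annual if x > 0) / trials,
    }


def rank_vendors(scenarios: list, **kw) -> list:
    """Order vendors by simulated mean annual loss, highest exposure first."""
    results = [simulate(s, **kw) for s in scenarios]
    return sorted(results, key=lambda r: r["mean"], reverse=True)


# Constructed, hypothetical inputs: two SaaS vendors with the same
# questionnaire answers but very different exposure once quantified.
PAYROLL_VENDOR = FairScenario(
    vendor="payroll-saas (hypothetical)",
    tef=Triangular(2, 6, 20),
    vuln=Triangular(0.02, 0.05, 0.15),
    loss=Triangular(50_000, 300_000, 2_000_000),
)
NEWSLETTER_VENDOR = FairScenario(
    vendor="newsletter-saas (hypothetical)",
    tef=Triangular(1, 3, 8),
    vuln=Triangular(0.01, 0.02, 0.06),
    loss=Triangular(10_000, 50_000, 200_000),
)

if __name__ == "__main__":
    for r in rank_vendors([NEWSLETTER_VENDOR, PAYROLL_VENDOR]):
        print(f"{r['vendor']:<32} mean=${r['mean']:>12,.0f} "
              f"p90=${r['p90']:>12,.0f} P(loss)={r['p_any_loss']:.2f}")
```

The analytic `expected_annual_loss` is the quick sanity check on the simulation; the simulated p90 and probability of any loss are what a risk committee can actually compare against appetite, and what a questionnaire score cannot express.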
4. Consolidate vendor assessment on a single platform
The vendor assessment process can now live on a single platform, with multiple processes run autonomously in the background by AI agents. A consolidated view helps the third-party risk analyst efficiently manage onboarding but also helps a counterpart on the vendor side, who is typically buried under piles of questionnaires and other information demands. As the DBIR says, “It is only through collaborating with transparency and increased information sharing that organizations can build good structured frameworks for threat modeling, and as a result, make better and more sustainable decisions.”
A TPRM platform is also an effective tool for communicating to business leaders about third-party risk in relation to enterprise risk. The DBIR says the “proliferation” of SaaS providers “brings the Venn diagram overlap of cybersecurity risk and operational risk uncomfortably close to a single circle.” Recent third-party breaches like the UnitedHealthcare case “caused substantial downtime,” the report notes.
Learn about the SAFE solution for third-party cyber risk management
We offer a Third Party Risk Management solution that shifts TPRM from a compliance-checkbox exercise to a risk-based, strategic business enabler.
SAFE TPRM:
- Automates every step in the third-party risk management lifecycle for a coherent end-to-end approach that eliminates delays and can be scaled without adding headcount.
- Stays continuously risk-aware through an AI-driven, zero-touch approach. A live dashboard gives a real-time view of third-party risk across your ecosystem.
- Provides a single platform for questionnaires, contracts and other essential data, minimizing redundant assessments and clarifying what needs fixing at the vendor to improve risk posture.