Third-Party Risk Management Governance Trends in 2025

September 17, 2025

This blog is the first part in a three-part series on third-party risk management (TPRM).

Third-Party Cyber Risk Management Governance

With third-party-related cybersecurity breaches impacting organizations both large and small, a robust third-party risk management program has become paramount. Organizations across sectors rely increasingly on third-party vendors for critical services and solutions, and cybercriminals are exploiting vulnerabilities in these extended networks. The result is significant data breach and operational risk that organizations must navigate.

Drawing from industry analysis and insights from security assessments done by Optiv’s TPRM team in 2025, we have identified the following trends in TPRM:

Key Trends in Third-Party Risk Management Governance

Growing Demand for Risk-Based and Automated Third-Party Vendor Assessments

  • Automated tools for real-time assessments of third-party vulnerabilities are gaining traction
  • 73% of organizations have implemented continuous monitoring solutions to track the security performance of vendors throughout the contract lifecycle, and are using security posture insights to prioritize assessments

Compliance and Regulatory Pressures Drive Adoption of Risk Management Frameworks

  • Regulatory requirements from the Digital Operational Resilience Act (DORA) and the Network and Information Systems Directive 2 (NIS2) are driving multi-national organizations to enhance their risk management frameworks
  • 62% of organizations report the need to demonstrate their TPRM capabilities to meet regulatory compliance

Third-Party Data Breaches Push Companies Toward More Stringent Contractual Agreements

  • Organizations have re-evaluated and updated their contractual agreements to include stricter cybersecurity clauses and breach notification requirements to protect their operations

Increasing Adoption of Cybersecurity Certification Requirements for Vendors

  • Vendors are increasingly required to provide audit attestations like Service Organization Control 2 (SOC 2) and certifications like International Organization for Standardization (ISO) 27001 as a prerequisite for business engagements
  • 67% of organizations now require vendors to show evidence of their cybersecurity readiness through certifications

Emphasis on Incident Response Plans and Business Continuity Plans for Vendors

  • Response times and vendor breach notifications have been established as part of service-level agreements (SLAs) with third parties
  • 85% of organizations have integrated vendor-specific incident response protocols into their broader cybersecurity incident response plans

Notable Findings from Vendor Risk Assessments

From the 1000+ vendor risk assessments that Optiv’s TPRM team conducts every year, the findings below recur frequently and result in weak or immature TPRM programs.

[Figure: vendor risk assessments diagram]

While organizations increasingly rely on vendors to drive efficiency and innovation, many lack consistent controls to safeguard against cyber, operational and compliance risks. Our assessments show uneven maturity in vendor monitoring, with gaps in program management, program leadership and incident response preparedness.

How Can Optiv Help?

Optiv’s TPRM offering is enabled by an industry-tested framework that includes leading practices adopted by organizations across various industries. These codified practices support organizations in building robust TPRM programs, including governance components such as standard operating procedures, contract reviews, and roles and responsibilities for each participant in the TPRM program. Managing suppliers requires a well-orchestrated program that includes interactions with procurement, legal, IT and the information security team. Our repository of TPRM program templates and tailored questionnaires enables teams to get an accelerated start on their TPRM maturity journey.

Reach out to our risk management experts to learn more.

Director, Cyber Strategy & Transformation | Optiv
Pradeep Sekar, Senior Director at Optiv, is a seasoned cybersecurity professional who has worked closely with and guided Fortune 100 and Fortune 500 Chief Information Security Officers (CISOs), Chief Information Officers (CIOs) and their teams across various industries to develop and sustain secure, adaptive and robust cybersecurity programs.

Associate Consultant, Cyber Strategy and Risk Management
Bhargav Chopra is a cyber strategy and risk consultant with experience in supporting organizations in technology, healthcare and finance. He specializes in third-party risk management, vendor risk oversight and compliance readiness, aligning with industry standards and regulatory frameworks.

Consultant, Cyber Strategy and Risk Management
Rucha Revdekar is a cybersecurity professional with 3+ years of experience in vendor management and third-party risk practices. Her expertise lies in evaluating vendor security posture and preparing actionable roadmaps that support smarter decision-making, enabling organizations to manage third-party relationships with greater confidence and trust.

Associate Consultant, Cyber Strategy and Risk Management
Bharath Menon is a cybersecurity risk consultant with expertise in cyber strategy and third-party risk management, assisting organizations in improving their overall cybersecurity program.