An overwhelming majority of organizations (97%) have been negatively impacted by a supply chain breach, according to a new survey by BlueVoyant.
This is a significant increase from 2024, when 81% of respondents to the same annual survey from the third-party risk management (TPRM) provider said they suffered from such an incident.
Third-Party Risk Management Programs Grow in Maturity
Despite this concerning situation, the State of Supply Chain Defense: Annual Global Insights Report 2025, published on November 20, revealed that many organizations are accelerating their efforts to prevent, mitigate and resolve supply chain incidents more effectively.
For instance, almost half of respondents (45%) are collaborating with third parties to remediate issues, either working directly with them (23%) or by providing support for them to find a solution on their side (22%).
The report showed that organizations understand the criticality of TPRM programs, with nearly half of organizations (46%) claiming they have a mature program in place.
Additionally, organizations increasingly recognize supply chain risk as a cybersecurity imperative, with 36% of programs now housed within either cyber/information security or information technology teams – an upward share compared to previous years.
Main Challenges: Lack of Buy-In and Compliance-Only Approaches
However, maturity does not necessarily guarantee effectiveness. The BlueVoyant report revealed TPRM program managers face many challenges, starting with a lack of internal support, which is considered a top hindrance by 60% of respondents.
The relationship between security managers and the senior leadership team on security matters is also somewhat distant, with only 24% of organizations briefing senior leadership on security matters monthly or more often. The majority (59%) only hold these briefings every three to six months.
Also, the report suggested that some organizations are building TPRM programs based on compliance check boxes, rather than truly reducing risk, with only 16% of respondents listing risk reduction as the primary program driver, while cyber insurance requirements, contractual obligations and board mandates came out on top.
Another pain point highlighted in the report is the lack of integration of TPRM programs – even mature ones – into broader enterprise risk frameworks, particularly in sectors like financial services, manufacturing, defense and retail.
Finally, while over 96% of organizations plan to expand their third-party ecosystems, the report emphasizes that many are adding vendors faster than they’re adding visibility, validation or remediation capacity.
BlueVoyant’s State of Supply Chain Defense: Annual Global Insights Report 2025 is the company’s sixth annual survey. It was conducted by Opinion Matters with 1800 IT and cybersecurity leaders in organizations with over 1000 employees across a range of industries, including financial services, healthcare and pharmaceutical, utilities and energy, retail, manufacturing and defense.
The survey process occurred in September 2025 across Australia, Austria, Canada, Germany, Japan, Malaysia, the Philippines, Singapore, Switzerland, the UK and the US.
