TPRM | 9 April 2026 | 14 min read

You Are Not Regulated. You Are Still Exposed: Why Every Company Needs Vendor Risk Management

By ArvexLab Team — Compliance Research

The Assumption That Will Cost You

There is a persistent belief in the mid-market that vendor risk management is a compliance obligation — something you do because a regulator tells you to. NIS2 entities do it. DORA-regulated financial institutions do it. SOC 2-audited SaaS companies do it.

If you are not in one of those categories, you might assume you are off the hook.

You are not. The risk does not check your regulatory status before arriving.

The Verizon 2025 Data Breach Investigations Report found that 30% of all breaches now involve a third party — doubled from 15% the year before. That is the fastest-growing attack vector in cybersecurity, and it does not discriminate between regulated banks and unregulated startups.

This article is for the CTO, CISO, or operations lead at a company that has no regulatory obligation to manage vendor risk — but has 50, 100, or 300 vendors whose security posture directly affects their business.

The Numbers That Should Change Your Mind

Let us start with the data. These are not projections — they are 2024-2025 actuals from Verizon, IBM, Gartner, SecurityScorecard, and BlueVoyant.

| Metric | Number | Source |
|---|---|---|
| Breaches involving third parties | 30% of all incidents | Verizon DBIR 2025 |
| Organisations with at least one supply chain breach in 2025 | 97% | BlueVoyant |
| Organisations with relationships to breached vendors | 98% | SecurityScorecard |
| Average cost of a third-party breach | $4.91 million | IBM/Ponemon 2025 |
| Cost premium vs. internal breaches | +40% | Gartner |
| SMB breaches containing ransomware | 88% | Verizon DBIR 2025 |
| Organisations effectively managing third-party risk | 16% | Gartner 2025 |
| Organisations not using dedicated TPRM software | 60% | Prevalent |
| Fourth-party breaches (your vendor's vendor) | 38% of third-party incidents | RiskRecon/Ponemon |

Read that last row again. 38% of third-party breaches are actually caused by a fourth party — not your direct vendor, but their subcontractor, their cloud provider, or their security tool. Your vendor's vendor is your risk, and you almost certainly do not know who they are.

The Concentration Risk You Cannot See

On 19 July 2024, a single faulty update from CrowdStrike crashed 8.5 million Windows systems worldwide. Delta Air Lines lost $500 million. Healthcare systems lost $1.94 billion. The total damage to Fortune 500 companies alone: $5.4 billion, with cyber insurance covering only 10-20% of losses.

CrowdStrike had approximately 24,000 customers, including nearly 60% of the Fortune 500. Most of the companies affected did not choose CrowdStrike — their vendors did. And when it went down, everyone went down.

This is concentration risk. It is invisible unless you map it.

If 80% of your vendors run on AWS, you have a single point of failure. If your payment processor, your CRM, and your email provider all use the same identity provider, a compromise there cascades to you through three different paths simultaneously.

The question is not whether you will experience a vendor-related disruption. The question is whether you will see it coming.

What Your Spreadsheet Cannot Tell You

Most mid-market companies track vendors in a spreadsheet — a list of names, contract dates, maybe a risk rating column that was last updated six months ago. 50% of organisations still use spreadsheets for vendor assessment according to Venminder's 2025 survey.

A spreadsheet tells you who your vendors are. It does not tell you:

  • Which vendors share the same cloud infrastructure
  • Which vendors use the same compromised security tool
  • What happens to your operations if two vendors go down simultaneously
  • Whether your vendor's SOC 2 report actually covers the services you use
  • Which vendors have been breached since your last review

This is the difference between a vendor list and a vendor risk programme. The list gives you a false sense of visibility. The programme gives you the ability to act before a cascade reaches you.

Your Customers Are Regulated — Even If You Are Not

Here is the angle that catches most non-regulated companies off guard: your customers may be regulated, and their obligations flow downstream to you.

NIS2 Article 21(2)(d) requires regulated entities to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." In practice, this means NIS2-regulated hospitals, energy companies, and digital infrastructure providers will contractually require their vendors — including you — to demonstrate cybersecurity risk management.

This is already happening. Bitsight estimates that millions of organisations within and outside the EU will have to comply with NIS2 requirements as a supplier. EY confirms that NIS2 entities are now inserting cybersecurity clauses into vendor contracts that require documented risk management programmes.

If you sell to healthcare, energy, transport, financial services, or digital infrastructure in the EU, your customers will send you a vendor security questionnaire. One section will ask about your own vendor risk management programme. If you cannot answer it, you will fail the questionnaire and risk losing the contract.

The same dynamic applies to SOC 2. Over 60% of businesses are more likely to partner with a SOC 2-certified company. When your enterprise prospect asks "How do you manage your own vendor risk?" and the answer is "We have a spreadsheet," the deal is in jeopardy.

The Insurance Reality

Cyber insurers have noticed what the data is showing. In 2024, more than 40% of cyber insurance claims were denied — many involving vendor-related gaps where the policyholder could not demonstrate adequate third-party risk oversight.

Insurance applications now require documented evidence of vendor management: risk assessment records, current risk registers, framework scorecards. The days of self-reported security posture are over.

After the CrowdStrike outage, insurers tightened terms for systemic events. Policies increasingly exclude vendor breaches unless specific endorsements cover third-party systems and outages. Companies with documented TPRM programmes get lower premiums and better coverage terms.

The logic is simple: if your payroll provider, software vendor, or cloud host suffers a breach, insurers put the liability back on you unless you can prove you assessed and monitored the risk.

What Actually Needs to Change

If you have made it this far, the question is no longer "why" but "how." Here is what a practical vendor risk programme looks like for a non-regulated company — no compliance framework required.

1. Know Who Your Vendors Are (and Who Their Vendors Are)

Start with a complete inventory. Not just the vendors you pay — include free tools, open-source dependencies, and services your team signed up for without procurement approval. The average company now manages 286 vendors, up 21% year-over-year.

Then go one level deeper. For your critical vendors (the ones whose outage would stop your operations), identify their key dependencies. This is fourth-party mapping, and only 10% of organisations do it today.

2. Assess Risk Based on Impact, Not Just Probability

Traditional risk assessments ask "How likely is this vendor to be breached?" That is the wrong question. The right question is: "If this vendor goes down, what happens to us?"

A small vendor that processes your customer PII is higher risk than a large vendor that provides your office Wi-Fi — even if the large vendor has a worse security rating. Tier your vendors by business impact, not just by security score.

3. Collect Evidence, Not Just Answers

Security questionnaires are necessary but insufficient. 75% of vendors either do not answer questionnaires at all or answer them late. Only 4% of organisations are highly confident, based on questionnaire responses alone, that vendors actually meet security requirements.

Supplement questionnaires with evidence: SOC 2 reports, ISO 27001 certificates, penetration test summaries, security policies. Parse them for actual coverage rather than just checking the box that they exist.

4. Monitor Continuously, Not Annually

Annual vendor assessments cannot keep pace with a threat landscape that changes daily. The Trivy supply chain attack in March 2026 compromised 1,000+ enterprise environments in eight days. If your last vendor review was six months ago, the data is stale.

Set up continuous signals: certificate expiry alerts, contract renewal reminders, news monitoring for vendor breaches, and automated reassessment triggers based on risk tier.

5. Model the Cascades

The most dangerous risks are not the ones that affect a single vendor — they are the ones that cascade. When a shared dependency fails, multiple vendors go down simultaneously, and the combined impact exceeds what you planned for.

Run scenario exercises: "If AWS eu-west-1 goes down for 6 hours, which of our vendors are affected? Which of our services fail? What is our customer impact?" If you cannot answer these questions, you have a concentration risk you have not sized.
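To make steps 1 and 5 concrete, here is an added example (not from the original article and not ArvexLab's tooling) that maps a constructed vendor inventory to its fourth-party dependencies, ranks those dependencies by how many critical vendors ride on them, and sizes the cascade when one shared dependency fails. All vendor names, dependency names, tiers and service mappings are constructed for illustration.

```python
"""Fourth-party mapping and cascade sizing over a constructed vendor inventory."""
from collections import defaultdict

# Constructed inventory: vendor -> business-impact tier (step 2) and the
# fourth parties it depends on (step 1, one level deeper than the vendor).
VENDORS = {
    "PayFlow":  {"tier": "critical", "depends_on": {"aws-eu-west-1", "okta"}},
    "CRM-Co":   {"tier": "critical", "depends_on": {"aws-eu-west-1", "okta"}},
    "MailHub":  {"tier": "high",     "depends_on": {"gcp-europe-west1", "okta"}},
    "DocSign":  {"tier": "high",     "depends_on": {"aws-eu-west-1"}},
    "WifiCorp": {"tier": "low",      "depends_on": {"aws-eu-west-1"}},
}

# Constructed map: our own service -> vendors it cannot run without.
SERVICES = {
    "checkout":   {"PayFlow", "CRM-Co"},
    "onboarding": {"CRM-Co", "DocSign"},
    "newsletter": {"MailHub"},
    "office-net": {"WifiCorp"},
}


def affected_vendors(dependency):
    """Vendors that go down when the given fourth party goes down."""
    return {v for v, info in VENDORS.items() if dependency in info["depends_on"]}


def cascade(dependency):
    """Scenario exercise: which vendors and which of our services fail together."""
    down = affected_vendors(dependency)
    failed = {svc for svc, needs in SERVICES.items() if needs & down}
    return {"vendors_down": sorted(down), "services_down": sorted(failed)}


def concentration_report():
    """Rank fourth parties by critical vendors relying on them, then by total.

    Any dependency with two or more critical vendors is a single point of failure
    the spreadsheet would not have shown.
    """
    counts = defaultdict(lambda: {"critical": 0, "total": 0})
    for info in VENDORS.values():
        for dep in info["depends_on"]:
            counts[dep]["total"] += 1
            if info["tier"] == "critical":
                counts[dep]["critical"] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1]["critical"], -kv[1]["total"], kv[0]))
    return [(dep, c["critical"], c["total"], c["critical"] >= 2) for dep, c in ranked]


if __name__ == "__main__":
    for dep, crit, total, spof in concentration_report():
        print(f"{dep:18} critical={crit} total={total} {'SPOF' if spof else ''}")
    print(cascade("aws-eu-west-1"))
```

Running it prints the ranked concentration table and the "AWS eu-west-1 is down" scenario from the text, showing that a region failure takes out three of our four services through four different vendors.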

The Real Cost of Doing Nothing

Let us do the arithmetic. The average mid-market company has 100-300 vendors. The average cost of a third-party breach is $4.91 million. The probability of experiencing at least one supply chain incident in a given year is 97%.

A basic TPRM programme costs a fraction of that:

| Approach | Annual Cost | What You Get |
|---|---|---|
| Spreadsheet + annual questionnaires | ~$0 (staff time only) | A vendor list. No risk visibility. No cascade analysis. Stale data. |
| Dedicated TPRM platform | $5,000-$15,000/year | Automated assessment, document parsing, risk scoring, fourth-party mapping, continuous monitoring, evidence management |
| Full in-house TPRM team | $400,000-$500,000/year | Dedicated analysts, custom processes, comprehensive coverage — but expensive and hard to scale |

The gap between "spreadsheet" and "platform" is where most mid-market companies should land. The platform does not eliminate risk — no tool does. But it gives you the visibility to understand your exposure, the evidence to prove you are managing it, and the speed to respond when something breaks.

Key Takeaways

  • 30% of breaches now involve third parties — and this number doubled in a single year
  • 97% of organisations experienced a supply chain breach in 2025 — this is near-universal, not a regulated-industry problem
  • Fourth-party risk (your vendor's vendor) accounts for 38% of third-party incidents — and 90% of companies do not assess it
  • The CrowdStrike outage cost $5.4 billion because of concentration risk that was invisible to most affected companies
  • Your regulated customers will increasingly require you to demonstrate TPRM — NIS2 supply chain obligations flow downstream
  • Cyber insurers are denying 40%+ of claims involving vendor-related gaps
  • A dedicated TPRM platform costs less than 1% of the average third-party breach

Frequently Asked Questions

Q: We only have 30 vendors. Is TPRM overkill for us?

It is not about the number of vendors — it is about the impact of the critical ones. If one of your 30 vendors processes customer data, handles payments, or provides infrastructure that your product depends on, their breach is your breach. Start with your top 10 highest-impact vendors and work outward.

Q: Can we just use our existing GRC tool or spreadsheet?

A spreadsheet tracks vendors. It does not parse their SOC 2 reports, map fourth-party dependencies, calculate cascade risk, or alert you when a vendor is breached. If you have fewer than 20 vendors and simple relationships, a spreadsheet may suffice. Beyond that, the manual effort compounds faster than most teams can sustain — 94% of companies report they cannot assess all vendors they want to due to resource constraints.

Q: We are not subject to NIS2, DORA, or SOC 2. Why would we pay for TPRM tooling?

Three reasons. First, your customers may be regulated and will require you to demonstrate vendor risk management — this is already happening as NIS2 supply chain requirements cascade downstream. Second, cyber insurers increasingly require documented TPRM for coverage. Third, the breach cost ($4.91M average for third-party incidents) dwarfs the cost of any TPRM platform. You are not paying for compliance — you are paying for visibility into risk that exists regardless of your regulatory status.

Q: What is fourth-party risk and why should I care?

Fourth-party risk is the risk from your vendors' vendors — their cloud providers, security tools, subcontractors, and infrastructure dependencies. When CrowdStrike crashed in July 2024, most affected companies had no direct relationship with CrowdStrike — they were hit because their vendors used it. 38% of third-party breaches originate at the fourth-party level, yet 27% of organisations do not assess fourth parties at all. If you do not map these dependencies, you have blind spots in your risk posture that no amount of vendor questionnaires will reveal.
