BlueVoyant Report: 97% of Firms Hit by Supplier Breach in Past Year, Up from 81%

Executive Summary

A 2025 report from cybersecurity firm BlueVoyant indicates a critical disconnect in enterprise security: while organizations are investing more in Third-Party Risk Management (TPRM), the frequency of supply chain breaches is increasing dramatically. The study found that 97% of organizations suffered a security breach originating from their supply chain in the last 12 months, up from 81% in 2024. This suggests that current TPRM strategies, while more mature on paper, are failing to produce actionable risk reduction, often due to tool fragmentation and internal organizational friction.

Report Details

The "Supply Chain Defense Report" from BlueVoyant surveyed organizations globally and found several key trends:

• Breaches are Increasing: The percentage of firms experiencing a supply chain breach rose from 81% in 2024 to 97% in 2025.
• TPRM Maturity vs. Efficacy: While 46% of organizations describe their TPRM programs as "established and optimized," this maturity is not translating into fewer breaches.
• Manufacturing Sector at High Risk: The manufacturing industry, with its vast and complex supply chains, is the most affected, averaging 3.8 supply chain breaches per organization annually.
• North America Hit Hard: In North America, 99% of organizations were negatively impacted by a supply chain breach, with an average of 3.9 incidents per firm.

Key Challenges Identified

The report highlights two primary reasons why maturing TPRM programs are failing:

1. Lack of Actionable Insights: Many organizations use a variety of disparate tools for monitoring, but they lack the integration needed to correlate data and generate a clear, actionable picture of third-party risk.
2. Internal Silos: A significant barrier to effective TPRM is organizational friction. 60% of respondents cited resistance or misalignment between key departments—such as procurement, legal, IT, and security—as a major obstacle. These silos prevent the holistic approach needed to manage supply chain risk effectively.

Impact Assessment

The findings of this report suggest that many organizations have a false sense of security regarding their supply chain. The rising number of breaches indicates that current investments are not yielding the desired results, leading to wasted resources and continued high risk. For sectors like manufacturing, frequent disruptions from supplier breaches can lead to production halts, financial losses, and reputational damage. The report serves as a crucial warning that TPRM is not just a compliance checkbox but requires deep integration into business processes and a collaborative organizational culture to be effective.

Lessons Learned

1. Tool Sprawl is Ineffective: Simply buying more monitoring tools without a strategy for integration and data correlation does not reduce risk.
2. TPRM is a Team Sport: Supply chain risk cannot be managed by the security team alone. It requires active collaboration and shared ownership with procurement, legal, and business units.
3. Continuous Monitoring is Key: Point-in-time assessments and questionnaires are insufficient. Effective TPRM requires continuous monitoring of the supply chain's security posture.

Mitigation Recommendations

Based on the report's findings, organizations should:

1. Consolidate and Integrate TPRM Tools: Adopt a platform-based approach to TPRM that can ingest data from multiple sources (e.g., security ratings, vulnerability scans, threat intelligence) and provide a single, correlated view of risk.
2. Establish a Cross-Functional TPRM Committee: Create a formal governance body with representatives from security, IT, legal, and procurement to ensure alignment and shared responsibility for managing supply chain risk.
3. Focus on Actionability: Shift the focus of TPRM from simple monitoring and reporting to driving concrete risk reduction actions, such as working with suppliers to remediate critical vulnerabilities or enforcing security clauses in contracts.
4. Automate Where Possible: Use automation to continuously monitor suppliers and trigger alerts or workflows when a supplier's risk posture changes significantly.