Alarming Increase in Supply Chain Gaps

According to BlueVoyant’s State of Supply Chain Defense: Annual Global Insights Report 2025, an overwhelming majority of organizations (97%) have been negatively impacted by a supply chain breach. This is a significant increase from the 81% recorded in 2024 and points to the growing vulnerability of companies to third-party risks.

Increasing Maturity in Third Party Risk Management (TPRM)

Despite the worrying outlook, the report highlights that organizations are intensifying their efforts to prevent, mitigate and resolve supply chain incidents more effectively.

  • Active Collaboration: Almost half of respondents (45%) collaborate with third parties to remedy problems. Of those, 23% work directly with third parties, while 22% provide support so they can find a solution on their own.
  • Mature Programs: 46% of organizations report having a mature third-party risk management (TPRM) program in place.
  • Cybersecurity Integration: Supply chain risk is increasingly recognized as a cybersecurity imperative. 36% of TPRM programs are now housed within cybersecurity/information security or information technology teams, an upward trend from previous years.

Main Challenges: Lack of Internal Support and Focus on Compliance

Despite the reported maturity, the BlueVoyant report reveals that the effectiveness of TPRM programs is hampered by significant challenges:

  • Lack of Internal Support: 60% of those surveyed consider lack of internal support the main obstacle.
  • Disconnection with Senior Management: Communication between security managers and the senior leadership team is limited. Only 24% of organizations report to senior management on security issues monthly or more frequently; the majority (59%) do so every three to six months.
  • Focus on Compliance over Risk Reduction: The report suggests that some organizations build TPRM programs based on “compliance checkboxes,” rather than focusing on actual risk reduction. Only 16% of respondents listed risk reduction as the top program driver, while contractual obligations, cyber insurance requirements, and board mandates are top priorities.
  • Lack of Business Integration: Often, TPRM programs (even mature ones) are not integrated into broader business risk frameworks, especially in sectors such as financial services, manufacturing, defense and retail.
  • Rapid Vendor Expansion: More than 96% of organizations plan to expand their third-party ecosystems. However, the report warns that they are adding suppliers faster than they are increasing visibility, validation or remediation capacity.

Conclusions

The State of Supply Chain Defense 2025 report highlights a paradox: while supply chain breaches are nearly universal and organizations recognize the threat, the effectiveness of their risk management programs is undermined by a lack of senior management support and a mindset focused on regulatory compliance rather than proactive risk reduction. The continued expansion of third-party ecosystems without proper validation capabilities represents a growing risk.

References

  • Report: State of Supply Chain Defense: Annual Global Insights Report 2025
  • Source: BlueVoyant
  • Study Methodology: Survey of 1,800 IT and cybersecurity leaders in organizations with more than 1,000 employees, conducted in September 2025 in 11 countries.