Third-Party Risk Management in IT Contracts

Your security posture now includes every vendor with access to your data or systems — and in 2025, 97% of organisations suffered a supply-chain breach. Third-party risk management is no longer a questionnaire exercise; it is a contractual discipline that decides whether a vendor's failure becomes your incident. This guide sets out the controls, the cadence, and the clauses that matter.

By Morten Andersen

The Scale of Third-Party Risk

Third-party risk management has become one of the defining security disciplines of the enterprise, because the numbers have turned decisively. In 2025, 97% of organisations experienced at least one supply-chain breach — a 20% increase on 2024 — and nearly 30% of all reported data breaches involved a third party, double the prior year. Verizon's 2025 DBIR put the third-party share of breaches at 30%, up from roughly 15% the year before. The cost is escalating in parallel: software supply-chain attacks are projected to cost businesses $60 billion in 2025, rising toward $138 billion by 2031, with supply-chain compromise averaging $4.91 million per incident.

The uncomfortable finding behind these figures is that spending alone is not solving it: 90% of organisations are increasing TPRM budgets, yet 97% were still breached. The gap is rarely a missing tool — it is weak vendor oversight, inadequate monitoring, and contract terms that never required the controls in the first place. That is why third-party risk belongs at the centre of the compliance and governance operating model, not in a security silo.

Tiering and Assessment Cadence

Not every vendor warrants the same scrutiny, and treating them identically wastes effort on low-risk suppliers while under-examining the dangerous ones. The foundation of an effective programme is tiering: classifying vendors by the data they access, the systems they touch, and the operational dependency they create. A Tier 1 vendor processing sensitive data on critical systems demands deep, recurring assessment; a low-risk tool with no data access needs far less.

Cadence follows tier. High-risk vendors, those processing sensitive data, and mission-critical services should be reassessed annually; medium-risk vendors every two years; and all vendors on an event basis — a security incident, a major product change, a new sub-processor, a new data type, or an acquisition. This structured approach links directly to vendor due diligence at onboarding and to the financial-controls overlay in SOX vendor management. The Microsoft vendor hub is a reminder that even the largest, most trusted vendors sit within this discipline — scale is not a substitute for assessment.


The Contract Controls That Matter

Third-party risk is ultimately enforced through the contract, and a programme that assesses vendors without contracting for controls is documentation without teeth. The agreement should require the vendor to maintain defined security controls and its own third-party risk programme; grant audit or assessment rights, or at minimum require current independent attestation such as a SOC 2 Type II; impose time-bound breach-notification obligations; and flow these requirements down to the vendor's own sub-contractors. Liability and indemnity terms should reflect the real exposure rather than a token cap, given a per-incident cost approaching $4.91 million.

A newer frontier is AI: 40% of organisations have now added contract language addressing third-party AI use, reflecting concern about how vendors deploy AI against customer data — the same issue that runs through the EU AI Act analysis. Building these controls into the contract is the difference between a vendor failure that is contained and one that becomes your reportable incident. The Vendor Audit Defence Handbook and CIO Contract Governance white paper set out the clause sets in full.

From Point-in-Time to Continuous

The decisive shift in mature programmes is from point-in-time assessment to continuous monitoring. A questionnaire answered at onboarding describes a vendor's posture on one day; a year later it may bear little relation to reality. Yet 54% of organisations are not confident in their ability to assess risk across the vendor lifecycle, and 41% still rely on spreadsheets — even as 64% have adopted a dedicated TPRM platform, up 19% year on year.

Continuous monitoring closes that gap by surfacing changes in a vendor's security ratings, breach disclosures, and control posture between formal assessments, so deterioration is caught early rather than at the next annual review. Combined with the tiering and contract controls above, it turns third-party risk from a compliance ritual into a live defence — and gives procurement the evidence base to make risk-informed decisions about which vendors to onboard, renew, or replace. To embed these controls into your highest-risk contracts, request a confidential briefing.

Where TPRM Sits, and Why It Keeps Failing

One structural finding helps explain why third-party risk keeps escalating despite rising investment: 64% of TPRM programmes now sit outside the security function, in finance, legal, or procurement. That placement has advantages — it puts risk decisions close to the contract and the commercial relationship — but it can also push programmes toward satisfying requirements rather than reducing exposure, treating assessment as a box to tick before signature rather than a control to operate throughout the relationship.

The deeper issue is that third-party risk, supply-chain risk, cyber risk, and compliance risk no longer live in separate silos; they converge into a single current that touches every part of the enterprise. A vendor breach is simultaneously a security incident, a compliance event, a contractual matter, and a financial loss. Programmes that treat these as separate workstreams — security assesses controls, legal drafts terms, procurement manages the relationship, and none of them shares a view — leave the gaps that attackers exploit. The organisations reducing exposure are those that integrate the four, so that the assessment, the contract, and the ongoing monitoring describe one coherent posture.

Practically, that means a single owner accountable for the third-party risk position, a shared record that legal, security, and procurement all draw on, and a programme measured by exposure reduced rather than assessments completed. With 46% of organisations describing their programmes as established and optimised even as breaches climb, the lesson is that maturity measured by process is not the same as maturity measured by outcome. The contract is where the two meet: an assessment that never becomes a binding obligation is documentation, and a binding obligation that is never monitored is a promise no one checks. Closing that loop — assess, contract, monitor, repeat — is what separates a programme that reduces risk from one that merely records it.

Common Questions: Third-Party Risk Management FAQ

How common are third-party breaches?
Very. In 2025, 97% of organisations experienced at least one supply-chain breach — a 20% rise on 2024 — and nearly 30% of all reported data breaches involved a third party, double the prior year. Verizon's 2025 DBIR put the third-party share at 30%, up from around 15%. Supply-chain attacks are projected to cost $60 billion in 2025, with individual incidents averaging $4.91 million, which is why third-party risk is now a board-level concern.
How often should we reassess our vendors?
By tier. High-risk vendors, those processing sensitive data, and mission-critical services should be reassessed annually; medium-risk vendors every two years; and all vendors on an event basis — a security incident, major product change, new sub-processor, new data type, or acquisition. Point-in-time assessment alone is insufficient, which is why mature programmes add continuous monitoring to catch changes between formal reviews.
What third-party risk controls belong in an IT contract?
Require the vendor to maintain defined security controls and its own TPRM programme; grant audit or assessment rights or require current independent attestation such as a SOC 2 Type II; impose time-bound breach-notification obligations; flow these requirements down to sub-contractors; and set liability and indemnity terms that reflect real exposure rather than a token cap. Increasingly, contracts also address how the vendor uses AI against customer data.
Why isn't more TPRM spending reducing breaches?
Because the gap is usually oversight and contract terms, not tooling. 90% of organisations are increasing TPRM budgets, yet 97% were still breached — most incidents trace to weak vendor oversight, inadequate monitoring, or contracts that never required the relevant controls. Spending on platforms helps only when paired with proper tiering, continuous monitoring, and enforceable contractual obligations that make the vendor responsible for its own security.

Make a Vendor's Failure Their Problem, Not Yours

With 97% of organisations breached through the supply chain, oversight without contract teeth is exposure. We embed the security, audit, and liability terms that contain a vendor failure.

