Supply chain cyber risks persist despite higher spending, global study shows

1 Feb 2026 • 12:07 AM MYT
The Manila Times

ORGANIZATIONS worldwide continue to face widespread supply chain cyber breaches despite rising budgets and more mature third-party risk management programs, according to a 2025 global study commissioned by cybersecurity firm BlueVoyant.

The State of Supply Chain Defense: Annual Global Insights Report 2025, conducted by independent research firm Opinion Matters, found that 97 percent of organizations were negatively impacted by at least one supply chain breach in the past year, a sharp increase from 81 percent in 2024. The findings point to a growing disconnect between investment, compliance-driven programs and actual risk reduction.

The study surveyed 1,800 chief information, security, operations, technology and procurement officers from companies with at least 1,000 employees across financial services, health care and pharmaceuticals, utilities and energy, retail, manufacturing and defense. Respondents came from the United States, Canada, Europe and the Asia-Pacific region, including the Philippines. Data was collected from Sept. 16 to 25, 2025.

“It’s no longer a question of ‘should we build this program?’ but now, ‘how do we do this effectively?’” the report said. “As organizations invest heavily in tools, teams and processes, the gap between program maturity and organizational commitment is widening.”

A key finding of the report is that many organizations remain focused on compliance rather than reducing real-world cyber risk. Only 16 percent of respondents identified risk reduction as the primary driver of their third-party risk management, or TPRM, programs. Most cited cyber insurance requirements, contractual obligations and board mandates as stronger motivators.

“Organizations are building TPRM programs to check a compliance box and not necessarily reduce risk,” the report said. “Compliance is step one, not necessarily the end goal.”

Despite widespread adoption of TPRM tools, nearly all respondents reported experiencing at least one third-party cyber incident. The report warned that compliance-focused approaches can create a false sense of security, noting that “with 97 percent of organizations experiencing at least one breach in their supply chains, checking the compliance box can lead to a false sense of security.”

The study also highlighted weak executive engagement as a persistent challenge. While 46 percent of organizations described their TPRM programs as established or optimized, only 24 percent said they brief senior leadership on third-party cyber risk on a monthly or more frequent basis. Most organizations provide updates every three to six months.

“Without this visibility, executives likely won’t throw their support behind a program they don’t understand or aren’t fully aware of,” the report said.

Internal barriers remain significant. Sixty percent of respondents cited internal resistance to change, lack of collaboration among stakeholders and insufficient executive support as the top obstacles to improving supply chain cyber resilience.

Financial investment, however, continues to rise. Ninety-five percent of respondents said spending on TPRM activities increased over the past year, consistent with previous survey results. Yet the report stressed that funding alone is insufficient without better integration.

“Investment without integration leads to fragmented programs,” the report said. “Deploying tools like sophisticated monitoring, continuous assessments and security ratings platforms is helpful, but if they operate in silos, they can’t provide actionable results.”

Industry results varied widely. The defense sector emerged as the most mature, with 60 percent of organizations reporting established or optimized programs. Defense organizations also showed stronger executive engagement and closer collaboration with vendors, though they still averaged 3.5 supply chain breaches, underscoring the sophistication of current threats.

By contrast, financial services organizations reported among the highest breach rates, while only 17 percent briefed senior leadership monthly or better. Many programs in the sector are housed within finance departments and driven by contract value rather than risk exposure, a structure the report suggested may limit effectiveness.

Results across the Asia-Pacific region were uneven. Singapore led globally in program maturity and executive involvement, while the Philippines recorded one of the lowest maturity rates at 23 percent, with all surveyed organizations reporting they were affected by breaches.

“Looking at results out of Singapore and the Philippines tells us that organizational culture and economic context are critical to success — not just technology,” the report said.

Despite the challenges, the study noted increased collaboration between organizations and their vendors. Forty-five percent of respondents said they now work directly with third parties to remediate identified security issues, a trend the report described as “a step in the right direction.”

Still, the report concluded that without organizational alignment, stronger executive engagement and integrated risk systems, even well-funded and technologically advanced programs will continue to fall short.

“Without organizational alignment, even the most sophisticated programs will fail to thrive,” the report said. “Integrated systems and genuine commitment to risk reduction over simply meeting compliance requirements will be the difference between delivering positive security outcomes and drowning in box checking.”