
February 2026 Vendor Management News

Feb 12, 2026

Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of February 12

With rise of AI, FINRA emphasizes strong risk management. FINRA is seeing rapid growth in “agentic AI” — autonomous AI systems that can plan, make decisions, and act with limited human intervention — across member firms. This includes fraud detection, AML and trade surveillance, and workflow automation, among others. While these tools promise faster processing, broader data integration, and lower costs, they also introduce meaningful risks, including acting beyond intended authority, limited transparency and auditability, and data sensitivity concerns. FINRA emphasized the importance of strong governance, supervision, and proactive regulatory engagement to ensure firms can harness the benefits without exposing themselves.

Federal Reserve workshop reviews oversight of growing third-party risks. A recent Federal Reserve–hosted workshop highlighted growing concerns around third-party service provider risk. While outsourcing delivers efficiency and specialization, it also introduces concentration risk, cyber vulnerabilities, and interconnectedness that can amplify disruptions. Participants emphasized prioritizing oversight based on vendor criticality, strengthening service level agreements, improving transparency into “nth-party” relationships, and conducting regular incident response tabletop exercises. As innovation increases, firms must balance resilience with growth, improve supply chain visibility, and take a more proactive, systemic view of third-party risk.

Fraudulent emails sent to customers after third-party breach. A data breach at a third-party marketing and operations platform led to fraudulent crypto emails being sent to Betterment customers. While the firm says customer accounts, passwords, and login credentials were not compromised, a breach tracking analysis said 1.4 million email addresses may have been exposed.

Third-party breach compromises information of 35 million. A breach at a third-party email service provider compromised the information of about 35 million Flickr customers, including emails, IP addresses, and location data. The platform shut down access to the affected system within hours, but the incident underscores how vendor weaknesses can create risks like phishing and social engineering, even when core systems remain secure.

Third-party data breach exposes sensitive data. The sensitive data of over 17,000 was compromised after a third-party breach at Anywhere Real Estate. It exposed sensitive data including names, addresses, dates of birth, Social Security numbers, and job details tied to employees and affiliates across several subsidiaries.

Strengthening vendor management with continuous oversight. Vendor risk management has evolved into a strategic priority as organizations recognize that outsourcing services does not outsource accountability. Relying on questionnaires or annual check-the-box reviews is no longer enough. Effective oversight requires ongoing, risk-based monitoring, tested recovery objectives, validated evidence of controls, and clear escalation processes.

Integrating cyber and third-party risks into ERM. While most organizations recognize cyber risk as a major financial threat, only 41% have meaningfully integrated cybersecurity into enterprise risk management — and just 23% apply unified risk oversight to third parties, according to new research. Organizations that embed cyber risk into governance, translate exposure into financial impact, connect controls to business processes, and extend ERM principles to high-risk vendors are better positioned to detect issues earlier and respond faster.  

Recently Added Articles as of February 5

Almost a third of financial data breaches involve third parties. Financial services once again led all industries in data breaches in 2025, highlighting a risk environment that continues to intensify. New data shows that roughly 30% of breaches now involve third parties, with vendors increasingly used to gain access to financial institutions. Concentration risk in a small number of critical technology providers raises the stakes of any single failure. Stronger third-party oversight, better visibility into supply chains, and more proactive information sharing are essential to managing evolving cyber risks.

AI legislation speeds up across the states. Just one month into 2026, state lawmakers are already moving aggressively on AI and privacy, with hundreds of bills under consideration across the country. Legislatures are especially active in states with short sessions, accelerating momentum around regulations for AI chatbots, algorithmic and surveillance-based pricing, health-related AI use, children’s privacy, data brokers, and consumer data protection. State-level action on AI transparency, pricing practices, and privacy rights is far from slowing down. The regulatory patchwork is growing more complex, and keeping pace with evolving state requirements around AI governance, data use, and third-party impacts will be critical throughout 2026.

Third-party risk management needs to evolve as risks become more complex. As financial institutions deepen partnerships with fintech and crypto-native firms, third-party risk is becoming more complex and more critical to get right. While collaborations unlock innovation and growth, they also expand the attack surface, introducing new cybersecurity, financial crime, operational, and regulatory risks. One-size-fits-all TPRM programs no longer work. Organizations need tailored, risk-based approaches that improve visibility, strengthen due diligence and onboarding, and align third-party oversight with enterprise risk programs. Thoughtful third-party risk management helps institutions protect trust, meet regulatory expectations, and safely pursue new opportunities in a rapidly evolving landscape. 

Third-party risk is inherently a customer service issue. As organizations rely on SaaS providers for everything from identity verification to payments and data storage, third-party failures or breaches quickly become customer-facing issues, directly impacting trust and brand reputation. Cybersecurity and vendor risk management should be treated as core customer disciplines, not just compliance exercises. Map vendors to customer journeys, prioritize risks based on customer impact, and build accountability into procurement and governance. By breaking down silos between customer service, IT, and security, organizations can better protect customer data, strengthen trust, and deliver more resilient, customer-centric experiences. 

Improving TPRM practices to address increasing risks. Third-party risk now lives across ecosystems of vendors, cloud providers, fintechs, and digital asset partners, where failures can quickly cascade into regulatory, operational, and reputational fallout. Even trusted, top-tier vendors can become single points of failure. Move toward continuous, risk-based oversight that prioritizes critical third and fourth parties, strengthens governance and contractual controls, improves real-time visibility across supply chains, and integrates AI responsibly with human judgment.  

