Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of January 22
Vendor risk is resilience risk. AI and cybersecurity are emerging as core operational risks, with AI use reaching deep into governance, policy, and core business functions. Vendor and technology-provider risk is increasingly treated as inherent operational risk that belongs inside the enterprise risk program under stronger oversight, rather than as a separate category. Downstream and technology-related vendor risk must be actively addressed as part of broader resilience and governance efforts.
Asking tougher questions of third-party vendors is key. High-profile cyber incidents over the past year, from the Marks & Spencer help desk breach to large-scale Salesforce and SAP compromises, underscore how attackers are increasingly exploiting third-party providers, trusted integrations, and human workflows as the fastest path into organizations. As reliance on IT vendors, SaaS platforms, and automation grows, traditional perimeter defenses and one-time due diligence are falling short. Asking tougher questions, validating how controls actually work in practice, and embedding security expectations into contracts and ongoing oversight closes the gap that a one-time review leaves open.
Third-party AI demands a proactive approach to vendor management. As organizations move toward enterprise-wide AI maturity, many are discovering a critical gap in their governance efforts: third-party and vendor risk. AI systems depend on complex, often opaque ecosystems of external data, models, cloud platforms, and APIs. Traditional vendor due diligence and contract-heavy approaches aren’t keeping pace. To reduce exposure, rethink third-party risk by diversifying vendors, strengthening cross-functional oversight, investing in AI literacy, and shifting toward continuous monitoring and transparency rather than one-time check-the-box reviews.
Third parties are accessing an increasing amount of sensitive data. New research shows third-party web applications are quietly becoming a major data exposure risk, with 64% now accessing sensitive information without a clear business need, up from 51% just two years ago. Marketing pixels, analytics tools, and tag managers are over-permissioned or deployed without security oversight, expanding the attack surface and putting sensitive data at risk. Despite 81% of security leaders ranking web attacks as a top priority, fewer than 40% have implemented effective controls, highlighting the urgent need for stronger third-party oversight, least-privilege access, and ongoing monitoring across digital and vendor ecosystems.
Recently Added Articles as of January 15
AI is complicating vendor management for financial institutions. For financial institutions, the real AI risk challenge isn’t adoption or intent — it’s control. Most AI capability now enters the institution through vendors, updates outside change management cycles, and models that can’t be fully inspected or frozen. That breaks familiar risk assumptions around validation, documentation, and accountability, even when outcomes look acceptable. Managing this requires extending governance into vendor contracts, monitoring model behavior over time instead of point-in-time reviews, and treating AI risk as an ongoing third-party risk — not a one-time model approval.
NCUA’s updated AI resource hub signals higher oversight expectations. The NCUA’s updated AI Resource Hub reinforces that credit unions are expected to govern AI use with the same discipline applied to other high-risk activities, particularly when AI is embedded in third-party solutions. Rather than issuing new rules, the agency is pointing institutions to established risk, cybersecurity, and data-governance frameworks and signaling that AI oversight should be integrated into existing compliance, vendor management, and risk management programs.
The takeaway: AI doesn’t require a standalone program, but it does require clearer documentation, stronger third-party oversight, and evidence that institutions understand how AI-driven tools affect members, data, and operational risk — whether built internally or sourced from vendors.
Merrill Lynch warns financial firms: AI brings real operational and oversight risks. An updated disclosure from Merrill Lynch highlights that while financial advice firms are increasingly turning to AI and machine learning to streamline operations, these technologies carry specific hazards that must be governed with the same rigor applied to other third-party tools. AI systems can be flawed, produce biased or hallucinated outputs, and introduce cyber and operational risks, especially when sourced from external vendors and beyond traditional change management.
Merrill points out that limited transparency into third-party AI, evolving legal and regulatory expectations, and susceptibility to cybersecurity incidents mean firms must build robust supervision, testing, and governance frameworks — extending vendor due diligence, monitoring, and controls — to manage AI risk responsibly rather than treating it as a standalone efficiency play.
Third parties are a top risk for the insurance industry. Third-party risk is moving squarely into the spotlight for insurers. Regulators are making it clear that vendors are extensions of an insurer’s own risk profile, with no tolerance for “we outsourced it” defenses. Heightened scrutiny around third-party data, models, suitability oversight, cybersecurity, and vendor governance means insurers must treat vendor risk management as a core strategic function, not a compliance afterthought. The best-positioned insurers for 2026 will be those that industrialize third-party oversight, align it with enterprise risk management, and maintain clear accountability as vendor ecosystems grow more complex.
Third-party risk lessons from a recent breach. A data exposure tied to Korean Air highlights how breaches increasingly originate in trusted third-party systems. In this case, a critical vulnerability in a catering vendor’s software allowed risk to flow downstream. The lesson extends beyond software to AI, where dynamic models, APIs, and data pipelines create “intelligence supply chains” that are harder to see, govern, and contain. With AI adoption outpacing governance, limited visibility into data flows and dependencies is becoming a major risk, pushing CIOs and boards to rethink accountability, resilience, and third-party oversight.
Managing third-party and other risks in M&As. As bank M&A activity accelerates, cybersecurity due diligence is becoming just as critical as financial review. Hidden security gaps, weak data stewardship, and poorly governed third-party relationships can turn an acquisition into a costly risk, especially when institutions rely on paperwork instead of real security maturity. The focus should be on how cybersecurity frameworks are actually used, how engaged leadership and boards are, and how well customer data and vendor ecosystems are managed. In M&A, you inherit every cyber risk and third-party exposure, so asking the right questions upfront can help avoid expensive surprises after the deal closes.
Recently Added Articles as of January 8
As federal oversight decreases, mortgage companies must prepare for increased state scrutiny. Mortgage compliance has entered a “state-centric” era. State regulators are now driving oversight, enforcement, and guidance given the CFPB’s recent changes. State exams are becoming deeper, broader, and more frequent, with particular attention on third-party arrangements, including technology vendors and contractors. Many former CFPB regulators are now taking positions as state regulators in some areas. Mortgage companies must demonstrate robust due diligence, ongoing monitoring, and policies. Adopt state-by-state compliance strategies, maintain detailed documentation, and proactively engage regulators as compliance partners.
SEC Regulation S-P amendments take effect: What large firms need to know. Amendments to SEC Regulation S-P took effect on December 3, significantly strengthening requirements around how financial organizations oversee third parties that access customer data, including investment advisers and investment companies. The updates require firms to tighten service provider contracts and monitoring, including mandating that vendors notify them of any unauthorized access to customer information within 72 hours of becoming aware of it. With strict customer notification and documentation expectations now in place for larger institutions, and smaller firms facing a June deadline, third-party risk management is no longer optional but a regulatory expectation.
FINRA’s 2026 report emphasizes risks of Generative AI and AI vendors. FINRA’s 2026 Annual Regulatory Oversight Report highlights generative AI as a growing focus for wealth managers, emphasizing a risk-based approach that integrates oversight, documentation, and governance. Wealth management firms are urged to implement formal review and approval processes before deploying AI tools, ensure human oversight, and address issues like privacy, business records, and compliance. The report also underscores third-party considerations: vendors providing AI tools must be evaluated for security, risk management, and adherence to regulatory expectations. For wealth managers, responsible AI adoption requires robust policies, vendor oversight, and governance frameworks to protect clients and maintain fiduciary duties.
Third-party breach compromises information at crypto software provider. Crypto tax software provider Koinly is warning users that a third-party data breach may have exposed user data such as names, email addresses, general location, and device information. Koinly said sensitive information like wallet details, transaction history, and tax data was not shared or accessed. The company has stopped using the third party, launched a broader review of its other vendors, and cautioned users to watch for phishing attempts.
Stepping up third-party access management to avoid breaches. Many breaches don’t start in a company’s own systems but with trusted third parties that retain access long after it’s needed. Weak identity and access management practices, such as delayed access revocation, poor authentication, and excessive exceptions, quietly expand the attack surface. Organizations need to treat third-party identities with the same rigor as their internal workforce by tightening onboarding and offboarding, reducing standing access, and continuously reviewing permissions so that small gaps don’t turn into major incidents.
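As an added example (not from the article or from any vendor's tooling), the following script runs the kind of recurring access review the item above calls for over a constructed export of third-party accounts. It flags the four gaps named there: access left in place after the engagement ended, accounts that were provisioned and never used or have gone stale, standing privileged access with no current approved exception, and vendor accounts exempted from MFA. The record schema, role names, vendor names, and dates are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Roles treated as privileged; an assumed convention for this example.
PRIVILEGED_ROLES = {"admin", "owner", "db-admin"}


@dataclass
class VendorIdentity:
    """One third-party account as it might be exported from an IdP or an
    access-governance tool. Field names are assumptions, not a real schema."""
    account: str
    vendor: str
    engagement_end: Optional[date]              # contract/SOW end; None if open-ended
    last_login: Optional[date]                  # None if the account never signed in
    roles: List[str] = field(default_factory=list)
    mfa_enforced: bool = True
    exception_expires: Optional[date] = None    # approved standing-privilege exception


def review_vendor_access(identities: List[VendorIdentity], today: date,
                         inactivity_days: int = 30,
                         revocation_grace_days: int = 1) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for access that should be revoked or
    re-approved. One check per gap the article names."""
    findings: List[Tuple[str, str]] = []
    for ident in identities:
        # 1. Offboarding lag: the engagement is over but the account still exists.
        if ident.engagement_end is not None and \
                today > ident.engagement_end + timedelta(days=revocation_grace_days):
            findings.append((ident.account, "engagement ended, access not revoked"))

        # 2. Stale or never-used access: no sign-in inside the inactivity window.
        if ident.last_login is None:
            findings.append((ident.account, "provisioned but never used"))
        elif (today - ident.last_login).days > inactivity_days:
            findings.append((ident.account, f"inactive for more than {inactivity_days} days"))

        # 3. Standing privilege: privileged roles need a current, dated exception.
        if PRIVILEGED_ROLES.intersection(ident.roles):
            if ident.exception_expires is None or ident.exception_expires < today:
                findings.append((ident.account,
                                 "standing privileged access without a current exception"))

        # 4. Weak authentication: vendor accounts should not be exempt from MFA.
        if not ident.mfa_enforced:
            findings.append((ident.account, "MFA not enforced"))
    return findings


def revoke_now(findings: List[Tuple[str, str]]) -> List[str]:
    """Accounts whose engagement has ended go straight to revocation
    rather than into a review queue."""
    return sorted({acct for acct, reason in findings if reason.startswith("engagement ended")})


# Constructed sample export: vendors, accounts and dates are made up.
REVIEW_DATE = date(2026, 1, 15)
SAMPLE = [
    VendorIdentity("svc-acme-deploy", "Acme Corp", date(2025, 11, 30), date(2026, 1, 10), ["admin"]),
    VendorIdentity("svc-beta-analytics", "Beta Analytics", None, date(2025, 11, 1), ["reader"],
                   mfa_enforced=False),
    VendorIdentity("svc-gamma-support", "Gamma Support", date(2026, 6, 30), date(2026, 1, 14), ["admin"],
                   exception_expires=date(2026, 3, 31)),
    VendorIdentity("svc-delta-migrate", "Delta Migrations", date(2026, 2, 28), None, ["db-admin"],
                   exception_expires=date(2026, 1, 1)),
]


def sample_findings() -> List[Tuple[str, str]]:
    """Run the review over the constructed export as of REVIEW_DATE."""
    return review_vendor_access(SAMPLE, today=REVIEW_DATE)


if __name__ == "__main__":
    for account, reason in sample_findings():
        print(f"{account}: {reason}")
    print("revoke now:", revoke_now(sample_findings()))
```

On the constructed data, only svc-gamma-support passes cleanly: its engagement is current, it signed in yesterday, and its admin role is covered by an unexpired exception. The review is meant to be run on a schedule against a fresh export, not once at onboarding, which is the point the item above makes about continuous review.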
Third-party breach exposes email addresses at Celsius. Crypto lender Celsius is warning customers that a data breach at its email delivery vendor exposed email addresses — the same incident that previously impacted OpenSea. The breach stemmed from an employee at the vendor who abused legitimate access, and while no other customer data was compromised, Celsius is urging users to stay alert for phishing attempts. The incident underscores a familiar third-party risk lesson: even limited data exposure, like email addresses, can fuel downstream fraud and scams when vendor access controls and oversight fall short.
Third parties increasingly held responsible for losses. As cyberattacks grow more costly, insurers are increasingly trying to recover breach losses from the vendors that may have contributed to an incident. After paying a claim, insurers can pursue cybersecurity providers when weak controls, missed security obligations, or delayed incident response make the damage worse. It’s important to carefully vet vendors, clearly define security and insurance responsibilities in contracts, and document vendor oversight. Gaps in third-party management can now lead to real financial and legal consequences after a breach.
Third-party cybersecurity incident exposes Goldman Sachs client data. Some Goldman Sachs clients may have had data exposed following a cybersecurity incident at a third-party law firm, Fried Frank, highlighting ongoing third-party risk concerns. Goldman said its own systems weren’t impacted, and that the law firm secured its network, addressed the vulnerability, and believes the data is unlikely to be misused. Both organizations emphasized swift response efforts, but the incident reinforces a broader trend: attackers increasingly target vendors to reach their primary targets, with industry reports showing a growing share of breaches tied to third parties — a timely reminder that vendor security is just as critical as internal controls.
Third-party data breach exposes personal information at Ledger. A breach at a third-party payment processor exposed limited personal data at Ledger. No financial information, wallet details, or private seed phrases were accessed, though names and contact information may have been exposed.
Baltimore lawsuit against digital lender marks growing shift in regulatory landscape. Baltimore filed a lawsuit against digital lender Dave Inc., accusing the company of using misleading marketing and high fees to push residents into costly, short-term loans. The city claimed the lender traps users in debt cycles, with interest rates far exceeding legal limits and optional “tips” misrepresented as charitable contributions. This action is part of a broader crackdown on digital lenders, following similar lawsuits against MoneyLion, DraftKings, and FanDuel. It also marks a growing shift in regulatory scrutiny — where federal regulators have taken a step back, states and cities are taking action.
