SecurityScorecard
Reports
All Statistics
Only 26% of organizations incorporate incident response into their supply chain cybersecurity programs.
Nearly 40% of respondents identified data overload and the inability to prioritize issues and threats as their biggest supply chain cybersecurity challenge.
79% of organizations state that less than half of their nth-party supply chain is currently covered by cybersecurity programs.
88% of cybersecurity leaders are concerned about supply chain cyber risks.
More than 70% of organizations reported experiencing at least one material third-party cybersecurity incident in the past year.
5% of organizations suffered ten or more third-party cybersecurity incidents.
Fewer than half of organizations monitor cybersecurity across even 50% of their nth-party supply chains.
Technology products and services were linked to 63.9% of third-party breaches. File transfer software and cloud platforms were the most frequent points of compromise within this category.
Application Security and DNS Health were the most common weaknesses, with 46.4% of fintech companies scoring lowest in application security.
28.2% of fintech companies that experienced publicly reported breaches had multiple incidents.
Fourth-party exposures accounted for an additional 11.9% of breaches on fintech companies, which is more than double the global average.
41.8% of breaches impacting top fintech companies originated from third-party vendors.
18.4% of fintech companies experienced publicly reported breaches.
Fintech firms had the strongest security posture of any industry analysed, with a median score of 90 and 55.6% earning an “A” rating.
The technology industry had the second-highest third-party breach rate at 47.3%.
35.5% of all breaches in 2024 were third-party related. This figure is noted as likely conservative due to underreporting and misclassification.
46.75% of third-party breaches involved technology products and services. This represents a drop from the previous year's 75%, indicating a diversification of attack surfaces.
Japan had a third-party breach rate of 60%.
Singapore had the highest third-party breach rate globally at 71.4%.
41.4% of ransomware attacks now start through third parties.
The retail & hospitality industry saw the highest third-party breach rate at 52.4%.
The energy and utilities industry had a third-party breach rate of 46.7%.
The healthcare sector had the most third-party breaches (78) but a below-average rate of 32.2%.
The Netherlands had the second-highest third-party breach rate at 70.4%.
The U.S. reported a lower third-party breach rate of 30.9%, falling 4.6% below the global average.
28% of federal contractors had at least one observable malware infection or compromised device on their networks in the past year.
Third-party software & IT caused 50% of breaches at insurance companies.
Application security was the most significant vulnerability for 41% of federal contractors, with nearly half (46%) of the most impactful security issues originating from this area.
More than half (56%) of insurance companies had at least one compromised credential in the past two years.
28% of insurance companies reported breaches—higher than the S&P 500 (21%) and double the U.S. energy industry (14%).
State-sponsored groups accounted for 35% of attributable breaches, but their role in third-party breaches rose to 39.5%.
58% of breaches impacting the top 100 U.S. federal contractors involved third-party attack vectors. This is double the global average of 29%.
35% of federal contractors experienced publicly reported breaches, with 14% having multiple incidents (2–5 breaches each).
Ransomware operators accounted for 41.25% of all breaches, with their share rising to 46.5% in third-party incidents.
59% of breaches among the top 150 insurance companies involved third-party attack vectors.
59% of insurance companies' breaches involved third-party attack vectors, more than double the global cross-industry average of 29%.
Insurance carriers represented 50% of the companies hit by third-party incidents, despite making up about 27% of the total sample.
Malware infections and device compromises affected 17% of insurance companies last year.