Supply Chain Statistics
Latest Statistics
66% of incidents involve the supply chain or a third party, up from 45% in 2024.
In MCP registries, for every server provided by a verified technology vendor there are up to 15 lookalike servers from untrusted sources.
Top AI-related cybersecurity concerns are data leakage through copilots and agents (22%), third-party and supply chain risks (21%), evolving regulations (20%), shadow AI (18%), and prompt injection attacks (18%).
Confidence in data security falls to 40% when data passes through third-party provider networks.
32% of leaders do not know the locations of all of their data centers, rising to 49% when including third-party providers.
11% of leaders say they are aware of definite weak points when their data travels across third-party infrastructures.
63% of respondents that prioritize SBOM validation say they're highly prepared to evaluate third-party software.
70% of organizations experienced at least one material third-party cyber incident in the past year.
97% of organizations reported negative impacts from supply chain breaches over the past twelve months, an increase from 81% in 2024.
47% of retail executives reported having very low to moderate visibility into their software supply chain.
33% of leaders at financial services firms say they are unprepared to recover effectively from a supply chain attack.
Supply chain attacks against healthcare organizations decreased significantly from 68% in 2024 to 44% in 2025.
44% of healthcare organizations say their organization experienced an attack against its supply chains, which is a significant decline from 68% in 2024.
Healthcare organizations that experienced supply chain attacks experienced, on average, four such attacks in the past two years.
57% of healthcare organizations say their organizations are very or highly vulnerable to supply chain attacks.
38% of organizations identify runtime as their most vulnerable phase in AI supply chain security.
31.2% of organizations expect AI Supply Chain Security to require the most new investment in AI security over the next 12 months.
29% of organizations identify external APIs and SaaS-embedded AI features as their greatest AI supply chain risk.
31% of organizations identify data sources and embeddings as their greatest AI supply chain risk.
Over 31% of organizations are planning to allocate their security budgets to AI supply chain security over the next 12 months.
Only 13% of organizations rank model sourcing and provenance as concerns regarding AI supply chain risk.
27% of organizations view AI supply chain risks as spanning the entire AI supply chain from sourcing through runtime deployment.
16% of organizations rank plugins and extensions as their greatest AI supply chain risk.
Just 9% of organizations rank orchestration layers and agents as their greatest AI supply chain risk.
3% of organizations are unsure which aspect of the AI supply chain poses the greatest risk to their organization.
31% of organizations are redirecting their largest security investments toward AI supply chain security over the next 12 months.
CISO confusion about cyber insurance policy coverage for supply-chain attacks decreased from 58% in 2024 to 43% in 2025.
Business associates (including billing vendors, imaging firms, and outsourced IT providers) were involved in 17 of the 107 email-related breaches in healthcare. This represents 16% of all incidents.
68% of healthcare leaders cited third-party software as the top risk.
73% of security leaders reported receiving at least one notification of a software supply chain vulnerability or incident within the past year.
68% of security leaders are concerned about the risks associated with third-party software tools and components integrated into their tech stacks.
68% of CISOs consider supply chain risk and generative AI security to be top concerns, viewing them as intertwined challenges that are redefining the attack surface.
In Latin America, 50% say they are prepared for software supply chain attacks.
80% of organizations with low visibility of their software supply chain view critical factors like custom code, commercial off-the-shelf software, and API integrations as "very risky" or "somewhat risky".
About half (49%) of companies say they lack the visibility to fully understand – or even identify – software supply chain risks.
40% of CEOs believe that the biggest security risk the organization faces today is from the software supply chain, compared with 29% of CIOs and 27% of CTOs.
Despite high investment in enhanced software supply chain security, Europe ranks lowest at 23% in prioritizing engaging with software suppliers about security credentials.
39% of CEOs say AI adoption presents a greater risk to the software supply chain.
57% of North American organizations say they are prepared for software supply chain attacks.