In May 2023, a zero-day vulnerability in a file-transfer tool called MOVEit was exploited by a ransomware group. Progress Software patched it within 48 hours. By then, the damage was done: 2,700 organizations were compromised, 93 million records were exposed, and 84% of the victims were not direct MOVEit customers. They were hit through their vendors.

Colorado State University did not use MOVEit. Its data was exposed six times by six different suppliers. Every one of those suppliers had passed an onboarding risk assessment. Every assessment was irrelevant the moment it was signed.

59%of companies do zero cybersecurity monitoring of third parties
30%of all data breaches now involve a third party — double the prior year
$4.91Maverage cost of a third-party data breach

What supplier risk monitoring actually means

Supplier risk monitoring is the continuous collection and analysis of external signals about a vendor's financial health, cybersecurity posture, compliance standing, and operational stability. It is not a questionnaire. It is not an annual review. It is an always-on layer of intelligence that detects when a supplier's risk profile shifts — before that shift becomes a disruption.

The key distinction: onboarding assessments capture what a supplier claims about itself at a single point in time. Continuous monitoring captures what external data reveals in real time. Credit rating downgrades, vulnerability disclosures, dark web credential leaks, regulatory enforcement actions, key personnel departures — none of these wait for the annual review cycle.

Only 4% of organizations have high confidence that their supplier risk questionnaires reflect actual risk.

The four costs of onboarding-only risk assessment

The gap between periodic assessments is where real damage accumulates. The Verizon 2025 Data Breach Investigations Report found that 30% of all breaches now involve a third party — double the prior year. Third-party breaches cost an average of $4.91 million, 40% more than internal breaches. The average time to detect and contain a breach is 277 days — longer than any quarterly review cycle.

Financial deterioration is equally dangerous. A global enterprise nearly lost $14 million when a fraudster hacked a supplier's email and requested a bank change. apexanalytix reports the average loss per supplier fraud instance is $1.5 million. Credit rating declines, payment failures, and going-concern warnings evolve between annual reviews, and companies without continuous monitoring carry 14% excess buffer stock as insurance against supplier failure.

Onboarding-only assessment

Point-in-time questionnaire. 364 days of blindness between reviews. 73% of risk effort spent on vetting, 27% on monitoring. Suppliers self-report. No external validation. Catches zero risks that emerge after signing.

Continuous monitoring

Always-on external intelligence. Detects vendor deterioration 70% faster. Cyber ratings, financial health scores, dark web alerts, and regulatory filings tracked in real time. Triggers reassessment only when material change occurs.


How the failure pattern unfolds: the timeline of a supplier breach

Month 1
Supplier passes onboarding assessment
Questionnaire completed. Security rating acceptable. Filed. Not reviewed again for 12 months.
Month 4
Supplier acquires smaller company
Acquisition inherits legacy systems with unpatched vulnerabilities. No notification required under the contract. Buyer has no visibility.
Month 7
Credentials appear on dark web
Infostealer malware captures employee credentials. Listed for sale. Continuous dark web monitoring would have detected this. Annual review will not.
Month 9
Breach occurs — buyer learns from the news
Attackers use stolen credentials to access supplier systems. Buyer data compromised. 75% of breached third parties do not proactively notify their customers.

What continuous monitoring looks like in practice

Continuous monitoring operates on a tiered frequency model. Critical suppliers get daily cyber ratings checks, real-time breach notifications, and weekly financial health scans. High-risk suppliers get weekly cyber and monthly financial monitoring. Medium-risk suppliers get monthly checks. Low-risk suppliers get quarterly signal checks. The cost scales with risk exposure — not with supplier count.

The signals to track fall into four domains. Cybersecurity: external security ratings from BitSight or SecurityScorecard, vulnerability disclosures, dark web credential exposure, certificate health. Financial: credit rating changes, late payment patterns, debt-to-equity ratios, going-concern warnings. Operational: SLA performance, business continuity plan currency, key personnel departures, geographic concentration risk. Compliance: regulatory enforcement actions, sanctions screening changes, ESG violations, adverse media.


The most common failure: treating monitoring as a technology problem

The most common misapplication is not skipping continuous monitoring entirely — it is buying a tool and calling it done. Organizations deploy a risk monitoring platform, integrate it with nothing, alert nobody, and generate dashboards nobody reads. The tool is the easy part. The hard part is routing alerts to the right teams, integrating risk signals into category strategies, and building the organizational muscle to act on what the data shows.

Integration with category management is where monitoring produces procurement value. A credit downgrade triggers a dual-sourcing review. A cyber rating decline triggers a contract amendment requiring enhanced security controls. A key person departure triggers a relationship health check. These are procurement actions, not compliance checkbox exercises.


What correct execution looks like

Organizations that do this well treat continuous monitoring as an input to procurement decisions, not an output of the compliance function. Automated alert routing sends cyber signals to InfoSec, financial signals to procurement finance, compliance signals to legal. Category dashboards overlay risk scores onto spend analytics, making concentration risk and single points of failure visible to category managers in their daily workflow.

The operational outcome: mean time to detect vendor incidents drops by 70-80%. Buffer stock requirements decline. Supplier financial distress triggers mitigation before bankruptcy, not after. The ROI is not in the monitoring tool — it is in the disruptions that never happen.


What this means in practice

Audit your supplier risk assessment cadence. Count how many critical suppliers were assessed only at onboarding and have not been re-evaluated in the past six months. Those are your blind spots.

Start with your top 20 suppliers by spend and criticality. Implement a minimum viable continuous monitoring program: external cyber ratings, financial health scores, and adverse media screening updated monthly. The cost is a fraction of a single third-party breach.

Build the routing. Define who receives which alert. Cyber alerts go to InfoSec. Financial alerts go to procurement. Compliance alerts go to legal. A tool without routing is a dashboard. A tool with routing is a risk management system.


Frequently asked questions

What percentage of companies only assess supplier risk at onboarding?

Veridion analysis shows 59% of companies do not monitor third parties for cybersecurity risks at all. Gartner reports 73% of risk identification effort goes to due diligence and recertification, leaving only 27% for ongoing monitoring. RiskRecon research finds just 4% of organizations trust their periodic assessments capture real risk.

What is continuous supplier risk monitoring?

Continuous risk monitoring shifts from point-in-time questionnaires to always-on external intelligence tracking vendor security ratings, financial health, dark web exposure, compliance status, and operational performance. It detects deterioration between annual reviews — closing the gap when most vendor breaches occur — and triggers reassessment only when material changes are detected.

What are the biggest supplier risk failures in recent years?

The MOVEit breach (2023) exposed 93 million records across 2,700 organizations through a single file-transfer tool. CDK Global ransomware (2024) paralyzed 15,000 auto dealerships for weeks. Change Healthcare (2024) disabled US healthcare claims processing nationwide. Snowflake credential theft (2024) impacted 165 customers through valid stolen credentials — no system compromise was needed.


Data sources

  1. Recorded Future — Third-Party Risk Statistics 2025-2026. Accessed July 16, 2026.
  2. Cybersecurity Dive — The MOVEit Meltdown: Statistics and Analysis. Accessed July 16, 2026.
  3. apexanalytix — Supplier Risk Assessment: Beyond the Annual Questionnaire. Accessed July 16, 2026.
  4. Safe Security — 8 Third-Party Risk Examples Every 2026 Security Team Should Know. Accessed July 16, 2026.
  5. Veridion — Vendor Risk Assessment Challenges and Continuous Monitoring. Accessed July 16, 2026.
  6. JAGGAER — How Procurement Is Moving From Reactive to Predictive Risk Management in 2026. Accessed July 16, 2026.