Categories: Threat Intelligence

Why Threat-Informed TPRM is Essential for Supply Chain Security Today

Third-party attacks: A growing threat

In our interconnected digital world, third-party attacks have surged to the forefront as a significant threat to organizational security. Cybercriminals are increasingly targeting vulnerabilities within external vendors, suppliers, contractors, and service providers to bypass direct defense measures. This indirect approach often leads to devastating consequences, including data breaches, operational disruptions, regulatory fines, and considerable reputational damage. Thus, Third-Party Risk Management (TPRM) is now essential for safeguarding sensitive data and maintaining customer trust, elevating it to a board-level priority rather than a mere IT concern.

According to our 2025 State of the Underground report, there has been a staggering 43% increase in data breaches shared on underground forums compared to the previous year, with U.S. organizations accounting for nearly 20% of all identified victims. This trend emphasizes the increasing sophistication of cybercriminal strategies and their ability to exploit vulnerabilities in third-party relationships.

Moreover, the report highlights a shocking revelation: throughout 2024, 2.9 billion unique sets of compromised credentials were leaked, compared to 2.2 billion in 2023. This drastic rise underscores the urgent need for organizations to establish comprehensive TPRM frameworks that extend visibility and control beyond their own digital perimeters.

Why your GRC team needs access to CTI, too

As the landscape of cyber threats evolves, Security Operations Centers (SOCs) find themselves overwhelmed by the responsibility of patching, monitoring, and responding to threats directed at their organization. However, today’s risks extend beyond straightforward perimeter defenses. Attackers are increasingly preying on weaknesses within an organization’s broader ecosystem, including its vendors, partners, and service providers.

Herein lies the crucial role of Governance, Risk, and Compliance (GRC) teams. Charged with overseeing vendor risk, GRC teams have an essential role in ensuring corporate resilience. By integrating Cyber Threat Intelligence (CTI), equipped with advanced AI capabilities, GRC teams can evolve from passive oversight into active defense. They can pinpoint potential vulnerabilities within the supply chain and flag them before they escalate into significant security incidents.

A real-world example: CVE-2025-10035

One recent example highlighting these issues is the identification of a critical vulnerability (CVE-2025-10035) in GoAnywhere MFT, a widely employed file transfer solution for handling sensitive data like financial records, HR files, and personally identifiable information (PII).

  • Severity: This vulnerability carries a CVSS score of 10.0 (critical) and 9.23 on Bitsight’s Dynamic Vulnerability Exploit (DVE) scale.
  • Impact: Its implications mirror those of the infamous MOVEit breach, illustrating how a single flaw can trigger a cascading series of security breaches across a multitude of organizations.

Even organizations that have fortified their internal systems may find themselves vulnerable due to weak links in their third- and fourth-party vendors. Just one unpatched vendor instance has the potential to jeopardize sensitive data and create ripple effects throughout the entire ecosystem.

Why this matters for TPRM

The analysis of CVE-2025-10035 highlights TPRM’s vital role as a frontline defense mechanism. Vulnerabilities like this one don’t merely jeopardize internal operations; they expose the entire supply chain to risk. For GRC teams, this presents both challenges and opportunities:

  • Vendor Assessments: Shift from traditional, often superficial check-the-box questionnaires toward leveraging real-time intelligence regarding vendor vulnerabilities.
  • Prioritization: Utilize CTI and risk analytics to distinguish crucial vulnerabilities amidst the noise, focusing on those most likely to be exploited.
  • Proactive Defense: Collaborate closely with SOCs to identify risks in the extended ecosystem before they can be exploited by attackers.

SOCs cannot tackle these threats in isolation. By incorporating CTI into GRC workflows, organizations gain a formidable additional layer of defense—one that closes the indirect routes into the organization that vendor relationships create, even while those vendor ecosystems are still under scrutiny.
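As an added illustration of the Prioritization step above (example code, not from the article or any vendor product): a small triage that joins a constructed third-party inventory against a constructed CTI feed and ranks unpatched exposures by exploit likelihood, severity and the sensitivity of the data each vendor handles, flagging fourth parties. Only CVE-2025-10035, its CVSS 10.0 and its DVE 9.23 come from the article; the scoring weights, the second advisory, the exploited-in-the-wild flag and all vendor names are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: float        # CVSS base score, 0-10
    dve: float         # assumed: Bitsight DVE exploit-likelihood score, 0-10
    exploited: bool    # assumed: exploitation observed in the wild

@dataclass(frozen=True)
class VendorAsset:
    vendor: str
    product: str
    tier: int                  # 1 = handles our PII/financial data, 3 = low sensitivity
    patched: bool
    via: Optional[str] = None  # set for fourth parties: the direct vendor they sit behind

# Constructed CTI feed; only the first entry's CVE and scores come from the article.
CTI = [
    Advisory("CVE-2025-10035", "GoAnywhere MFT", cvss=10.0, dve=9.23, exploited=True),
    Advisory("CVE-PLACEHOLDER-2", "ExampleCRM", cvss=7.5, dve=2.1, exploited=False),
]

# Constructed vendor inventory (all names fictional).
INVENTORY = [
    VendorAsset("PayrollCo", "GoAnywhere MFT", tier=1, patched=False),
    VendorAsset("PrintShop", "GoAnywhere MFT", tier=2, patched=False, via="MarketingAgency"),
    VendorAsset("LogisticsInc", "GoAnywhere MFT", tier=1, patched=True),
    VendorAsset("SalesOps", "ExampleCRM", tier=1, patched=False),
]

TIER_WEIGHT = {1: 1.0, 2: 0.7, 3: 0.4}  # assumed weighting by data sensitivity

def priority(adv: Advisory, asset: VendorAsset) -> float:
    """Score 0-100: exploit likelihood (60%) outweighs raw severity (40%),
    then scaled by how sensitive the data that vendor handles for us is."""
    if adv.product != asset.product or asset.patched:
        return 0.0
    likelihood = max(adv.dve, 9.0) if adv.exploited else adv.dve  # in-the-wild floors it
    base = 0.6 * likelihood + 0.4 * adv.cvss                      # still on a 0-10 scale
    return round(base * 10 * TIER_WEIGHT[asset.tier], 1)

def triage(inventory: List[VendorAsset], cti: List[Advisory]) -> List[Tuple[float, str, str, Optional[str]]]:
    """Return (score, vendor, cve, fourth_party_via) for every unpatched exposure, highest first."""
    findings = [(priority(adv, a), a.vendor, adv.cve, a.via) for a in inventory for adv in cti]
    return sorted((f for f in findings if f[0] > 0), key=lambda f: -f[0])
```

Calling `triage(INVENTORY, CTI)` puts the unpatched GoAnywhere MFT exposure at the tier-1 vendor first, the fourth-party instance second, and the low-likelihood CRM advisory last, while the patched vendor drops out entirely.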

Published by
James
