
Stat Snapshot: The State of TPRM in 2025

Each year, Whistic surveys more than 500 Information Security and Risk Management decision-makers to understand how the processes and approaches relating to third-party risk management (TPRM) impact the business. The result is the TPRM Impact Report, a comprehensive benchmark of trends in third-party risk affecting both buyers and their vendors. 

Since we’re just past the halfway point of 2025, it’s a perfect time to look at some of the stats and trends that are defining the year in TPRM. Here are the ways third-party risk is impacting your peers right now. 

Note: The following article contains spoilers for the full 2025 TPRM Impact Report…but you can get your own free copy here!

Immediate Impact: The Necessity of TPRM Excellence

The threat posed by cyber risk has never been higher: potential operational disruptions, loss of intellectual property, reputational harm, and the added expense of response resources all mean that the cost of a security incident is greater than ever. In their annual “Cost of a Data Breach” report, IBM found that the cost of a security breach has risen to $4.88M per incident—up $400K since last year. 

So what role do third parties and vendors play in this story? Let’s dive in. 

Key Risk Trends for Third Parties 

Your vendor ecosystem has the potential to create a massive threat surface for your business. Here are a few numbers that capture the scope of the challenge:

  • For the third straight year, security incidents are on the rise. In 2023, the share of organizations that reported a security breach over a three-year period was 55%. Today, that number is 70%.
  • Third-party vulnerabilities are a huge culprit in these incidents. Over the past three years, 77% of all security breaches originated with a vendor or other third party. 
  • Vendor ecosystems continue to grow despite the risks. In 2025, 56% of companies have more than 100 vendors. That’s a 6% increase since last year. The average number of vendors each company works with is now 286—that’s a 21% YoY increase. 

Key Takeaways on Vendor Risk

These trends have clear implications for TPRM teams juggling competing business priorities like meeting compliance requirements, mitigating risks, and satisfying a growing demand for third-party services. Here are some key takeaways that strategic TPRM teams must reckon with as they evolve:

New technologies increase demand for and reliance on third parties. 
Some 25 years on from the dawn of the “Digital Transformation” era, rapid change is still a constant—and is driving consistent growth in the size of vendor inventories. There are several reasons for this:

  • The increased demand for Software-as-a-Service (SaaS) offerings has created new markets for developers. This specialization fueled a move away from monolithic solution stacks toward more narrowly focused, niche tools. In practice, this means that modern business requires more vendors than previously. 
  • End users see the value in tools that are purpose-built for their needs, making them more effective and efficient than a consolidated platform that may be a jack-of-all-trades but a master of none. 
  • New macro-scale classes of technology tend to require re-investment in software and vendor solutions. Since 2000, we’ve seen this take place with the mobile revolution and the dominance of cloud computing—and it’s happening right now (at unprecedented speed) with AI.  

More vendors, more problems? 
Well, it certainly looks that way, but it’s not that simple. It’s true that companies use more vendors than ever and experience a very high volume of vendor-related breaches. But complexity is also increasing. This leaves businesses more exposed to third-party risk for a number of reasons: 

  • Diffuse ownership across the vendor ecosystem that jeopardizes a consistent approach to risk.
  • Poor visibility across the vendor ecosystem due to incomplete, decentralized vendor inventories.
  • High demand for services and solutions puts pressure on Procurement teams to move quickly—sometimes to the detriment of a thorough TPRM assessment. And traditional, manual approaches to vendor assessments amplify this challenge. 

Evolving your third-party risk management discipline helps organizations overcome these issues. Next, we’ll take a look at how companies are executing their TPRM strategies in 2025. 

The “Who” and “How” of TPRM in 2025

The strategic and tactical decisions companies make about building, leading, and supporting a vendor risk program can have huge effects on business outcomes. Team composition and organization, resource allocation, cross-functional collaboration, business-process excellence, and technology all play a role. Here’s how organizations are approaching that task in 2025.  

Key Organizational Trends for TPRM

The ways TPRM teams are constructed and function are evolving just like the vendor landscape:

  • TPRM teams are growing. The size of the average TPRM team has grown in the last year to 8.5 individuals (compared with 5.6 in 2024)—though 75% of companies still have a lean TPRM team of fewer than 10. 
  • …and so is the cost. The average cost to hire for your TPRM team this year is nearly $116K annually, an increase of $6K over last year. 80% of respondents in our survey say they intend to add headcount to their TPRM staff this year. 
  • Additional resources are desperately needed. With an average vendor inventory of 286 third parties and an average TPRM team of 8.5, the average vendor risk professional is responsible for assessing 33.6 vendors. This does not include vendors that are procured throughout the year.
  • The vendor experience is paramount. 99% of respondents say that vendor experience is at least somewhat important during the assessment and onboarding process—and 70% say it is critically important. This impacts the way TPRM teams interface with vendors during assessment and onboarding. 
  • Assessment teams are looking to augment the traditional security questionnaire. The move away from a questionnaire-only approach to vendor assessments is slowly taking place, while an appetite for supplementary data sources to conduct risk assessments is increasing:
     
    • 75% of companies are using a customized questionnaire for their assessments, which is down from 79% in 2024. Questionnaire-only approaches to collecting security intel can be cumbersome, and TPRM leaders are beginning to see the need for an alternative approach. 
    • 83% of companies now use some kind of exchange—a centralized repository for on-demand vendor security documentation—as part of their assessment process.
    • 88% of companies leverage security risk ratings in their process, while 74% of companies accept a previously completed standard (like SIG, ISO, or CAIQ) in lieu of their typical questionnaire, and 93% of companies will at least begin an assessment with a previously completed standard. 

Key Takeaways for TPRM Organizations

The trends on team construction and risk-assessment methodology have implications for TPRM leaders in 2025—and into the future:

  • Traditional TPRM teams struggle to keep up with demand. Even as teams grew in the last year, companies still see the need to increase their investment in TPRM resources. That’s because the gains in headcount struggle to keep pace with the increase in vendors. 
  • The questionnaire has become a chokepoint in the process. With such high demand, a single source for collecting vendor intelligence is simply not effective for doing a proper assessment; 94% of companies report that they do not have the time or resources to assess all their vendors, while 97% of companies would do a more thorough assessment if they could. This suggests that the manual, questionnaire-based approach isn’t cutting it. 
  • Better vendor experience, better assessments? Companies are betting that if they can make the assessment process more streamlined for their vendors, they will improve TPRM outcomes. When the burden of the assessment is eased, vendors are much more likely to respond fast to assessment requests and become more engaged partners during the process. 

Modern TPRM: Making the Transition 

More vendors, more complexity, more risk, and more at stake. That’s what TPRM teams in 2025 are facing—and many of them are facing it with the same lean resources and processes that they always have. 

And they’re falling behind. 

Traditional, heavily-manual TPRM simply can’t keep pace with the need for strong vendor risk management. The alternative? Modern TPRM.

These pillars make up a modern approach to the growing challenges of third-party risk management:

  • Speed and automation. Manually collecting vendor security intelligence and conducting an assessment can take weeks or months of back and forth. Modern TPRM automates up to 90% of the steps in an assessment so you can assess more vendors in a fraction of the time. 
  • Diverse data sources. The questionnaire can’t be the only source of security information. Trust Centers, audit reports, risk ranking services, completed standards, web sources, or even previously completed questionnaires are much easier to collect and provide an enormous range of information that can be more readily processed, provided your team is…
  • AI first. When AI is integrated into every phase of your assessment process, you can more quickly source decision-making intelligence, process that information to surface deeper insight, and increase the visibility and reporting capacity of your program. 

The Whistic Platform is the only Modern, AI-First third-party risk management platform in the industry. Whistic AI makes it simple to collect, analyze, and make decisions on vendor risk in minutes—not weeks. Plus, our AI is built on a foundation of transparency, so every AI-generated response includes a confidence score, rationale, and full citation. That means you maintain control and lead with trust. 

For more trends on the state of TPRM in 2025, be sure to download the complete report for free. If you’re looking to modernize your TPRM program and make it challenge-proof for 2026, set up some time with our team for an in-depth demo and see the Whistic difference for yourself. 
