Cybersecurity statistics about vendor
64% of organizations fail to continuously assess vendor and supplier security after onboarding.
38% of successful Canadian software buyers evaluated a vendor's reputation for incident response before purchase.
49% of successful Canadian software buyers paid close attention to a vendor’s history of breaches or attacks before purchase.
41% of successful Canadian software buyers considered patching and update practices before purchase.
99% of satisfied Canadian software buyers narrowed their choices to five vendors or fewer, compared to 90% of disappointed buyers.
32% of successful Canadian software buyers checked encryption standards of vendors before purchase.
Successful Canadian software adopters typically complete vendor selection in about three months, while disappointed buyers take four to five months.
9 working weeks per year are spent on vendor security reviews and risk assessments, compared to 7 weeks the previous year.
11% of leaders at financial services firms say they are unprepared to recover effectively from a vendor or third-party breach.
18 S&P 500 companies cited third-party and vendor exposure as a cybersecurity risk tied to AI.
Despite a drop in notifications, vendor-related claims still accounted for 15% of incurred losses estimated so far in 2025.
Vendor-driven cyber insurance claims notifications fell from 37% to 26% of all claims, representing a 30% drop.
39% of organizations actively pursuing CMMC 2.0 certification cite vendor compliance as a top concern. This is 7 percentage points higher than non-CMMC organizations.
Vendor compliance ranks as the second-highest challenge for the organizations actively pursuing CMMC 2.0 certification (scoring 73 out of 100).
Compromised third-party vendors (31.6%) was among the controls with the highest failure rates in enterprise fraud attacks.
Nearly all organisations (99%) assess vendor risk.
Black Kite researchers found that 31 out of 140 third-party vendors have at least one critical vulnerability with a CVSS at or above 8. 15 vendors show an extremely high risk with CVSS scores above 9.
90 third-party vendors are flagged with high-risk threat categories. Among these, 35 vendors are marked with Known Exploited Vulnerabilities (KEV) tags.
65% of third-party vendors are not maintaining current patch levels, which exposes financial institutions to inherited risk from known vulnerabilities (CVEs) and potentially unpatched zero-day vulnerabilities in legacy technologies.
The overall reporting rate for advanced text-based email threats was just 1.46%.