Third Party Cyber Risk Oversight and Assessment 2025

Report - December 2025

Financial institutions rely on a complex and ever-growing ecosystem of third and nth parties to support their digital transformation, resulting in a rapidly evolving cyber risk profile. This paper explores how cyber third party risk management has evolved since our last study on this topic in 2021 and identifies some key areas of focus for the next 12-18 months.

This study builds on our 2021 Supplier Cyber Risk Management and Oversight report and a recent wider study from ORX on Third Party Ecosystem Risk Management. The report examines: 

• The role of cyber teams within the wider TPRM process
• The third party cyber risk assessment process, including: Timing, tiering, and techniques
  • Further insights into the use of cyber risk questionnaires
  • Certifications, automation, and outsourcing
  • Results and actions from assessment and oversight activities
• Specific third party challenges
• Third and fourth party inventories 

Our full report on Third Party Cyber Risk Oversight and Assessment is available to all ORX Cyber subscribers.

Contacts: