Research Conducted with the Ponemon Institute Reveals High Confidence in TPRM Program Maturity Despite Large Numbers of Breaches and Lengthy Assessment Processes
ProcessUnity, The Third-Party Risk Management Company, today released its State of Third-Party Risk Assessments 2026 report in partnership with the Ponemon Institute. Based on responses from 1,465 third-party risk leaders and practitioners worldwide, the study reveals a widening gap between confidence in third-party risk management (TPRM) program effectiveness and real-world results. While respondents claim a high degree of confidence in their assessment processes to reduce breach risk, they reported that their organizations average 12 third-party breaches or security incidents per year, highlighting third-party risk as a persistent and material operational challenge.
Download the full ProcessUnity State of Third-Party Risk Assessments 2026 Report here, and register for our webinar to learn more about the data behind the report.
Although many respondents report established assessment processes, policies, and frameworks, the data suggests that many equate the presence of a program with effective assessments. Despite this belief, most surveyed organizations apply no metrics to evaluate whether those programs actually reduce risk. Frequent breaches, prolonged assessment timelines, slow vendor responses, incomplete remediation, and limited visibility highlighted in this study indicate that effective TPRM maturity remains elusive. The disconnect is particularly pronounced in the financial services and technology & software sectors, where organizations report strong confidence in their TPRM programs while experiencing some of the longest assessment timelines and highest breach exposure (90% of financial services organizations and 85% of technology and software companies reported third-party breaches in 2025).
The findings expose systemic weaknesses that continue to undermine third-party risk programs across organizations worldwide. The following highlights illustrate where programs break down in practice, with the full set of findings detailed in the complete report.
- Manual program execution remains the norm, slowing assessment cycles and requiring human resources. Nearly two-thirds of organizations still utilize spreadsheets and homegrown or IT-built tools as part of their assessment management and tracking.
- Delayed vendor responses slow down risk decisions. 60% of organizations report that vendor response timelines range from four months to more than 12 months.
- Non-response remains a persistent barrier. 27% of vendors fail to respond to assessments at all, leaving critical gaps in portfolio visibility.
- AI adoption emerges as a major accelerator. 50% of organizations reported adopting AI to support third-party risk assessments, and 21% plan to adopt AI in the near future.
“This research shows that many third-party risk programs still lack maturity and fall short on outcomes. Organizations of all sizes invest in TPRM, but that effort doesn’t always translate into efficient, effective assessments or consistent risk reduction,” said Scott West, Vice President of Product Marketing at ProcessUnity. “We invite TPRM leaders and practitioners to use this research to benchmark their programs and build plans to improve measurement, speed, scalability, and visibility to manage third-party risk more effectively.”
The research translates these findings into a blueprint for scaling third-party risk assessments. Organizations can improve outcomes by evolving from periodic reviews to continuous oversight, applying inherent risk to prioritize vendors that introduce the greatest exposure, enforcing accountability for response and remediation, and extending visibility beyond direct vendors to include downstream dependencies and concentration risk. In addition, accelerating AI adoption now enables resource-constrained TPRM teams to reduce manual effort while increasing speed, consistency, and insight across the assessment lifecycle.
“Our research is dedicated to helping organizations improve oversight as third-party ecosystems expand,” said Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “These findings show why scalable execution and measurable outcomes are essential. We surveyed third-party risk leaders and practitioners globally to examine how organizations assess vendors in practice and where modernization is most needed.”
Detailed findings in the report explore assessment timelines, tooling reliance, budget ownership, fourth-party risk, industry and company-size breakouts, and more.
ProcessUnity to Host Webinar to Discuss the Findings in the Report
West will join Mike Fitzpatrick, Distinguished Fellow of the Ponemon Institute, to present additional research findings, including industry benchmarks and practical recommendations, during a webinar on February 18, 2026, at 11:00 AM ET.
About ProcessUnity
ProcessUnity is The Third-Party Risk Management (TPRM) company. Our software platforms and data services protect customers from cybersecurity threats, breaches, and outages that originate from their ever-growing ecosystem of business partners. By combining the world’s largest third-party risk data exchange, the leading TPRM workflow platform, and powerful artificial intelligence, ProcessUnity extends third-party risk, procurement, and cybersecurity teams so they can cover their entire vendor portfolio. With ProcessUnity, organizations of all sizes reduce assessment work while improving quality, securing intellectual property and customer data so business operations continue to operate uninterrupted.
About Ponemon Institute
Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.
View source version on businesswire.com: https://www.businesswire.com/news/home/20260127900475/en/
Contacts
Media Contact
Sara Jacono
LaunchTech Communications on behalf of ProcessUnity
Processunity@cyberriskalliance.com
