
The Breach Already Happened. Your Vendor Just Hasn't Told You Yet.

Published: Apr 28, 2026

Author: Bob Maley


Introduction

I've been doing third-party cyber risk for 25 years. These days, as CSO at Black Kite, I sit at an unusual intersection: I run a TPCRM program, and I work for the company that builds the platform I use to run it. When our annual breach report comes out, I’m looking for what the data confirms, what it challenges, and what it means for how programs need to operate.

What the Black Kite Research Group™ found this year should be clarifying for every CISO and TPCRM program manager running a program right now. The numbers expose a gap between what most programs assume is happening and what is actually happening — and that gap is where organizations get hurt.

Here's what I took away, and what I think you should do about it.


3 moves CISOs need to make now based on data from the 2026 Third-Party Breach Report:

Move 1: Stop assuming your vendors will tell you first.

The report found that bad actors detect a breach in about 10 days. Vendor disclosure takes 73. That's a 63-day window where your vendor knows there's a problem affecting your data and you don't.

This isn't a new pattern. I've watched it play out for decades. Breached organizations delay. They want to control the narrative before they go public. In the meantime, you're exposed and you don't even know it.

Regulations around disclosure have not solved this. There's always wiggle-room language about when disclosure becomes "required," and organizations know how to use it.

The move: 

  • Build operational visibility that doesn't depend on self-reporting. 
  • If you can see indicators of a problem before a vendor discloses (compromised credentials in stealer logs, anomalous signals in the ecosystem) you can take internal protective action without waiting for the notification that may be 60 days away. 
  • The goal is to lock down before exposure becomes damage.

Move 2: A grade tells you how a vendor looks. It doesn’t tell you what a threat actor sees.

Among the 200,000 vendors in this year’s data set, 54% have at least one critical vulnerability detected and 23% have corporate credentials circulating on the dark web. Those vendors aren’t failing their assessments. Many of them are carrying A ratings.

Call it grade inflation. A program built primarily around letter-grade ratings creates the comfortable illusion that coverage equals posture. It doesn’t. A grade is a weighted composite. It smooths over the single-point exposures that bad actors actually care about — the one unpatched CVE that maps to an active exploit kit, the credential set sitting in a stealer log right now that nobody has revoked. Those aren’t low-scoring vendors. They’re well-scored vendors with specific, exploitable weaknesses your rating methodology isn’t surfacing.

The question isn’t what grade your critical vendors are carrying. It’s whether you can see what a threat actor sees when they look at those same vendors. Active credential exposures. Ransomware susceptibility indicators. Exploitable vulnerabilities in production infrastructure. That’s risk intelligence. A grade is a comfort level, not a decision.

The move: 

  • Audit your top-tier vendors specifically for single-point exposures your rating methodology might not surface. 
  • If you find them — and you will — that’s not a failure of the program. That’s the program working. Act on it.
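As an added illustration of why a weighted composite can hide exactly the findings described above, the following Python script (written for this article; it is not Black Kite code and does not reproduce any real rating methodology) builds a toy composite grade from constructed category scores, then runs a separate single-point-exposure audit over the same tier-1 vendors. The vendor names, category weights, grade thresholds and the `CVE-PLACEHOLDER-1` identifier are all invented for the example.

```python
"""Added example: a composite grade versus a single-point-exposure audit.

Everything below (vendors, weights, thresholds, CVE placeholder) is constructed
for illustration and is not drawn from the report or any real rating method.
"""
from dataclasses import dataclass, field

# Constructed category weights for a toy 0-100 composite score.
WEIGHTS = {"patching": 0.25, "credentials": 0.25, "network": 0.25, "email": 0.25}


@dataclass
class Vendor:
    name: str
    tier: int                      # 1 = most critical to the business
    scores: dict                   # per-category score, 0-100
    exploitable_cves: list = field(default_factory=list)  # CVEs with a known exploit
    leaked_credentials: int = 0    # corporate credentials seen in stealer logs


def composite(v: Vendor) -> float:
    """Weighted average of category scores: the kind of number a grade is built on."""
    return sum(WEIGHTS[c] * v.scores[c] for c in WEIGHTS)


def letter_grade(score: float) -> str:
    """Constructed grade bands, used only to make the illustration concrete."""
    for cutoff, grade in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return grade
    return "F"


def single_point_exposures(v: Vendor) -> list:
    """The specific findings that a weighted average smooths over."""
    findings = [f"exploitable CVE {cve}" for cve in v.exploitable_cves]
    if v.leaked_credentials:
        findings.append(f"{v.leaked_credentials} credential(s) in stealer logs")
    return findings


def grade_only_review(vendors, max_tier=1) -> list:
    """What a program keyed purely on grades would escalate."""
    return [v.name for v in vendors
            if v.tier <= max_tier and letter_grade(composite(v)) in ("D", "F")]


def exposure_audit(vendors, max_tier=1) -> dict:
    """Top-tier vendors carrying a single-point exposure, regardless of grade."""
    flagged = {}
    for v in vendors:
        if v.tier > max_tier:
            continue
        exposures = single_point_exposures(v)
        if exposures:
            flagged[v.name] = (letter_grade(composite(v)), exposures)
    return flagged


# Constructed sample data: one well-graded tier-1 vendor with live exposures,
# one poorly-graded tier-1 vendor with none, one tier-3 vendor outside scope.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", 1, {"patching": 92, "credentials": 96, "network": 94, "email": 98},
           exploitable_cves=["CVE-PLACEHOLDER-1"], leaked_credentials=3),
    Vendor("logistics-api", 1, {"patching": 60, "credentials": 65, "network": 62, "email": 58}),
    Vendor("marketing-tool", 3, {"patching": 88, "credentials": 91, "network": 85, "email": 90},
           leaked_credentials=1),
]

if __name__ == "__main__":
    print("grade-only review escalates:", grade_only_review(SAMPLE_VENDORS))
    for name, (grade, findings) in exposure_audit(SAMPLE_VENDORS).items():
        print(f"{name} (grade {grade}):", "; ".join(findings))
```

Run as-is, the grade-only review escalates only the D-rated logistics vendor, while the exposure audit surfaces the A-rated payroll vendor with an exploitable CVE and leaked credentials. The point of separating the two functions is that the gate on specific, exploitable findings must not be folded back into the composite, or the weighting will average it away again.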

Move 3: Map your concentration exposure — and make explicit decisions about it.

The report is clear on this: concentration risk is not a theoretical concern. It is the weapon bad actors are actively using.

The attacker's logic is straightforward: 

  • Breach one company, get paid once. 
  • Breach one company that sits at the center of 50 other companies' supply chains, and the math changes completely. Smaller ransoms per target, but a much larger total take. 

This is why supply chain attacks keep scaling. It's not random. It's strategic.

The challenge for CISOs is that the vendors with the highest concentration risk are often the ones with the least accountability. They're too large to pressure, too embedded to replace easily, and often indifferent to the security concerns of smaller customers.

But there is a right process. 

  • Third-party risk teams identify and quantify the exposure. The business makes the decision. Is the risk acceptable given what the vendor provides? 
  • If yes, accept it formally and document it. If you have enough spend to get their attention, negotiate. Push for compensating controls (field-level encryption, enhanced logging, data masking) even if the vendor won't change their base posture. 
  • If the risk is genuinely unacceptable, start the conversation about alternatives, even knowing that switching vendors is painful.

The move: 

  • Don't let concentration risk sit as an implicit assumption in your program. 
  • Make it visible, put it in front of business leadership, and force an explicit decision. 
  • Accepting risk knowingly is a defensible position. Ignoring it is not.
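To make the "identify and quantify, then force an explicit decision" process concrete, here is an added Python example (not Black Kite code, and not a description of the platform). It ranks vendors by fan-in across a constructed map of internal systems, stores a decision record for each high-concentration vendor, and lists the vendors above a threshold that still have no documented decision. The dependency map, vendor names, the threshold value and the decision categories are assumptions made for the example.

```python
"""Added example: quantify concentration exposure and surface undecided vendors.

The dependency map, vendor names and threshold are constructed for illustration.
"""
from collections import defaultdict

# Constructed map: (internal system, vendor it depends on, data classes the vendor handles)
DEPENDENCIES = [
    ("payroll",     "hr-saas",    {"PII", "bank"}),
    ("benefits",    "hr-saas",    {"PII", "health"}),
    ("timekeeping", "hr-saas",    {"PII"}),
    ("crm",         "cloud-idp",  {"PII"}),
    ("payroll",     "cloud-idp",  set()),
    ("benefits",    "cloud-idp",  set()),
    ("timekeeping", "cloud-idp",  set()),
    ("marketing",   "email-tool", {"PII"}),
]

VALID_DECISIONS = ("accept", "negotiate", "replace")


def concentration(deps) -> list:
    """Rank vendors by fan-in (dependent systems), then by breadth of data handled."""
    per_vendor = defaultdict(lambda: {"systems": set(), "data": set()})
    for system, vendor, data in deps:
        per_vendor[vendor]["systems"].add(system)
        per_vendor[vendor]["data"].update(data)
    return sorted(per_vendor.items(),
                  key=lambda kv: (-len(kv[1]["systems"]), -len(kv[1]["data"]), kv[0]))


def record_decision(vendor: str, decision: str, owner: str, controls=()) -> dict:
    """A formal, attributable decision: accept, negotiate compensating controls, or replace."""
    if decision not in VALID_DECISIONS:
        raise ValueError(f"decision must be one of {VALID_DECISIONS}")
    return {"vendor": vendor, "decision": decision, "owner": owner,
            "compensating_controls": list(controls)}


def undecided(ranked, decisions, fan_in_threshold=2) -> list:
    """Vendors at or above the fan-in threshold with no documented business decision."""
    decided = {d["vendor"] for d in decisions}
    return [vendor for vendor, info in ranked
            if len(info["systems"]) >= fan_in_threshold and vendor not in decided]


# Constructed: the business has formally accepted the identity provider with controls,
# but nobody has made a call on the HR platform yet.
SAMPLE_DECISIONS = [
    record_decision("cloud-idp", "accept", "CIO",
                    controls=["enhanced logging", "phishing-resistant MFA"]),
]

if __name__ == "__main__":
    ranked = concentration(DEPENDENCIES)
    for vendor, info in ranked:
        print(f"{vendor}: {len(info['systems'])} dependent systems, data={sorted(info['data'])}")
    print("needs an explicit decision:", undecided(ranked, SAMPLE_DECISIONS))
```

The output of `undecided` is the list to put in front of business leadership: each entry is a vendor whose blast radius is known and quantified but whose risk is still being carried as an implicit assumption. Once a record exists, the same function stops reporting that vendor, whichever of the three decisions was made.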

Visibility Beats Notification Every Time

Sun Tzu wrote that the supreme art of war is to subdue the enemy without fighting. For TPCRM, the equivalent is this: the supreme art is to contain the loss before it occurs.

That’s what these three moves are about. Not reacting to breach notifications. Not feeling reassured by grades. Not hoping your highest-concentration vendors take your security requirements seriously. It’s about building a program with enough visibility and enough rigor to get left of the problem before it becomes one.

The breach already happened. Your vendor just hasn’t told you yet. Your job is to already know.

Read the 2026 Third-Party Breach Report