Survey Finds Most FIs Running Pretty Lean in Measuring Vendor Risk

BRENTWOOD, Tenn.–When it comes to managing vendors, most financial institutions report doing so with pretty lean teams, while nearly half also report having experienced vendor-related cyber-risks, according to a new survey.

Some 73% of FIs reported having two or fewer full-time employees managing vendor risk, even though more than half oversee more than 300 vendors, according to the survey by Ncontracts. The survey took place between November 2024 and January 2025 and included more than 170 banks, credit unions and mortgage companies across a “range of asset sizes,” the company said.

Key Findings

Among the other findings:

  • 66% report feeling pressure to enhance their third-party risk management (TPRM) programs, with nearly half citing auditors and regulators as primary drivers.
  • 49% of financial institutions experienced a vendor-related cyber incident in the past year, with recovery times ranging from under 60 days (66%) to more than 90 days (8%).
  • Artificial intelligence ranks as the second-biggest TPRM risk heading into 2025, with institutions increasingly adding AI usage language to contracts and implementing specific due diligence measures, Ncontracts reported.
  • Collecting and analyzing vendor documents is a top bottleneck.
  • 85% of financial institutions report moderate to high value from their TPRM programs, with benefits ranging from improved cybersecurity to enhanced vendor performance and cost control.

‘Perfect Storm’ 

“Financial institutions are caught in a perfect storm—managing more vendors with fewer resources while facing heightened cyber threats and regulatory scrutiny,” Ncontracts Founder and CEO Michael Berman said in a statement. “The surge in hybrid TPRM models and dedicated risk management software adoption shows that forward-thinking institutions are responding strategically.

“What’s particularly encouraging is that 85% of respondents see tangible ROI from their TPRM investments. This isn’t just about compliance anymore—robust vendor management is becoming a competitive differentiator that enhances operational resilience, strengthens cybersecurity posture, and drives cost efficiencies,” Berman added.
