The Ultimate Guide to Effective Third-Party Risk Monitoring

A comprehensive third-party risk monitoring program can help you mitigate the impact of vendor data breaches, supply chain disruptions, and negative press on your organization.


Third-party breaches now account for 35.5% of all confirmed data breaches globally, up from 29% the year before, according to SecurityScorecard’s latest Global Third-Party Breach Report. The gap between those two figures represents thousands of incidents, billions in losses, and a fundamental shift in where enterprise risk actually lives.

Regulators have caught up. DORA entered into force in January 2025 with explicit continuous monitoring requirements for ICT third-party providers. OFAC’s enforcement posture has shifted toward gatekeeper liability, holding organizations accountable for what their vendors do on their behalf. For companies in regulated industries, third-party risk monitoring is now a compliance requirement.

What's Inside:
  1. What Is Third-Party Risk Monitoring?
  2. Why Does Continuous Monitoring Outperform Periodic Assessment?
  3. Where Does Third-Party Risk Monitoring Fit in the TPRM Lifecycle?
  4. What Are the Five Domains of Third-Party Risk Monitoring?
  5. What Do Regulators Now Require from Third-Party Monitoring Programs?
  6. What Are the Most Common Gaps in Third-Party Monitoring Programs?
  7. How Do You Build a Third-Party Risk Monitoring Program?
  8. Frequently Asked Questions

What Is Third-Party Risk Monitoring?

Third-party risk monitoring (TPRM monitoring) — sometimes called third-party vendor monitoring or vendor risk monitoring — is the practice of continuously gathering and analyzing externally observable data on vendors, suppliers, and service providers to identify cybersecurity, financial, reputational, operational, and geopolitical risks before they affect your organization. It is a core component of any mature third-party risk management (TPRM) program, and sits at the center of both vendor risk management (VRM) and supply chain risk management methodology.

The distinction between monitoring and assessment is fundamental. A risk assessment is periodic: a point-in-time questionnaire or audit conducted at onboarding or on a defined schedule. Monitoring is continuous: an ongoing feed of signals about what is actually happening to your vendors between assessment cycles.

The two are complementary. Each serves a distinct function that the other cannot replace. An assessment tells you what a vendor says about their security controls. Monitoring tells you whether their actual posture matches those claims, and whether that posture has changed since the last time you asked.


Why Does Continuous Monitoring Outperform Periodic Assessment?

Vendor questionnaires capture a snapshot. They tell you what your vendor’s controls looked like when they completed the form. Between that form and your next scheduled assessment, a vendor can experience a data breach, incur a regulatory fine, be named in a modern slavery audit, face secondary sanctions exposure, or undergo a leadership change that alters their risk posture entirely. None of that surfaces in your program unless you are actively watching.

The gap between assessment cycles is where most third-party incidents occur.

Closing that gap requires ongoing outside-in intelligence — continuous monitoring of what is actually observable about your vendors in the world, not only what they report about themselves.


Where Does Third-Party Risk Monitoring Fit in the TPRM Lifecycle?

Third-party risk monitoring is most effective when it functions as the continuous thread running through the full vendor lifecycle: connecting onboarding due diligence, ongoing assessment, contract management, and offboarding into a single, evolving picture of vendor risk. Monitoring is what keeps that picture current between scheduled touchpoints.


What Are the Five Domains of Third-Party Risk Monitoring?

    1. Cybersecurity Risk: Cyber vulnerabilities are the highest-frequency risk type in third-party monitoring programs and the fastest-moving. Threat actors target vendor ecosystems specifically because a single point of compromise provides access to multiple downstream organizations. Effective monitoring requires scanning for exposed credentials on the dark web, open vulnerabilities in internet-facing systems, and signals from criminal forums and paste sites. Vendor Threat Monitor automates this surveillance across vendor portfolios and should extend to fourth-party relationships, where regulatory blind spots most commonly create breach exposure.
    2. Financial and Reputational Risk: A vendor’s financial instability can disrupt your ability to receive contracted services. A regulatory fine or high-profile ethics violation creates brand exposure by association. Both require monitoring capabilities that operate outside standard cybersecurity intelligence tools. Continuous financial and reputational monitoring tracks public and private financial disclosures, adverse media, regulatory enforcement actions, and legal proceedings. The goal is early warning: know before a vendor’s situation escalates into a crisis that affects your operations or reputation.
    3. Labor, Modern Slavery, and ESG Risk: Regulators in multiple jurisdictions now require organizations to conduct ongoing due diligence across their supply chains for human rights and environmental violations, with documented processes for identifying, preventing, and remediating violations. Key frameworks include the UK Modern Slavery Act of 2015, the Australian Modern Slavery Act, the California Transparency in Supply Chains Act, and the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz, or LkSG), in force since January 2023 for companies with 3,000+ employees and expanded to 1,000+ employees from January 2024. The EU Corporate Sustainability Due Diligence Directive (CS3D), originally adopted in 2024 and materially amended by the EU Omnibus I directive in February 2026, now applies to companies with over 5,000 employees and €1.5 billion in turnover, with member states required to transpose it by July 26, 2028 and compliance obligations beginning July 26, 2029. Monitoring in this domain combines survey-based assessment of supplier labor practices with ongoing external intelligence that validates whether representations match operational reality.
    4. Geopolitical Risk: Ecosystem risk is the defining feature of modern sanctions exposure. The April 2026 designations of Hengli Petrochemical and over 40 affiliated shipping entities, sanctioned by OFAC for participation in Iran’s oil shadow fleet, show how regulators increasingly target entire supply chain networks simultaneously: buyer, logistics intermediaries, and vessels. Firms end up exposed through relationships several tiers removed from the primary violation. Cascading tariff and third-party onboarding risk are emerging from a different direction. USTR’s parallel Section 301 investigations, one covering 16 countries for manufacturing overcapacity and a second covering 60 for forced labor enforcement failures, target completion by July 24, 2026, when Section 122 emergency tariffs expire. Companies shifting sourcing in response are onboarding new vendors faster than standard due diligence cycles allow, introducing unvetted relationships into critical supply positions.

Six Geopolitical Triggers Your TPRM Program Should Be Tracking

  • Monitor real-time OFAC, EU, UN, and UK sanctions list changes: flag whether any current vendors or their sub-processors appear on updated lists
  • Screen for secondary sanctions exposure: whether your vendors transact with designated entities or with counterparties in comprehensively sanctioned countries, even if your vendors themselves are not designated
  • Track USTR Section 301 and tariff investigation developments affecting vendor-country relationships
  • Watch for export control changes, data localization mandates, and foreign investment restrictions in jurisdictions where key vendors operate
  • Identify geopolitical instability events — armed conflict, regime change, or government expropriation — in jurisdictions where key vendors or their critical suppliers are concentrated
  • Screen for politically exposed persons (PEPs) and state-owned enterprise (SOE) exposure: PEP screening identifies individuals in or connected to positions of public authority; SOE screening flags government-owned and government-linked entities that may introduce regulatory or reputational risk. Corruption Perception Index (CPI) scores provide additional country-level context for vendor relationships in high-risk jurisdictions.
    5. Fourth-Party and Nth-Party Risk: Fourth parties are the vendors of your vendors. They are not contractually bound to your organization, but they can affect your risk posture significantly. Extending monitoring visibility to fourth parties requires systematic intelligence gathering on the extended supply chain, including passive scanning. Passive scanning should map the technologies fourth parties use and surface that intelligence against your direct vendor profiles to identify concentration risk before it becomes a breach vector.

What Do Regulators Now Require from Third-Party Monitoring Programs?

The frameworks below were written specifically for environments where vendor risk profiles can change materially between annual assessment cycles. Their monitoring requirements presuppose continuous visibility, not calendar-driven snapshots. For organizations in scope, periodic assessment alone is a compliance gap.

DORA, the EU Digital Operational Resilience Act, entered into application on January 17, 2025. Article 28 requires EU financial institutions to maintain a comprehensive register of contractual arrangements with ICT third-party service providers, conduct continuous monitoring of those providers’ compliance, and establish documented exit strategies for critical ICT providers. DORA designates Critical Third-Party Providers (CTPPs) under direct oversight of the European Supervisory Authorities. National Competent Authorities submitted initial ICT registers to the ESAs by April 30, 2025.

The German Supply Chain Due Diligence Act (LkSG), in force since January 2023, requires companies meeting its scope thresholds to implement ongoing human rights and environmental due diligence across direct and indirect supply chains, with documented processes for identifying, preventing, and remediating violations. The Act mandates an annual risk analysis plus immediate reassessment when supply chain conditions change materially.

The UK Financial Conduct Authority and Prudential Regulation Authority’s operational resilience requirements, which took full effect in March 2025, establish impact tolerances for important business services and require demonstrable testing of resilience, including vendor dependencies. Firms must map their important business services to the third-party arrangements that underpin them and demonstrate they can remain within tolerance.

OFAC’s sanctions compliance guidance requires organizations to maintain risk-based compliance programs that include vendor screening.

What Are the Most Common Gaps in Third-Party Monitoring Programs?

  • Risk profiles frozen at onboarding
    Most organizations invest heavily in pre-onboarding due diligence and conduct limited monitoring once a vendor is active. A monitoring program that treats the initial assessment as a fixed state systematically misses the most common driver of vendor risk evolution.
  • Monitoring scoped only to tier-1 vendors
    Organizations with strong direct supplier programs often have no visibility into fourth-party relationships. This is the gap regulators are closing. If your program ends at the first-tier contract, it ends before the risk does.
  • Cybersecurity monitoring treated as the complete solution
    Cybersecurity intelligence is the most mature monitoring capability in most programs but it is also often the most narrowly scoped. Programs built on cybersecurity monitoring alone are blind to the risk categories that drive supply chain disruption and regulatory liability.
  • Alert volume without triage logic
    Without tiered escalation logic organized by vendor criticality and risk domain, monitoring surfaces more noise than insight. Define escalation paths by alert type and vendor criticality tier before the first alert arrives.
  • Geopolitical monitoring treated as ad hoc
    Most programs have no structured process for tracking sanctions list changes or trade policy shifts as they affect specific vendor relationships. Today, that gap is a compliance risk, not an operational shortcoming.

How Do You Build a Third-Party Risk Monitoring Program?

Building an effective program means making the right decisions across six areas, roughly in this order.

  1. Segment your vendor inventory first. Configure monitoring against your criticality and risk tier structure before selecting any tooling. Critical vendors with data access or operational dependency warrant full-spectrum continuous monitoring; lower-tier vendors may need lighter coverage supplemented by periodic assessment. Treat the inventory as a living document: onboarding triggers enrollment, and any material change to vendor scope triggers reassessment of monitoring depth.
  2. Map your monitoring domains before selecting tooling. Match domains to your vendor risk taxonomy. Cybersecurity covers a different profile than financial distress or sanctions screening; programs that default to cybersecurity-only are blind to the regulatory and geopolitical categories that increasingly drive supply chain liability.
  3. Combine outside-in intelligence with inside-out assessment data. Both need to be readable in a single risk view, not managed as parallel processes with separate owners. Source assessment data from questionnaires and audits alongside external intelligence. When a vendor’s self-reported controls diverge from their observable posture, that gap is where your exposure lives.
  4. Define alert triage logic before the first alert arrives. Specify what constitutes a material alert for each risk domain, assign clear ownership, and build escalation paths by alert type and vendor criticality tier. Without tiered logic, continuous monitoring surfaces noise faster than decisions.
  5. Map fourth-party dependencies for your highest-criticality vendors. Prioritize visibility into sub-contractor relationships where fourth parties have direct access to your systems or data, then expand coverage by risk tier.
  6. Integrate monitoring alerts with assessment, remediation, and offboarding workflows. Define which alert types trigger contract review, remediation, or offboarding — and who has authority to act. Offboarding is the most underbuilt integration point in most programs: a vendor relationship that ends without revoking access and confirming contractual closure introduces residual risk that monitoring can no longer address.
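Steps 1, 3, 4 and 6 above describe a tiered triage rule set; the following Python is an added example of what such rules look like once written down, not code from Mitratech or Vendor Threat Monitor. The tier names, severity thresholds, signal vocabulary, escalation paths and sample vendors are all constructed for illustration.

```python
from dataclasses import dataclass, field

# The five monitoring domains described in this article
DOMAINS = ("cybersecurity", "financial_reputational", "labor_esg", "geopolitical", "fourth_party")

@dataclass
class Vendor:
    name: str
    tier: str                 # criticality tier: "critical", "standard" or "low" (assumed names)
    data_access: bool         # vendor holds access to our systems or data
    claims: dict = field(default_factory=dict)  # self-reported controls from the questionnaire

@dataclass
class Alert:
    vendor: str
    domain: str
    signal: str               # monitoring signal name (constructed vocabulary)
    severity: int             # 1 (informational) to 5 (critical)

# Minimum effective severity that triggers each escalation path, per tier.
# Thresholds are constructed for this example, not taken from any product.
ESCALATION = {
    "critical": {"remediation": 2, "contract_review": 3, "offboarding_review": 5},
    "standard": {"remediation": 3, "contract_review": 4, "offboarding_review": 5},
    "low":      {"remediation": 4, "contract_review": 5, "offboarding_review": 6},
}
# Sanctions signals escalate regardless of severity or tier (geopolitical domain)
HARD_STOP_SIGNALS = {"sanctions_designation", "secondary_sanctions_exposure"}
# Outside-in signals that contradict a specific self-reported (inside-out) control
CONTRADICTS = {"credential_leak": "mfa", "exposed_admin_panel": "network_segmentation",
               "unpatched_cve": "patch_management"}

def triage(vendor: Vendor, alert: Alert) -> dict:
    # Route one alert to escalation paths by domain, tier and signal type
    if alert.domain not in DOMAINS:
        raise ValueError(f"unknown risk domain: {alert.domain}")
    sev = alert.severity
    if vendor.tier == "critical" and vendor.data_access:
        sev = min(sev + 1, 5)   # data-access exposure raises the effective severity
    paths = [p for p, floor in ESCALATION[vendor.tier].items() if sev >= floor]
    if alert.signal in HARD_STOP_SIGNALS:
        paths = ["contract_review", "offboarding_review"]
    claim = CONTRADICTS.get(alert.signal)
    drift = bool(claim) and bool(vendor.claims.get(claim))  # posture contradicts the questionnaire
    return {"vendor": vendor.name, "signal": alert.signal, "effective_severity": sev,
            "escalate_to": paths, "drift_from_questionnaire": drift}

def material_alerts(vendors: dict, alerts: list) -> list:
    # Drop alerts that trigger no path; everything that remains needs a named owner
    results = [triage(vendors[a.vendor], a) for a in alerts]
    return [r for r in results if r["escalate_to"]]

# Constructed sample inventory and alert feed
SAMPLE_VENDORS = {
    "PayCo": Vendor("PayCo", "critical", True, {"mfa": True, "patch_management": True}),
    "Freight": Vendor("Freight", "standard", False),
    "PrintShop": Vendor("PrintShop", "low", False),
}
SAMPLE_ALERTS = [
    Alert("PayCo", "cybersecurity", "credential_leak", 3),
    Alert("Freight", "geopolitical", "sanctions_designation", 2),
    Alert("PrintShop", "financial_reputational", "adverse_media", 2),
]
```

Running `material_alerts(SAMPLE_VENDORS, SAMPLE_ALERTS)` keeps the PayCo and Freight alerts and suppresses the low-tier adverse-media item; the PayCo result also carries `drift_from_questionnaire=True` because a credential leak contradicts its claimed MFA control.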

Mitratech’s TPRM platform is built to operationalize each of these steps at scale, from tiered vendor inventory and multi-domain risk monitoring to automated alert triage and offboarding workflows. Vendor Threat Monitor, integrated within Mitratech’s TPRM platform, delivers continuous dark web and threat intelligence surveillance across your vendor portfolio, covering the criminal forums, paste sites, and threat feeds that manual programs miss.

For teams without dedicated TPRM capacity, Mitratech’s Risk Operations Center (ROC) can operationalize these steps on your behalf, from assessment execution through to remediation coordination and ongoing monitoring. For teams building or maturing a third-party risk monitoring function, Mitratech provides the structure to move from point-in-time assessment to continuous, risk-tiered coverage.


Frequently Asked Questions

What is the difference between third-party risk monitoring and vendor risk assessment?
A vendor risk assessment is a periodic, questionnaire-based process that evaluates a vendor’s security controls, compliance practices, and risk posture at a point in time. Third-party risk monitoring is continuous: it gathers externally observable signals about a vendor’s cybersecurity posture, financial condition, reputational standing, and regulatory exposure on an ongoing basis between assessments. The two are complementary: assessments provide depth; monitoring provides continuity.

What types of risk should a third-party monitoring program cover?
A comprehensive program monitors across five domains: cybersecurity (dark web exposure, vulnerability intelligence, credential leaks), financial and reputational risk (adverse media, regulatory actions, financial instability), labor and ESG risk (modern slavery, supply chain due diligence mandates), geopolitical risk (sanctions list changes, secondary sanctions exposure, trade policy developments), and fourth-party risk. Programs that monitor only cybersecurity miss the categories that increasingly drive supply chain disruption and regulatory liability.

Does DORA require continuous third-party monitoring?
Yes. DORA, which entered into application on January 17, 2025, requires EU financial institutions to maintain a comprehensive register of ICT third-party service provider arrangements and to continuously monitor those providers’ compliance. Critical ICT Third-Party Providers (CTPPs) face additional oversight administered directly by the European Supervisory Authorities. Organizations subject to DORA must also document exit strategies for critical providers and conduct ICT concentration risk assessments.

How does geopolitical risk monitoring connect to OFAC sanctions compliance?
OFAC’s enforcement posture has shifted toward gatekeeper liability, holding organizations responsible for sanctions violations that occur through their vendor relationships, not only their direct transactions. A monitoring program that tracks real-time OFAC, EU, UN, and UK sanctions list updates and screens vendors and their sub-processors against those lists is a material component of a defensible sanctions compliance program.

What does effective fourth-party risk monitoring look like?
Fourth-party monitoring starts with mapping: identifying the sub-contractors, suppliers, and service providers that your direct vendors rely on, particularly where those fourth parties have access to systems or data that affect your organization. Monitoring involves intelligence gathering on the extended supply chain — cybersecurity posture, sanctions exposure, operational events — rather than direct questionnaire-based assessment. Organizations should prioritize fourth-party visibility for their highest-criticality vendor relationships first, then expand coverage based on risk tier and regulatory obligation.

Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management company Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.