Every May, the security industry waits for one report more than any other: the Verizon Data Breach Investigations Report. For nineteen years the DBIR has been the closest thing the field has to an actuarial table, built on tens of thousands of real incidents rather than survey opinions. When the DBIR says a pattern is changing, it is worth changing your strategy to match.
The 2026 edition, released on May 19, delivered a finding that should reshape how organizations think about vendor risk: a third party was involved in 48% of breaches — a 60% increase year over year. Put plainly, nearly half of all breaches now reach through someone else's door. Third-party risk is no longer a specialized subdiscipline of security. It is the breach.
The Headline Number, In Context
The jump to 48% did not come out of nowhere. It follows a previous year in which third-party involvement had already roughly doubled to around 30%. Two consecutive years of sharp increases turn what might have looked like a blip into an unmistakable trend: attackers are systematically routing through the supply chain because it works. Compromise one well-connected vendor, and you gain a path into all of its customers at once.
The pain is not evenly distributed. The DBIR found the effect even more pronounced for smaller organizations, where third parties were involved in a majority of breaches. That makes sense: small and mid-sized businesses run on other people's software and services almost entirely, which means their attack surface is overwhelmingly made of third parties they do not control and cannot fully inspect.
The Other Finding That Should Worry TPRM Teams
The 2026 DBIR also reported that exploitation of vulnerabilities had become a leading path into breaches, with the report describing vulnerability exploitation surpassing stolen credentials as an initial access vector for the first time in nearly two decades — involved in roughly 31% of breaches. Verizon paired that finding with a warning that attackers are using AI to accelerate the time between a vulnerability becoming public and it being weaponized, compressing the defender's window "from months to mere hours."
Stack those two findings together and a clear picture emerges. Attackers are increasingly getting in by exploiting unpatched software, and they are increasingly doing it through third parties. That is not two separate problems — it is one problem wearing two hats. The unpatched, internet-facing system that lets an attacker in often belongs to a vendor, not to you.
What This Means For Your TPRM Strategy
1. Move budget and attention to match the data
If half your breach risk arrives through third parties, your program's effort should reflect that. For many organizations the security budget is still overwhelmingly inward-facing — endpoint, network, identity — with vendor risk handled by a thin team drowning in spreadsheets. The DBIR is a quantitative argument for rebalancing. Third-party risk is not where you spend what is left over; it is where roughly half the incidents originate.
2. Stop relying on point-in-time questionnaires
A vulnerability that goes from disclosure to exploitation in hours cannot be managed by an annual questionnaire. By the time a vendor fills out next year's form, the exposure that mattered has come and gone. The DBIR's compressed timelines are a direct argument for continuous monitoring over annual reviews — watching your vendors' real external posture between assessments, not just collecting their self-attestations once a year. This is exactly why questionnaire-only TPRM is broken.
3. Prioritize on evidence of exploitation, not theory
With vulnerability exploitation now a top access vector, the question "is one of my vendors exposing something attackers are actively using?" becomes central. That is precisely what the free CISA Known Exploited Vulnerabilities catalog answers. Correlating KEV entries against your vendors' internet-facing assets turns the DBIR's macro finding into a concrete, prioritized worklist for your own program.
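One way to turn that correlation into a worklist, as an added example that is not the page's or Fair TPRM's own code: a small Python script that joins KEV entries (using the live feed's field names, but with constructed placeholder CVE ids, vendors and hosts) against a constructed vendor asset inventory and ranks matches by ransomware use, CISA due date and vendor criticality.

```python
"""Join CISA KEV entries with vendors' internet-facing assets into a prioritized
worklist (added example). Field names follow CISA's known_exploited_vulnerabilities.json
feed; every CVE id, vendor, product and host below is a constructed placeholder."""
from datetime import date
# Constructed stand-in for the live feed at
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2026-05-10", "dueDate": "2026-05-31", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleCMS", "product": "Portal",
     "dateAdded": "2026-03-01", "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Unknown"},
]}

# Constructed vendor inventory: software each vendor exposes to the internet,
# as an external-posture scan would report it. tier 1 = most business-critical.
VENDOR_ASSETS = [
    {"vendor": "Payroll Co", "tier": 1, "host": "vpn.payroll.example",
     "vendorProject": "ExampleVPN", "product": "Gateway"},
    {"vendor": "Marketing Agency", "tier": 3, "host": "www.agency.example",
     "vendorProject": "ExampleCMS", "product": "Portal"},
    {"vendor": "Payroll Co", "tier": 1, "host": "api.payroll.example",
     "vendorProject": "ExampleCRM", "product": "Suite"},   # exposed, but not in KEV
]
AS_OF = date(2026, 5, 20)   # constructed "today" for the deadline check

def priority(entry, asset, today):
    """Score: KEV-listed base + ransomware use + past CISA due date + vendor tier."""
    score = 10
    if entry["knownRansomwareCampaignUse"] == "Known":
        score += 5
    if today > date.fromisoformat(entry["dueDate"]):
        score += 3          # CISA's remediation deadline has already passed
    return score + (4 - asset["tier"])

def build_worklist(kev, assets, today):
    """Return every vendor asset matching a KEV entry, highest priority first."""
    index = {(v["vendorProject"].lower(), v["product"].lower()): v
             for v in kev["vulnerabilities"]}
    worklist = []
    for asset in assets:
        entry = index.get((asset["vendorProject"].lower(), asset["product"].lower()))
        if entry is None:
            continue        # no evidence of active exploitation: lower on the list
        worklist.append({"vendor": asset["vendor"], "host": asset["host"],
                         "cveID": entry["cveID"], "dueDate": entry["dueDate"],
                         "score": priority(entry, asset, today)})
    return sorted(worklist, key=lambda w: -w["score"])

if __name__ == "__main__":
    for item in build_worklist(KEV_SAMPLE, VENDOR_ASSETS, AS_OF):
        print(item)
```

Matching on vendorProject/product is deliberately simple; a production version would also compare the version the scan observed against the affected range from the vulnerability advisory.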
4. Translate the trend into financial terms leadership understands
A board does not act on "48%." It acts on expected loss. Use the DBIR's data as the likelihood input to a FAIR risk quantification of your vendor portfolio: if industry-wide third-party involvement is rising this fast, the probability side of your risk equation is moving, and the true cost of a third-party breach makes the impact side concrete. That is how you turn a headline statistic into a funded program.
| 2026 DBIR Finding | Figure |
|---|---|
| Breaches involving a third party | 48% (up roughly 60% year over year) |
| Prior-year third-party involvement | ~30% (itself a near-doubling from the year before) |
| Vulnerability exploitation as initial access | ~31% of breaches — surpassing stolen credentials for the first time in ~19 years |
| Speed of weaponization | AI compressing exploit timelines "from months to mere hours" |
| Strategic implication | Continuous, evidence-based monitoring of vendors — not annual questionnaires |
From Annual Report To Standing Strategy
It is tempting to read the DBIR once, nod at the scary numbers, and move on. The more useful response is to treat its trend lines as a planning input. For three straight years the third-party share of breaches has climbed, and the time available to react to new vulnerabilities has shrunk. A TPRM program built for the world of 2020 — annual reviews, questionnaire scores, a small team, point-in-time snapshots — is structurally mismatched to the world the DBIR is describing. The organizations that adapt will be the ones that treat vendor risk as continuous, evidence-driven, and quantified. The data has made the case; the strategy just has to catch up.
Build a Program That Matches the Data
Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification — designed for continuous, evidence-based third-party risk rather than once-a-year questionnaires.
Sources & References
- 2026 Data Breach Investigations Report (DBIR) - Verizon Business
- Breach risk is industry-wide, 2026 DBIR finds - Verizon News
- Verizon 2026 DBIR: Vulnerability exploitation is the dominant initial access vector - Help Net Security
- Known Exploited Vulnerabilities Catalog - CISA