Third Party Risk Management for Enterprise: What the Biggest Breaches of 2025 Teach Every Leader

Every business leader knows the feeling of progress: new platforms, new integrations, new partners coming online. Operations get faster. Teams become more productive. Customers get better service. The connected enterprise is a competitive enterprise.

But 2025 delivered a hard lesson. Two landmark incidents, one destroying an airline’s customer trust and the other shutting down a car manufacturer’s factories for six weeks, showed exactly what happens when enterprise third party risk management breaks down. Both attacks came through trusted integrations with third-party vendors, not through the front door. Both caused damage that will take years to repair.

For business leaders, the message is urgent: your organisation is only as secure as the partners and platforms it connects to. Third party risk management is no longer something you can leave to IT. It belongs in the boardroom.

What Is Third Party Risk Management?

Third party risk management (TPRM) is the structured process of identifying, assessing, and continuously monitoring the cybersecurity and operational risks that arise from working with external vendors, suppliers, and service providers. Every third-party relationship, whether a cloud platform, a logistics partner, or an outsourced call centre, is a potential entry point into your organisation’s systems and data.

For enterprises, TPRM has become a board-level discipline. Regulatory frameworks including DORA (the EU’s Digital Operational Resilience Act), GDPR, and ISO 27001 now explicitly require organisations to govern third-party relationships with the same rigour applied to internal systems. Failure to do so carries not just cyber risk, but regulatory and financial exposure.

The scale of the problem is striking. Over 70% of enterprises experienced a significant third-party cyber incident in the past year, according to SecurityScorecard’s 2025 research. The average cost of a breach originating from a third-party system now stands at $4.8 million. As the cases below show, the true cost can be far higher.

Case Study 1: Qantas Airways – When a Trusted Platform Becomes the Threat

On 30 June 2025, Qantas Airways detected unusual activity on a third-party customer service platform used by its Manila-based call centre. What appeared to be an isolated alert quickly became one of the most significant supply chain attacks of the year.

The attackers, a cybercriminal coalition known as Scattered Lapsus$ Hunters, did not breach Qantas directly. They targeted the Salesforce environment shared by Qantas and dozens of other global organisations. Using voice phishing, impersonating IT personnel to convince call centre employees to grant system access, they extracted a large cache of customer data. Qantas publicly disclosed the breach on 2 July and confirmed on 9 July that 5.7 million customers had been affected: names, emails, phone numbers, dates of birth, and frequent flyer details. When ransom demands went unpaid, the data was published on the dark web on 12 October.

The scope stretched well beyond Qantas. The same campaign targeted approximately 40 global organisations sharing the same Salesforce infrastructure, across aviation, retail, and technology. This was not one company’s failure. It was a demonstration of what shared infrastructure risk looks like at scale.

The consequences were swift. The board cut CEO Vanessa Hudson’s short-term bonus by AU$250,000, citing shared accountability. Law firm Maurice Blackburn filed a representative complaint with the Office of the Australian Information Commissioner on behalf of affected customers. Under Australia’s reformed Privacy Act, potential penalties could reach AU$50 million or significantly more, up to 30% of annual turnover, depending on how the regulator classifies the breach. The reputational fallout continued for months.

Qantas’s core systems held. The breach came through a trusted integration, a vendor relationship built on access that was never actively monitored. Trust without governance is not a security posture.

Case Study 2: Jaguar Land Rover – When Third Party Risk Becomes National Economic Risk

In late August 2025, a group identifying itself as Scattered Lapsus$ Hunters exploited known vulnerabilities in SAP NetWeaver, the enterprise resource planning platform connecting manufacturing, supply chain, finance, and HR at thousands of large organisations worldwide. For Jaguar Land Rover, SAP NetWeaver was not a peripheral system. It was the operating backbone of the business.

The attack brought JLR’s factory production to a halt. Production did not resume until 8 October, a shutdown of more than six weeks, with normal output not returning until mid-November. JLR employs over 39,000 people directly and supports an estimated 200,000 across its supply chain. The consequences cascaded through thousands of businesses, with some suppliers reducing pay or laying off staff.

The Cyber Monitoring Centre classified the incident as a Category 3 systemic event and estimated the total UK economic impact at £1.9 billion ($2.5 billion). The Bank of England cited the attack in its November 2025 Monetary Policy Report as a direct contributor to slower-than-expected GDP growth, noting that JLR’s production stoppage shaved 0.17 percentage points from GDP in September alone. It is the most expensive cybersecurity incident in British history.

JLR was not compromised through recklessness. It was compromised through a vulnerability in a deeply embedded third-party platform, one it depended on, trusted, and had no real-time visibility into when the attack began.

The Pattern Every Enterprise Leader Must Recognise

Read these two cases together and the pattern is hard to ignore. In both, the entry point was a trusted third-party connection. The breach went undetected long enough to cause serious harm. The consequences (financial, regulatory, reputational, and operational) extended far beyond what any single team could absorb.

This is the defining characteristic of modern enterprise risk: your attack surface is no longer your firewall. It is every vendor, every platform, and every integration that touches your data or systems. Third party risk management is not a technical boundary to defend. It is a business relationship to govern.

A Practical Enterprise TPRM Framework: Four Priorities

The organisations that emerge from incidents like these with the least long-term damage are not simply lucky. They asked the hard questions before the breach.

1. Map your integration landscape

Most executives can name their top vendors. Very few can say, with confidence, how many active integrations their business runs, what data moves through each one, and who has access to what. That visibility gap is where attackers operate. A complete, regularly updated vendor inventory is the foundation of any enterprise TPRM programme.

2. Govern vendor access as a live risk

Access granted to a third party is not a one-time decision. It requires regular review, tight controls, and immediate revocation when a relationship changes or ends. Both Qantas and JLR were exposed by access that existed but was not actively monitored. Continuous monitoring, not annual reviews, is the standard that protects you.
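Priorities 1 and 2 together amount to a check that can be run continuously rather than once a year. The following is an added example, not code from the article or any vendor: it reviews a constructed integration inventory and flags access that outlived the relationship, reviews that are overdue, and enabled access with no observed use. The field names, thresholds and sample entries are assumptions for illustration.

```python
# Added example: a minimal continuous-review check over a third-party integration
# inventory. Thresholds, field names and sample entries are constructed assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_MAX_AGE = timedelta(days=90)   # assumed policy: review every integration quarterly
DORMANT_AFTER = timedelta(days=30)    # assumed policy: enabled but unused for a month is suspect

@dataclass
class Integration:
    vendor: str
    data: str                  # classification of the data flowing through the integration
    access_enabled: bool       # does the vendor currently hold live access?
    relationship_active: bool  # is the contract/relationship still in force?
    last_reviewed: date        # last formal review of the access scope
    last_used: Optional[date]  # last observed use of the access; None = no telemetry

def review_integration(i: Integration, today: date) -> list:
    """Return the findings for one integration (an empty list means no action needed)."""
    findings = []
    if i.access_enabled and not i.relationship_active:
        findings.append(f"relationship ended but access to {i.data} still enabled: revoke")
    age = today - i.last_reviewed
    if age > REVIEW_MAX_AGE:
        findings.append(f"access review overdue by {(age - REVIEW_MAX_AGE).days} days")
    if i.access_enabled and i.last_used is None:
        findings.append("access enabled but no usage telemetry: not monitored")
    elif i.access_enabled and today - i.last_used > DORMANT_AFTER:
        findings.append("access enabled but dormant: stale credential or unused integration")
    return findings

def review_inventory(inventory: list, today: date) -> dict:
    """Map each vendor with at least one finding to its list of findings."""
    report = {}
    for item in inventory:
        findings = review_integration(item, today)
        if findings:
            report[item.vendor] = findings
    return report

# Constructed sample inventory, for illustration only.
TODAY = date(2025, 10, 1)
INVENTORY = [
    Integration("contact-centre-saas", "customer-pii", True, True, date(2025, 1, 15), date(2025, 9, 30)),
    Integration("logistics-partner-api", "order-data", True, False, date(2025, 6, 1), date(2025, 7, 20)),
    Integration("erp-platform", "operational", True, True, date(2025, 9, 10), None),
    Integration("payroll-provider", "employee-pii", True, True, date(2025, 9, 20), date(2025, 9, 29)),
]

if __name__ == "__main__":
    for vendor, findings in review_inventory(INVENTORY, TODAY).items():
        print(vendor, findings)
```

Run against a real inventory, the same check would be fed from the identity provider's access records and the integration's usage logs rather than hand-entered dates.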

3. Make third party risk a board-level accountability

Following the Qantas breach, the board reduced executive bonuses and cited shared accountability. That is the right instinct. When governance fails at the integration layer, it is a business failure, not a technical one. Enterprise third party risk management belongs on the board agenda alongside financial and operational risk.

4. Test your incident response plan before you need it

Speed of detection and containment determines how much damage you absorb. Organisations that suffer least from third-party incidents are those with rehearsed response plans that specifically account for vendor and integration failures. According to IBM’s Cost of a Data Breach Report, organisations with tested incident response plans contain breaches an average of 54 days faster than those without. Build and test that plan now.

The Regulatory Dimension: TPRM as a Compliance Requirement

Enterprise leaders in regulated industries face an added dimension: legal obligation. Three frameworks to know:

DORA (EU Digital Operational Resilience Act) requires financial services organisations to maintain full registers of third-party ICT providers and demonstrate operational resilience across their vendor ecosystem. It is now in force.

GDPR holds organisations liable for data processed by third-party vendors on their behalf. A vendor breach can trigger GDPR penalties against your business, not just the vendor.

ISO 27001, the leading information security standard, requires documented third-party risk controls as part of certification.

Regulatory compliance is no longer a reason to implement TPRM. It is the minimum baseline.

Third Party Risk Management as Competitive Advantage

There is a stronger case to make here than avoiding disaster. Enterprises that get third party risk management right in 2026 will hold a genuine competitive advantage. Enterprise clients choose partners they can trust. Regulators reward organisations that demonstrate proactive governance. In a market where a single supply chain attack can expose 40 companies at once, the ability to demonstrate rigorous vendor oversight is a differentiator that cannot be replicated by price alone.

Qantas and Jaguar Land Rover paid an enormous price for gaps in their integration governance. The investment required to close those gaps, in visibility, monitoring, response capability, and board accountability, is a fraction of what a breach costs. More importantly, it positions your business as one that earns trust at every level: with clients, with regulators, and with the partners who choose to work with you because of it.

The connected enterprise is here to stay. The question is not whether to connect. It is whether you are governing those connections with the rigour they demand. In 2026, every enterprise leader must have an answer to that question.
