C-Risk statistics

Cyber Risk Management Statistics 2025-2026: Key Data & Trends

This collection of statistics from the latest industry surveys and reports offers a clear, data-driven look into the current cyber risk landscape & how risk and security leaders are using technology to get ahead.

Third-Party Risk Management Statistics

Third-party cyber risk management is critical to organizational resilience. As third parties gain access to critical assets, businesses must be able to identify, prioritize, & manage vendors effectively.

Third-Party Cyber Risk Assessments

+100

44% of organizations assess more than 100 third parties each year.
(RiskRecon, The state of TPRM, 2024)

4%

Only 4% of organizations have high confidence that their third-party questionnaires match the reality of the third-party risk. (RiskRecon, The state of TPRM, 2024)

4 out of 10

Nearly four in ten companies use multiple questionnaires for different risk domains and send an average of 55 questionnaires to third parties. (2025 EY Global Third-Party Risk Management Survey)

Third-Party Cyber Risk Challenges

57%

Operational and financial risk are the top considerations for monitoring third parties.
(2025 EY Global Third-Party Risk Management Survey)

24%

Nearly a quarter of organizations suffered security incidents caused by third parties in 2024, a significant increase from just 9% in 2020. (RiskRecon, The state of TPRM, 2024)

40%

Cyber insurance data confirms that 40% of breach claims involve a third party.
(Resilience 2024 Cyber Risk Report)

Emerging Trends in TPCRM

One-Size-Fits-All Questionnaires Don't Work

While organizations are investing heavily in third-party programs, the reliance on questionnaires and self-reporting is not delivering meaningful risk insights, leaving companies with low confidence in their third-party risk posture.

Insurance Signals a Shift

Insurers and companies alike are pushing for stronger third-party controls, better vendor prioritization, and more defendable risk data.

Using Technology to Scale

Quantitative third-party cyber risk management platforms can help organizations scale and prioritize their third-party controls with continuous monitoring and cyber threat intelligence.

AI in Business Statistics

AI is rapidly reshaping cyber risk management, offering powerful capabilities to detect threats, reduce breach impact, and automate security processes. However, these advancements also introduce new risks such as deepfakes and data poisoning that demand greater vigilance.

Strategic Use of Artificial Intelligence

≈100

Organizations extensively using security AI and automation identified and contained data breaches nearly 100 days faster on average than organizations that didn't use these technologies.
(IBM, Cost of a Data Breach Report 2024)

89%

89% of security leaders believe AI and machine learning are important for improving their security posture.
(Scale Venture Partners, Cybersecurity Perspectives 2024)

47%

47% of organizations are prioritizing AI-specific skilling of their existing workforce. (2025 Microsoft Work Trend Index Annual Report)

Employee Use of AI Tools

42%

42% of respondents said they turn to generative AI tools over colleagues because AI is available 24/7.
(2025 Microsoft Work Trend Index)

78%

78% of AI users are bringing their own tools to work, a trend known as Bring Your Own AI (BYOAI).
(Microsoft and LinkedIn, Work Trend Index 2024)

27%

27% of organizations that use gen AI say that employees review all content created by gen AI before it is used. (McKinsey Global Survey on AI 2024)

Emerging Trends for AI in Business

Data Integrity is a Central Factor

Poisoned datasets, unauthorized data exposure, or subtle manipulation can compromise model behavior, creating risks that are hard to detect and reverse.

Wide Adoption of AI Tools

Organizations are integrating AI tools across departments to boost productivity. This widespread adoption increases risks from shadow AI, as employees deploy unauthorized AI tools without proper oversight.

AI Policies and Governance

AI policies and AI governance frameworks will guide internal usage and help with compliance efforts for emerging AI regulatory requirements.

CISO Top Risk & Control Prioritization Statistics

CISOs face mounting pressure to demonstrate security value while managing increasingly complex threat landscapes. With limited resources and growing attack surfaces, security leaders must strategically prioritize controls that deliver maximum risk reduction and business protection.

Prioritization of Internal Controls

$258k

AI & machine learning driven insights were a mitigating factor in the average cost of a data breach, reducing the average cost by $258,538. (IBM, Cost of a Data Breach Report 2024)

66%

66% of CISOs in the US identified human error as the top cyber vulnerability for organizations.
(SOC Radar)

84%

84% of employees who received a phishing email took the bait within the first 10 minutes, replying with sensitive information or interacting with a fake link or attachment.
(CISA, Phishing Infographic)

Data Protection & Communication Challenges

46%

Nearly half of all breaches in 2024 involved personally identifiable information (PII), making it the most common type of data stolen or compromised.
(IBM, Cost of a Data Breach Report 2024)

58%

58% of CISOs struggle to communicate technical language to senior leadership in a way that they can understand. (FTI CISO Redefined)

+45

In a survey of large organizations, security teams use an average of 45 cybersecurity tools.
(Gartner Cyber Trends 2025)

CISO Risk Prioritization Trends

Support for Internal Training Programs

Security awareness training has become a critical investment as human error remains the top vulnerability.

Closing the Cybersecurity Communications Gap

CISOs are developing new approaches to translate technical risks into business language that resonates with executives and board members. This includes cyber risk quantification (CRQ) and dashboard-driven reporting that connects security investments to business outcomes.

Optimization of Cybersecurity Technology

Organizations are focusing on unified platforms and eliminating tool redundancies to improve efficiency and reduce complexity while maintaining comprehensive coverage.
