Singapore leads in third-party cyber risk, yet breaches rise
Singapore organisations report some of the strongest third-party cyber risk management maturity in the world, yet most still suffer supply chain-related breaches, according to new research from cybersecurity firm BlueVoyant.
The company's latest State of Supply Chain Defence Report finds 60% of organisations surveyed in Singapore have what they describe as established or optimised third-party risk management programmes. This rate is nearly double the Asia-Pacific average. It is also higher than reported levels in the US market, which has often been viewed as a benchmark for cyber risk practices.
Despite this maturity, 93% of Singapore respondents say they have faced negative impacts from a cyber incident linked to a supplier. This is up from 70% in the previous year's findings. The study links the rise to a mix of increasing attack volumes and better detection.
BlueVoyant specialises in cyber defence and supply-chain risk monitoring. It commissioned independent research firm Opinion Matters to survey 1,800 C-suite leaders around the world. The sample includes 300 senior executives from organisations in Singapore with more than 1,000 employees and responsibility for cybersecurity, supply chain oversight or enterprise risk.
High maturity, high exposure
The report describes Singapore as a global leader in third-party risk management, often referred to as TPRM. Six in ten organisations say they have formalised and refined programmes in place. This proportion is the highest in Asia-Pacific and among the strongest globally.
The findings also show that supply chain cyber incidents remain common. Almost half of Singapore organisations, or 48%, report between two and five breaches via third parties over the past year. A further 36% report a single breach.
BlueVoyant says this means more than 56% of organisations experienced multiple vendor-related breaches during the period. The study links these incidents to expanding vendor ecosystems and growing operational reliance on external providers.
William Oh, Head of Asia Pacific at BlueVoyant, says Singapore's status as a technology and innovation hub shapes its approach. "As one of the leading hubs for technology and innovation in Asia, Singapore continues to set the benchmark for advanced TPRM programs," he said. "But this year's findings show that maturity alone doesn't guarantee protection. Even with the country's proactive approach, strong frameworks and sustained government-industry collaboration, more than 56% of organisations experienced multiple third-party breaches. The challenge has shifted from building these programs to ensuring they operate effectively day-to-day amid expanding vendor ecosystems."
Leadership focus
The research points to frequent engagement at senior levels. Almost one-third of respondents, or 32%, say they brief top executives on third-party cyber risk monthly or more often. The study links this rhythm of communication with faster incident response and closer alignment across business units.
Organisations in Singapore are also planning higher spending. The report finds 98% intend to increase investment in TPRM over the next 12 months. This compares with 90% who said the same in the previous cycle.
Many organisations make use of external expertise for analysis. Some 45% say they outsource the review of data and results from third-party monitoring tools. The report connects this practice with the volume of information created by continuous oversight of vendors.
AI and automation
Survey respondents in Singapore report growing interest in artificial intelligence for supply chain security. Around 64% identify AI as the best-suited technology for continuous monitoring in the coming year. They view automation as important given that their external attack surface is growing.
The study highlights a shift from basic vendor assessments towards ongoing scrutiny of third parties. Continuous monitoring involves regular scanning of vendors' digital footprints and security posture. It also involves faster flagging of changes that might indicate new vulnerabilities.
As third-party networks expand, organisations expect further complexity. Two-thirds of respondents, or 67%, expect their supplier and partner ecosystems to grow by between 6% and 15%. This expansion increases the number of external entities that connect into core systems or handle sensitive data.
Remediation is also a focus area. The report notes that 42% of Singapore organisations rely on outsourcing for remediation and for working with vendors on migration plans. This includes support with fixing identified security gaps and shifting workloads or services when risks remain unresolved.
Global benchmark
The State of Supply Chain Defence Report functions as a global benchmark for practices around third-party cyber risk. It examines how organisations assess suppliers, track security performance and act after they discover issues.
Respondents reflect a range of sectors and include only organisations with more than 1,000 staff. The study focuses on senior leaders with direct responsibility for cybersecurity controls, supply-chain oversight and enterprise risk management.
Oh says the findings show a need for deeper integration of third-party cyber risk into business strategy. He points to the growing role of leadership and automation in the most mature programmes.
"As supply chains grow more complex, tools and collaboration aren't enough on their own. Organisations need continuous visibility into vendor risk and leadership engagement that drives real accountability. We're seeing increased investment and strong momentum behind AI adoption, but the biggest gains come when third-party cyber risk becomes part of everyday business decisions not just a compliance exercise. That's where Singapore's most mature organisations are pulling ahead," said Oh.