Supply chain vulnerabilities are a major challenge for cyber resilience: an analysis of the WEF report


The World Economic Forum (WEF) released the fifth edition of its Global Cybersecurity Outlook report, which highlights the most significant obstacles that companies all over the world face in securing their assets and operations against cyberattacks.
The cybersecurity practices of business partners are a key topic this year, as the document has a section dedicated to supply chain concentration risks. Still, valuable insights about third-party risk are sprinkled throughout the entire report.
The 2026 report is based on a survey that received responses from 873 participants from 99 countries. In addition, data was collected from a 60-minute workshop with 21 executives, as well as polls posed to the attendees of the Forum’s Annual Meeting of the Global Future Councils and Cybersecurity.
This blog post will focus on the data regarding third-party cyber risk, but it's worth pointing out that the report is also valuable for executives who lead global companies or are working to expand their businesses to new markets and are looking to understand regional differences in the cybersecurity landscape.
While the report can be freely downloaded from the WEF's website, we invite you to stay with us a little longer as we go over the key insights related to third-party cyber risk.
Supply chain vulnerabilities: the most cited challenge by CEOs of resilient businesses
One of the questions posed by the WEF survey was: "What is your organization's greatest challenge to becoming cyber resilient?" Among the CEOs who are confident in their organization's cyber resiliency, 78% picked "third-party and supply chain vulnerabilities" as one of the three selections they could make. It was the most cited challenge in this group.
It is also the most cited challenge by large companies, at 65%, up from 54% last year.
Across all organizations, it was the second most common challenge among the top three, selected by 46% of all survey respondents.
The report also found that 65% of respondents believe the risk of supply chain disruptions has increased. Notably, companies in the high resilience group had supply chain disruption as their top cyber risk concern, even though 74% already assess the security maturity of suppliers.
Less resilient businesses rank supply chain disruptions in fifth place, being more worried about ransomware attacks or software vulnerabilities, yet only 48% of these companies assess the maturity of their suppliers.
The report further investigated how companies perceive different types of supply chain risks, asking respondents to pick one out of five risks as the "main supply chain risk." The most common choice was inheritance risk, which the report describes as "the inability to assure the integrity of third-party software, hardware and services."
However, the report provides an insightful breakdown of the different risks by industry, showing that in quite a few areas (namely financial services, manufacturing, and infrastructure) the most common risks are visibility and concentration risk.
The report describes visibility risk as "lack of visibility into extended supply chain," while concentration risk is "too great dependence on critical third-party suppliers."
At Tenchi Security, we’ve also observed a growing sense in the market of limited visibility into third parties. Large organizations struggle to maintain an accurate inventory of third parties classified by the level of risk they pose to the business.
Moreover, assessment methodologies based on questionnaires or “independent” audit reports do not give third-party risk management teams confidence that they truly have a correct and in-depth view of their vendors’ real security posture. That’s exactly where we’ve been helping our customers: by building risk management programs that effectively address these challenges.
This leads us to our next topic: technology. As noted by the report in a few sections and in other data points, companies often feel pressured by emerging technologies, like cloud computing and AI. Without the proper tools to assess the security and the means to deploy this technology safely, companies can find themselves in unfamiliar (and potentially unsecured) territory.
For almost all survey respondents (94%), AI is going to be a major driver of change in cybersecurity, for both defenders and, unfortunately, attackers. But cloud computing is still a significant concern, with 61% of respondents also selecting it as one of the three choices they could make to answer this question.
While some businesses may be further along in deploying and securing their cloud infrastructure, it's important to remember that not all partners are in the same position. Divides like this lead to what the report calls "cyber inequity," an issue that can be addressed through collaboration.
One of the key differentiators of Zanshin, our proprietary technology, is precisely its ability to enable continuous, in-depth visibility into the real security posture of third parties in an automated way. This includes assessments of cloud security and third parties’ use of AI.
Collaboration as the key to success
"Across these four years and leading into the fifth, one theme stands out: collaboration has become indispensable in a fragmented world facing rising threats, a widening tech divide and growing inequity that risk deepening the cyber resilience gap."
— Global Cybersecurity Outlook 2026, page 9
In its introduction, the Cybersecurity Outlook states that the need for collaboration is the one theme that stood out across the years. But are companies following this advice?
When it comes to addressing supply chain risk, the most common responses to the WEF survey involved some form of check during procurement or a maturity assessment. However, fewer businesses cooperate directly with their suppliers.
For instance, while 74% of highly resilient businesses assess the maturity of their suppliers, only 53% share information on threats with their partners, and 40% align their resilience strategy with them. In companies deemed to have insufficient resilience, the percentages are all lower, as expected: 48%, 31%, and 26%, respectively.
The most noteworthy divide between these two groups is in cyber incident planning and recovery exercises: 44% of resilient companies work with their partners on this task, while only 16% of non-resilient ones do.
We see a pattern here: ongoing cooperation and data sharing are less common than point-in-time assessments in specific situations.
In the Annual Meeting of the Global Future Councils and Cybersecurity 2025, which is a smaller dataset also used by the report, 65% of participants said their organizations provide training or support to less-resourced partners. However, only 34% did so in a way that was formal or structured.
If participants in this meeting are more engaged with cybersecurity than the average participant in the survey, then the actual share of companies that offer support or guidance to their partners must be even lower.
The report explains that differences in "skills, resources and available digital infrastructure and governance frameworks" (a list to which we add the security poverty line) create an imbalance where some companies are unable to sustain even a baseline level of cybersecurity.
Cooperation is key to overcoming this "cyber inequity" in third-party cyber risk management. As companies with a higher level of maturity share their resources and expertise, they help lift the whole ecosystem.
At Tenchi, we help third-party cyber risk management (TPCRM) programs become more collaborative. We don’t operate as an audit-driven tool that benefits only the first party. Instead, we enable organizations to support their third parties in improving their security posture through a combination of technology and specialized expertise, creating a true win-win scenario.
On average, when a third party adopts our product at the request of a first party, more than 80% of the critical and high-severity issues identified by Zanshin are resolved within the first eight weeks of use. This leads to a meaningful reduction in risk that benefits the entire ecosystem.
Geopolitical risks and regulations
The report sheds some light on how geopolitical risks and regulations also had an impact on third-party risk.
Geopolitics has become a significant factor for decision makers, with 91% of large companies (over 100,000 employees) responding that their cybersecurity strategy has changed in some way due to geopolitical volatility.
Most importantly for our analysis, 19% of respondents say their organizations have changed or are changing vendors due to geopolitical considerations. Among CEOs of highly resilient organizations, this figure rises to 30%.
For some private businesses and governments, geopolitical changes have brought along concerns over "digital sovereignty" or "cyber sovereignty." Through this lens, institutions and businesses must seek to avoid concentration risk and rely more on local partners.
Other regulations have demanded increased oversight of suppliers to critical infrastructure, banking, and other industries.
Perhaps in part due to this, 18% of respondents to the WEF survey said they have a negative view of cybersecurity regulations when it is "difficult to ensure third-party vendors comply with relevant requirements."
Still, most respondents see regulations as beneficial, especially those who work for more resilient businesses, where 79% hold a positive view of cyber-related regulations.
Together, geopolitics and regulations have certainly changed the business environment, which has had an impact on third-party risk management. But, as the report puts it, these challenges should serve as "triggers for renewed threat modelling and vendor-risk reassessment."
We already have a post dedicated to geopolitics and third-party cyber risk management, and we believe the points we made have aged well in light of the findings of the latest WEF report.
Understanding your suppliers
The Cybersecurity Outlook report covers more than supply chain risk. It brings insights regarding the impact of board engagement with cybersecurity risks, and the difference in priorities between CEOs and CISOs.
While it's true that these issues are not strictly related to third-party risk, businesses will eventually trend toward partnering with organizations whose leadership has varied backgrounds and perspectives, which are often inseparable from their cybersecurity culture and regional challenges. Therefore, even seemingly unrelated cybersecurity insights can be valuable to secure our supply chains.
You can read the report on the World Economic Forum's website.
Third parties and external vendors expand the attack surface and can expose your organization to invisible risks. Zanshin is the only global TPCRM solution that provides both inside-out and outside-in visibility, combining external attack surface monitoring with automated, continuous, and non-intrusive assessments of cloud infrastructure (IaaS, PaaS, SaaS) and other security controls.


