Many organizations in the Philippines are still behind their Asia-Pacific peers when it comes to managing cyber risks linked to third-party vendors, according to a new study by cyber defense and supply-chain risk management company BlueVoyant.
“Our research shows that Philippine organizations still have work to do to strengthen program foundations and executive alignment to address persistent threats within the third-party ecosystem,” William Oh, head of Asia Pacific at BlueVoyant, said.
BlueVoyant’s sixth annual State of Supply Chain Defense Report found that only 23% of Philippine organizations have put in place well-developed programs to manage cyber risks from vendors and partners. This is lower than the APAC average of 32%. The report also showed that cyber problems tied to supply chains are becoming more common. In 2025, all Philippine respondents said they were affected by at least one cyber incident that came through a third party, up from 84.5% in 2024.
The report looks at how companies around the world check, track, and fix cyber risks that come from outside suppliers. The 2025 study was carried out by independent research firm Opinion Matters and surveyed 1,800 senior executives globally. This included 100 respondents from the Philippines. All respondents were involved in cybersecurity, supply chain oversight, or risk management at companies with more than 1,000 employees.
Third-party cyber risk refers to the danger a company faces when its vendors, suppliers, or other partners have weak or compromised cybersecurity. Even if a company’s own systems are secure, attackers can exploit vulnerabilities in these external organizations to access sensitive data, disrupt operations, or cause financial loss. Common examples include breaches at IT service providers, cloud platforms, or payment processors that handle company information. Managing these risks involves checking vendors’ security practices, monitoring them regularly, and working closely to address any issues before they cause harm.
As companies depend more on vendors for daily operations, managing cyber risks beyond their own systems has become harder. In the Philippines, 64% of organizations said they rarely or only sometimes use special tools to manage third-party cyber risks. This can make it harder to spot problems early.
Cyber incidents linked to vendors continue to disrupt operations. Forty percent of Philippine organizations said they faced between two and five cyber breaches through third parties in the past year. Many also reported internal challenges. A quarter cited resistance to change within the organization, while another 25% pointed to poor coordination among teams. Some also struggled to get vendors to complete security questionnaires or to provide accurate information about their cyber risks.
Most organizations said they try to work directly with vendors to fix security issues. About 63% said they cooperate with third parties during the remediation process, and 23% said they work closely with vendors from start to finish. While this helps build trust, the report noted that larger and more complex vendor networks can still leave gaps in visibility.
Spending on third-party cyber risk management is growing. Almost all Philippine respondents, or 98%, said they increased their budgets over the past year. Commonly outsourced tasks include fixing security issues, preparing reports, and monitoring vendors. Many are also turning to artificial intelligence (AI), with 59% saying AI will be important for ongoing monitoring and 53% planning to use it to handle risk questionnaires.
“Organizations worldwide continue to face the pressing challenge of managing supply chain and third-party cyber risks,” Joel Molinoff, global head of Third-Party Risk Management at BlueVoyant, said. “Increased investment and growing AI adoption are positive steps, but the biggest gains come when third-party cyber risk is embedded into everyday business decisions and not treated as just a compliance exercise.”