New research shows that Singapore organisations report some of the highest levels of third-party cyber risk management maturity worldwide, even as most continue to experience supplier-related cyber incidents.
BlueVoyant’s latest State of Supply Chain Defence Report finds that 60% of surveyed organisations in Singapore describe their third-party risk management (TPRM) programmes as “established” or “optimised.” This proportion is nearly twice the Asia-Pacific average and higher than reported levels in the US market, which is often treated as a benchmark for cyber practices.
The research was conducted by independent firm Opinion Matters on behalf of BlueVoyant. It covers 1,800 C-suite leaders globally, including 300 senior executives from Singapore-based organisations with more than 1,000 employees and responsibility for cybersecurity, supply chain oversight, or enterprise risk management. William Oh, head of Asia-Pacific at BlueVoyant, linked the country’s broader role in technology to its approach. “As one of the leading hubs for technology and innovation in Asia, Singapore continues to set the benchmark for advanced TPRM programs. But this year’s findings show that maturity alone doesn’t guarantee protection,” Oh said, as reported by Security Brief Asia.
Despite this reported maturity, supply chain cyber incidents remain widespread. BlueVoyant’s study shows that 93% of Singapore respondents experienced negative impacts from a cyber incident connected to a supplier, up from 70% in the previous year. The report attributes this increase to a combination of more frequent attacks and improvements in detection and reporting. Over the past 12 months, 48% of organisations in Singapore reported between two and five breaches via third parties, while 36% reported one incident. BlueVoyant notes that more than 56% of organisations experienced multiple vendor-related breaches, reflecting expanding vendor ecosystems and continued operational reliance on external providers.
For cyber insurers, MGAs, and reinsurers active in Asia, the data underscores that even well-structured TPRM frameworks do not eliminate exposure. The pattern of multiple breaches across vendor networks has direct relevance for underwriting of contingent business interruption, technology errors and omissions, and standalone cyber policies featuring supply chain triggers or dependencies on critical service providers.
The research indicates that third-party cyber risk is regularly escalated to senior leadership in Singapore. Around 32% of respondents said they brief top executives on third-party cyber exposure at least monthly, suggesting that vendor-related security has become part of ongoing board and C-suite oversight rather than an occasional reporting item.
Spending intentions are also shifting. Ninety-eight per cent (98%) of organisations surveyed in Singapore plan to increase investment in TPRM over the next 12 months, compared with 90% in the previous cycle. As programmes expand, many firms are using external partners to help manage the operational workload: 45% of respondents said they outsource analysis of data and results generated by third-party monitoring tools.
Remediation activity is another area where outside expertise is engaged. According to the report, 42% of Singapore organisations outsource some or all remediation work with vendors. This includes addressing identified security gaps and, where risks remain unresolved, supporting workload or service migrations away from higher-risk providers.
Technology adoption is playing a growing role in how Singapore organisations manage third-party cyber risk. Sixty-four per cent (64%) of respondents identified artificial intelligence as the technology they see as best suited to continuous monitoring of suppliers over the coming year, reflecting the volume of signals produced by ongoing oversight of vendor environments. BlueVoyant’s findings point to a shift from basic, point-in-time vendor assessments toward continuous monitoring of suppliers’ external attack surfaces and security posture. This approach is used to identify configuration changes, emerging vulnerabilities, and other indicators that could precede an incident.
At the same time, vendor ecosystems are expected to grow. Two-thirds of Singapore respondents (67%) anticipate their supplier and partner networks will expand by between 6% and 15%. This growth increases the number of external entities connecting to core systems or handling sensitive data, with implications for aggregation and systemic risk analysis on the insurance side. Oh said: “As supply chains grow more complex, tools and collaboration aren’t enough on their own. Organisations need continuous visibility into vendor risk and leadership engagement that drives real accountability. We’re seeing increased investment and strong momentum behind AI adoption, but the biggest gains come when third-party cyber risk becomes part of everyday business decisions, not just a compliance exercise.”
BlueVoyant’s observations align with a separate study by Beazley, which examines how organisations in Asia view cyber risk, resilience, and technology change. In its report, Beazley notes a growing gap between executive confidence and the complexity of emerging threats, particularly in Singapore. In the Singapore sample, 26% of respondents identified cyber risk as their primary business threat, up from 24% in the previous year. Over the same period, perceived resilience to cyber events increased from 83% to 87%, suggesting that while threat awareness is rising, many organisations believe their capabilities can keep pace.
The Beazley research also explores attitudes toward artificial intelligence and broader technology transformation. Among Singapore-based executives, 85% said they expect AI to improve their organisations’ economic performance, while 68% anticipate workforce reductions linked to AI implementation in the next 18 months. Respondents cited concerns over intellectual property protection, data governance, and regulatory compliance, while concern about technology obsolescence declined from 29% in 2024 to 26% in the latest survey.
For insurers, reinsurers, and brokers across Asia, the combination of high reported TPRM maturity, persistent third-party incidents, and rising confidence in cyber resilience raises questions about how controls function in practice. It may also influence future approaches to coverage wording, limits, sublimits, and accumulation management for complex, multi-party cyber and supply chain events originating in or involving Singapore.