Philippines lag APAC on third-party cyber risk maturity

BlueVoyant has reported that organisations in the Philippines rank among the least mature in the Asia-Pacific region on third-party cyber risk management, even as supply chain-linked cyber incidents increased across surveyed firms.

The company's sixth annual State of Supply Chain Defence Report found that 23% of organisations in the Philippines said they had established or optimised third-party cyber risk management programmes. That compared with 32% across APAC.

The report also recorded a rise in supply chain-related breaches. It said 100% of organisations in the Philippines reported negative impacts from at least one supply chain-related cyber breach in 2025. The same measure stood at 84.5% in 2024.

BlueVoyant said 40% of organisations in the Philippines experienced between two and five breaches through third parties over the past year.

Maturity gap

Third-party cyber risk management, often shortened to TPRM, covers the ways organisations assess and manage security risks that arise from suppliers, technology partners, contractors, and other external service providers. It includes processes such as supplier due diligence, ongoing monitoring, and remediation when issues appear.

BlueVoyant said organisations in the Philippines reported low use of dedicated tooling. It found that 64% of organisations in the country rarely or sometimes used dedicated third-party risk management platforms.

The report also highlighted organisational issues that slow efforts to improve. It said the top organisational barriers in the Philippines were internal resistance to change at 25% and cross-stakeholder collaboration at 25%.

On day-to-day operations, the findings pointed to supplier engagement and data quality. BlueVoyant said 18% of respondents in the Philippines struggled to get suppliers to complete risk questionnaires. It said 16% faced challenges in collecting accurate risk insights.

Remediation approach

The report indicated a relationship-focused approach to addressing issues with suppliers. It said 63% of organisations in the Philippines worked with third parties to remediate cybersecurity issues. It said 23% collaborated directly with vendors throughout the process.

BlueVoyant described that approach as a strength in the market. It also said expanding supplier networks raise the risk of gaps in visibility when collaboration does not scale at the same pace.

Budgets and outsourcing

BlueVoyant's findings pointed to increased spending on third-party cyber risk management in the Philippines. It said 98% of organisations increased TPRM spending over the last 12 months. That figure stood at 90% in 2024.

The report also found signs of outsourcing in several areas of third-party cyber risk work. BlueVoyant said respondents most often outsourced remediation at 38%, reporting at 37%, and monitoring of third parties at 34%.

Those figures suggest organisations increasingly rely on external specialists for parts of the workflow, particularly where continuous monitoring and reporting require dedicated processes and staffing.

AI usage

The survey also asked respondents about the role of AI in third-party cyber risk management. BlueVoyant said 59% of organisations in the Philippines saw AI as key for continuous monitoring in the coming year. It said 53% planned to use AI for managing risk questionnaires.

Organisations often use questionnaires to gather information about a supplier's security controls and governance. The results suggested that respondents expected more automation in that part of the process.

Supplier growth

BlueVoyant said respondents in the Philippines expected supplier networks to expand. It found that 97% anticipated growth in their third-party networks. It said 41% expected growth of 6% to 10%.

Expansion in supplier ecosystems can increase the volume of vendors that security and risk teams need to assess. It can also increase dependency on vendors that hold sensitive data or provide operationally critical services.

William Oh, Head of Asia Pacific at BlueVoyant, focused on the role of third-party cyber risk management in the country's broader technology agenda. "As the Philippines increasingly recognise cybersecurity central to the economy's digitalisation, third-party cyber risk management is emerging as a crucial aspect in organisational resilience. Our research shows that Phillipine organisations still have work to do to strengthen program foundations and executive alignment to address persistent threats within the third-party ecosystem," said Oh.

BlueVoyant also framed the issue as a global challenge that requires day-to-day business attention.

"Organisations worldwide continue to face the pressing challenge of managing supply chain and third-party cyber risks. Increased investment and growing AI adoption are positive steps, but the biggest gains come when third-party cyber risk is embedded into everyday business decisions and not treated as just a compliance exercise," said Joel Molinoff, Global Head of Third-Party Risk Management, BlueVoyant.

The study surveyed 1,800 C-suite leaders globally, including 100 respondents from the Philippines. It focused on organisations with more than 1,000 employees. Respondents held responsibilities in cybersecurity, supply chain oversight, or enterprise risk.