PHL firms trail Asia-Pacific neighbors in cybersecurity risk readiness

Organizations in the Philippines rank among the least mature in the Asia-Pacific region in managing third-party cyber risks, a new study has found, even as supply chain-related breaches now affect every company surveyed.

The findings come from BlueVoyant‘s sixth annual State of Supply Chain Defence Report, which benchmarks how organizations worldwide assess, monitor, and remediate cyber risks originating from third-party vendors.

BlueVoyant is a global specialist in cyber defense and supply-chain risk management, trusted by more than 1,000 clients globally and recognized as the 2024 Microsoft Worldwide Security Partner of the Year.

The 2025 study, conducted by independent research firm Opinion Matters, surveyed 1,800 C-suite leaders worldwide, including 100 respondents from the Philippines.

All respondents held responsibilities in cybersecurity, supply-chain oversight, or enterprise risk across organizations with over 1,000 employees.

Only 23 percent of Philippine organizations have established or optimized third-party cyber risk management (TPRM) programs, making the country the lowest-ranked globally. The figure trails the broader Asia-Pacific average of 32 percent.

Adding to the concern, 64 percent of local firms rarely or only sometimes use dedicated third-party risk management platforms.

The threat landscape has intensified considerably.

A full 100 percent of Philippine organizations reported negative impacts from at least one supply chain-related cyber breach in 2025, a sharp rise from 84.5 percent in 2024.

Of those affected, 40 percent experienced between two and five breaches through third parties in the past year alone.

Barriers to improving TPRM maturity persist within organizations.

Internal resistance to change was cited by 25 percent of respondents, while another 25 percent pointed to difficulties in cross-stakeholder collaboration.

On the operational side, 18 percent of firms struggled to get suppliers to complete risk questionnaires, and 16 percent faced challenges in collecting accurate risk insights.

Philippine organizations lean heavily on relationships to address cybersecurity vulnerabilities.

Some 63 percent work directly with third parties to remediate issues, with 23 percent collaborating with vendors throughout the entire remediation process.

While this relationship-driven approach is a strength, experts warn that expanding ecosystems means collaboration alone can leave blind spots.

Investment in TPRM is climbing. Nearly all organizations surveyed, 98 percent, increased their TPRM spending over the last 12 months, up from 90 percent in 2024.

Key areas being outsourced include remediation at 38 percent, reporting at 37 percent, and monitoring of third parties at 34 percent.

Artificial intelligence (AI) is also gaining traction as a tool for managing third-party risk.

Some 59 percent of respondents see AI as key for continuous monitoring in the coming year, while 53 percent plan to use AI for managing risk questionnaires, recognizing automation as essential to maintaining visibility as attack surfaces grow.

Vendor ecosystems are also set to widen further.

A total of 97 percent of Philippine organizations expect their third-party networks to grow, with 41 percent anticipating growth of 6 percent to 10 percent.

William Oh, Head of Asia Pacific at BlueVoyant, shared, “As the Philippines increasingly recognise cybersecurity central to the economy’s digitalisation, third-party cyber risk management is emerging as a crucial aspect in organisational resilience. Our research shows that Phillipine organisations still have work to do to strengthen program foundations and executive alignment to address persistent threats within the third-party ecosystem.”

Joel Molinoff, Global Head of Third-Party Risk Management at BlueVoyant, said, “Organisations worldwide continue to face the pressing challenge of managing supply chain and third-party cyber risks. Increased investment and growing AI adoption are positive steps, but the biggest gains come when third-party cyber risk is embedded into everyday business decisions and not treated as just a compliance exercise.”

As vendor ecosystems expand and operational dependencies deepen, the report underscores the urgent need for Philippine organizations to move beyond relationship-led remediation and embed third-party cyber risk management into core business strategy.