TPRM · GRC · AI

Third-Party Risk Management
for European Regulation.

Same team, sharper mission. We're becoming Acuna GRC — watch our 45-second briefing on what's changing, what isn't, and what it means for your TPRM program and GRC priorities.

Supplier Shield
A cloud platform for third-party risk
Visibility·Monitoring·Control
YOUAWSStripeOktaDatadogSlackTwilio
3rd-party · 64th-party · 4
Like a mind map for your vendors
See every vendor.
Map every dependency.
In one view.
Continuous monitoringRisk scoring4th-party visibility
A note from our team
For years we've solved
third-party risk.
Quietly, we've been building
something bigger.
Now available in every Supplier Shield account
Introducing
Acuna.
The AI-native GRC platform.
Supplier Shield
Acuna
Acuna
Supplier Shield is now a module of Acuna.
Acuna
Acuna · 8 modules
One login · One data layer
TPRM01
Supplier Shield
OSINT · A-F grades · live monitoring
● THIS IS US
Privacy02
Data Protection
GDPR · DPIA · ROPA · nDSG
Risk03
Enterprise Risk
Heatmaps · taxonomies · KRIs
Resilience04
Business Continuity
BIA · DRP · tabletop
Audit05
Internal Audit
Workpapers · evidence · findings
AI06
Aiko Agents
Ask · order · brainstorm
Trust07
Trust Center · RBAC
Public attestations · roles
Scanner08
Breach Scanner
D&B credit · darknet exposure
Acuna
Supplier Shield · A module of Acuna
One operating system
for risk, privacy & compliance.
50+
Frameworks
Swiss
Engineered
100%
Practitioner-built
Customization
acunagrc.ai
00:00
00:45
Supplier Shield is trusted byYou are in safe hands from day one.
UNICCGaviThe Global FundGold StandardGroup RCPEGRépublic et canton de GenèveAbilene Advisors

You came for TPRM. Here's the full picture.

The platform solves it. Advisors accelerate it. Education sustains it.

Platform · Acuna GRCFrom CHF 5’388 / year

Supplier Shield: TPRM first. Full GRC when you need it.

Start with vendor risk. Add compliance, audit, and AI-assisted reporting as you grow; all in one platform, hosted in Switzerland.

  • No more 200-question vendor formsAdaptive questionnaires; vendors answer once, applicable frameworks reuse responses
  • Know which suppliers are criticalRisk tiering by criticality, data access, and regulatory scope
  • Audit-ready at any timeEvidence library, findings tracker, and audit-ready exports; all in one place
  • 50+ frameworks supportedDORA, NIS2, ISO 27001, FINMA, GDPR and more; map once, reuse across all assessments
Modules inside Acuna GRC:Supplier Shield TPRMCompliance & AuditRisk ManagementData ProtectionBusiness ContinuityInternal Audit
Discover Acuna GRC From CHF 5’388 / year · see all plans
Advisory

Advisory Services

Senior practitioners. Fixed-fee or subscription. No sales rep.

  • TPRM programme design and gap review
  • DORA · NIS2 · ISO 27001 readiness assessments
  • Vendor due diligence and questionnaire support
  • Interim CISO / DPO engagements
Education

Abilene Academy

Switzerland’s only PECB Titanium Partner. 99% exam pass rate.

2,500+ professionals trained · 120+ countries · abileneacademy.ch

§ 01 · Product

Built the platform too.

Sister product · Acuna GRCVisit acunagrc.ai

Reading about TPRM is one thing. Running it is another. Acuna GRC is the platform our practitioners build with, vendor onboarding, continuous monitoring, evidence collection, and audit-ready reporting in one place.

248K
Vendors monitored
14M+
Risk signals/day
38
Frameworks mapped
94%
Audit pass rate
app.acunagrc.ai/dashboard
Workspace
Dashboard
Vendors
Assessments
Evidence
Frameworks
Reports
Vendor risk overviewLive
Total
2,481
Critical
47
Pending
128
Stripe Inc.Critical
92
DatadogHealthy
24
SnowflakeWatch
58
OpenAIWatch
64
§ 02 · Breach Wire

The Breach Wire.

Updated 5 May 2026 · Next refresh ~19 May 2026
$4.88M
Average global data breach cost (2024)
Source: IBM
$16.6B
Reported internet crime losses (2024)
Source: FBI IC3
859,532
Internet crime complaints filed (2024)
Source: FBI IC3
7
Sectors represented in this wire cycle
Source: Supplier Shield Threat Intel
7
Verified incidents in this wire cycle
Source: Supplier Shield Threat Intel
Sort: Newest ↓7 of 7
Disclosed / SevVendorSectorGeoDisclosure
2026-04-28CRIT
Checkmarx (via Trivy)
96 GB internal repo data
AppSec / DevSec Tooling
US / IL
Confirmed. Initial compromise via Trivy supply-chain attack on 23 March 2026 by TeamPCP; credentials used to access Checkmarx GitHub. LAPSUS$ published 96 GB extortion archive on 25 April; Checkmarx confirmed origin on 28 April. Customer data reportedly not stored in affected repo. Pattern: open-source tool to security vendor to downstream blast radius.
SOURCE: Checkmarx security advisorySTATUS: Investigating
2026-04-24CRIT
Medtronic
9M (claimed by ShinyHunters; not company-confirmed)
Medical Devices
US
Confirmed unauthorized access to corporate IT systems. Company states medical-device, manufacturing, distribution, and hospital customer networks segregated and unaffected. ShinyHunters claim of ~9M records remains unverified by the company.
SOURCE: Medtronic disclosure / The RegisterSTATUS: Investigating
2026-04-20HIGH
ADT
Limited (company); 10M+ claimed by threat actor
Consumer Security / IoT
US
Disclosed via SEC 8-K. Unauthorized access to certain cloud-based environments; ADT confirms only limited customer/prospective-customer data accessed. ShinyHunters claims 10M+ records and threatened public leak, claim not endorsed by ADT. Payment systems and security-monitoring infrastructure reported unaffected.
SOURCE: SEC 8-K / ADT filingSTATUS: Investigating
2026-04-19HIGH
Vercel (via Context.ai)
Limited internal envs
AI / Cloud Infrastructure
US
Compromise of third-party AI tool Context.ai via Google Workspace OAuth ('Allow All' grant from a Vercel employee). Attacker reached non-sensitive environment variables in some Vercel environments. Sensitive encrypted-at-rest values report no evidence of access. Affects multiple Context.ai customers beyond Vercel.
SOURCE: Vercel security incident pageSTATUS: Patched
2026-04-22HIGH
Rituals
Customer/membership PII (scope TBC)
Retail / Consumer
NL
Customer data exposure: full name, email, phone, date of birth, gender, home address. Reported to Dutch DPA (Autoriteit Persoonsgegevens) under GDPR Art. 33. Containment measures implemented.
SOURCE: Bitdefender / vendor disclosureSTATUS: Contained
2026-04-28HIGH
Vimeo (via Anodot)
User and customer data, exact count not disclosed
Video SaaS
US
Downstream exposure via compromised third-party analytics provider Anodot. Exposed data types include account metadata, video titles, and email addresses in some cases. Anodot integration removed; credentials disabled; law enforcement notified. Classic 4th-party telemetry exposure pattern.
SOURCE: SecurityWeek / Vimeo disclosureSTATUS: Investigating
2026-04-15MED
Autovista Group
Operational disruption (EU + AU)
Automotive Data / Analytics
UK
Ransomware identified 11 April, disclosed 15 April. Disruption across Eurotax, Glass's, Schwacke, and Rodboka product lines in Europe and Australia. External forensic experts engaged. As of 4 May update, restoration progressing on a rolling basis. No threat actor has claimed responsibility.
SOURCE: Autovista service updateSTATUS: Restoring
Source · Supplier Shield Threat Intel · 14 partner CSIRTs · Last refresh 5 May 2026
§ 03 · Research Desk · Q2 2026

State of
Vendor Risk
2026, Year-End Report.

We are building the year-end benchmark now. Join the early list and be the first to receive the report the moment it is published.

  • Delivery target: end of year
  • Practical benchmark for vendor-risk leaders
  • Email-first access for early subscribers
No spam, only report-release updates.
SUPPLIER SHIELD · YEAR-ENDIN PRODUCTION
State of
Vendor
Risk
26
RELEASE WINDOW
END OF YEAR
EARLY ACCESS
SS
Report status
Live
Primary research is being compiled. Subscribers get first access when publication is ready.
What you get
  • 01Publication alert first
  • 02Executive summary by email
  • 03No off-topic emails
  • 04Unsubscribe anytime
Waitlist open
§ 04 · The Loss Ledger

What TPRM failures cost.

Last refresh: 5 May 2026 · Next: 19 May 2026Full methodology
2026 YTD verified third-party losses · running
$799M
1 verified disclosure · UnitedHealth Group / Change Healthcare
Verified breaches · 2025
136
719 named victims + ~26,000 unnamed downstream
Cascade ratio · 2025
5.28×
Downstream victims per breach · highest ever
Silent window · disclosure lag
117 days
Avg vendor-to-customer disclosure delay
Ranked by disclosed cost
01Healthcare
$799M
Anchor case: UnitedHealth / Change Healthcare
02Public Sector
$32.2M
Anchor case: Maximus / MOVEit
03Tech / SaaS
$22.6M
Anchor cases: Capita, Advanced Computer Software, Mobius/Optimove
Only rows with primary-source-backed cost figures shown.
Verified third-party losses · 2025 + 2026 YTDPrimary sources only
#VictimVendor / Root causeSectorGeoDisclosed cost
1UnitedHealth GroupChange Healthcare (ALPHV/BlackCat ransomware)HealthcareUS$799M
2Maximus, Inc.Progress Software (MOVEit zero-day)Public SectorUS$32.2M
3Capita plc + CPSLCapita infrastructure failure (processor)Tech / SaaSUK£14M ≈ $17.6M
4Advanced Computer Software GroupAdvanced Health and Care (lack of MFA)Tech / SaaSUK£3.08M ≈ $3.9M
5Mobius Solutions Ltd (Optimove)Mobius unauthorized staging env. (Deezer data)Tech / SaaSFR€1M ≈ $1.05M
Currency converted at rates current on disclosure date. Original-currency figure is the regulator/filer's value of record.

Methodology: Disclosed costs only — settlements, regulatory fines, remediation outlays from SEC 8-Ks, GDPR/FCA enforcement notices, court records, and HHS OCR. Updated monthly. Never sourced from member or customer data.

Sources & full ledger
Full methodology
Verified incident counts (Industry / Country): Sourced from the Black Kite 2026 Third-Party Breach Report (3 March 2026), covering 1 January – 31 December 2025. The report analyzes 136 verified breach events, 719 named victim companies, an estimated 26,000 unnamed downstream companies, and 433M individuals impacted.
Disclosed cost figures (Top Incidents table): Sourced exclusively from primary documents — SEC filings on EDGAR, regulator penalty notices (ICO, CNIL), company quarterly earnings, and court records. No threat-actor claims, journalistic estimates, or aggregator-sourced totals used.
Inclusion criteria: A loss qualifies if (1) the financial impact is publicly disclosed in a primary source, (2) the root cause is causally tied to a third party, and (3) the disclosure occurred between 1 January 2025 and present.
Currency: USD equivalents use rates current on disclosure date. Original-currency figure is the filer's or regulator's value of record.
Updated monthly. Never sourced from member or customer data.
§ 05 · Video briefings

Sushi Talks, top episodes.

Watch latest
Now playingAudio
Featured episode · Spotify

The hidden risks of AI: What businesses can learn from AI cheating in chess

Watch or listen on the original platform.

SpotifyAudio
EP. 01

The hidden risks of AI: What businesses can learn from AI cheating in chess

SpotifyAudio
EP. 02

Third Party Risk Management: Interview with Monika Atanasova on Industry Evolution & AI Impact

YouTube26:13
EP. 03

How Hackers Hijack Networks: What Businesses and Home Users Must Know

SpotifyAudio
EP. 04

Understanding Third-Party Risk Management: Essential Insights for Businesses of All Sizes

YouTube14:59
EP. 05

How can financial risks in a supply chain be managed?

YouTube3:10
EP. 06

NIS2 Compliance: Are You at Risk of Personal Liability? | Supplier Shield

YouTube8:40
EP. 07

Supplier Risk Management: Best Practices to Safeguard Your Supply Chain

SpotifyAudio
EP. 08

Streamlining TPRM: How to Boost Efficiency and Cut Costs

SpotifyAudio
EP. 09

Why business continuity is now a legal obligation and what most leaders still don’t understand

YouTube9:13
YouTubeSpotifyTPRMBusiness ContinuityNIS2Full podcast library More episodes on Spotify
§ 06 · Network

Experts in your chair.

240+ contributors · 38 countries
Alexis Hirschhorn
Alexis Hirschhorn
CEO of Acuna · Acuna

Cyber security and governance consultant with 20+ years advising multinationals, governments, and international organizations.

Cyber and information securityCloud securityRisk and governance consultingCertified Lead Auditor
LeadershipSwitzerland
Henri Haenni
Henri Haenni
CEO of Abilene Group · Abilene Group

Business continuity and information security expert, certified international trainer and Lecturer at Sorbonne University Paris 1.

Business continuityRisk managementInformation security governanceSorbonne University lecturer
LeadershipSwitzerland
Laura Menetrey
Laura Menetrey
Legal and compliance expert · Abilene Advisors

Strategic legal advisor in data protection and privacy law, helping organizations navigate GDPR, NIS2, DORA, and Swiss nDSG.

Data protection lawGDPR, NIS2, DORA, nDSGPrivacy and regulatory advisoryData mapping and compliance
LegalSwitzerland
Jean Munyarugerero
Jean Munyarugerero
Auditing expert · Abilene Advisors

Hands-on IS and business continuity trainer and auditor with experience spanning finance, cloud, public sector, and NGOs.

IS and business continuity trainerManagement systems auditorFinance, cloud, public sector, NGOs
AuditSwitzerland
Jean-Emmanuel Rodriguez
Jean-Emmanuel Rodriguez
Cybersecurity governance expert · Abilene Advisors

Supports clients through vendor risk, compliance technology integration, and gap analysis from policy development to go-live.

AI governanceInformation security governanceGap analysis and framework implementationGRC
GRCSwitzerland
Bénédicte Sévin
Bénédicte Sévin
GRC Consulting team leader · Abilene Advisors

Leads end-to-end project supervision across implementations, audits, and compliance programs for global organizations.

GRC project leadershipISO 27001 Lead Implementer15+ years international experienceI.S.I.T. Paris certified
DeliverySwitzerland
Contributor program

Risk practitioner with a story to tell? Share your expertise with our audience.

We welcome unpaid guest contributions with author attribution and profile/backlink credit.

Pitch us
§ 07 · Education

Abilene Academy.

Browse catalog

The reading is free. The training is structured. Abilene Academy is our practitioner school with accredited courses taught by working CISOs, GRC leads, and continuity experts.

All categoriesBusiness Continuity and Crisis ManagementCybersecurityMicrosoft TrainingGovernance, Risk and ComplianceQuality, Health, Safety and EnvironmentInformation Security
§ 08 · Library

Free for practitioners.

All resources
Most popularCompliance

Cross-Border Data Transfers Between Switzerland and France: A Compliance Guide

Personal data flows freely between Switzerland and France in both directions with no SCCs required. Learn when SCCs and Transfer Impact Assessments apply, how FADP Article 9 compares to GDPR Article 28, and what financial-sector overlays apply.

Jun 1, 2026Download
Threat Intelligence

Amazon employee data breach exposes hidden dangers in the digital supply chain

Apr 29
AI & Risk

Browsers: The new AI battleground and 2025�s biggest security test

Apr 29
AI & Risk

Could scrapping IP laws supercharge AI—or leave your business exposed?

Apr 29
TPRM

Cyber supply chain risk management: From visibility gaps to resilience at scale

Apr 29
§ 09 · FAQ

Reader questions.

Third-party risk management (TPRM) is the process of identifying, assessing, and monitoring risks introduced by vendors, suppliers, and partners who have access to your systems, data, or critical operations. Regulations such as DORA and NIS2 require formal, evidence-backed TPRM programmes for regulated entities in the EU.

DORA applies to all EU-regulated financial entities: banks, investment firms, insurers, payment institutions, and e-money institutions, plus ICT third-party service providers designated as critical by ESAs. Swiss firms with EU subsidiaries or branches are also in scope. Enforcement began January 2025.

Mid-market TPRM tools in Europe typically cost €25k–€80k per year before professional services. Enterprise GRC suites can exceed €250k. Acuna GRC (which includes the Supplier Shield TPRM module) starts from CHF 5,388/year with no per-user fees. See our GRC pricing benchmark for a full comparison.

TPRM (Third-Party Risk Management) focuses specifically on risks from external vendors and suppliers. GRC (Governance, Risk and Compliance) is a broader framework covering internal governance, enterprise risk, and regulatory compliance across the whole organisation. Supplier Shield is the TPRM module inside Acuna GRC, the full GRC platform.

Yes. Supplier Shield is the TPRM module of Acuna GRC, the AI-native GRC platform built by Acuna SA in Morges, Switzerland. The Supplier Shield brand remains the editorial and advisory identity; Acuna GRC is the product delivery platform. Existing Supplier Shield customers migrate to Acuna at no additional cost.

Supplier Shield remains the editorial brand while the platform is now Acuna GRC.

Yes. The newsroom and most research are free.

A composite score across a universe of vendors weighted by risk-relevant factors.

The Daily Brief

The TPRM brief.
Every weekday at 7am.

Supplier Shield — TPRM for European Regulation