TPRM · GRC · AI

We're becoming
Acuna GRC.

Same team, sharper mission. Watch our 90-second briefing on what's changing, what isn't, and what it means for our readers and platform members.

Discover Acuna
Briefing · Supplier Shield / Acuna · April 2026 · 45 s

Scene 01 · A cloud platform for TPRM
Supplier Shield: a cloud platform for third-party risk. Visibility · Monitoring · Control.
Vendor map: YOU · AWS · Stripe · Okta · Datadog · Slack · Twilio (3rd-party: 6 · 4th-party: 4). Like a mind map for your vendors: see every vendor, map every dependency, in one view. Continuous monitoring · Risk scoring · 4th-party visibility.

A note from our team
For years we've solved third-party risk. Quietly, we've been building something bigger. Now available in every Supplier Shield account: introducing Acuna, the AI-native GRC platform. Supplier Shield is now a module of Acuna.

Acuna · 8 modules · One login · One data layer
01 · TPRM · Supplier Shield · OSINT · A-F grades · live monitoring (this is us)
02 · Privacy · Data Protection · GDPR · DPIA · ROPA · nDSG
03 · Risk · Enterprise Risk · Heatmaps · taxonomies · KRIs
04 · Resilience · Business Continuity · BIA · DRP · tabletop
05 · Audit · Internal Audit · Workpapers · evidence · findings
06 · AI · Aiko Agents · Ask · order · brainstorm
07 · Trust · Trust Center · RBAC · Public attestations · roles
08 · Scanner · Breach Scanner · D&B credit · darknet exposure

Supplier Shield · A module of Acuna. One operating system for risk, privacy & compliance.
50+ frameworks · Swiss engineered · 100% practitioner-built · Customization · acunagrc.ai
Supplier Shield is trusted by: UNICC · Gavi · The Global Fund · Gold Standard · Group RCPEG · République et canton de Genève · Abilene Advisors
You are in safe hands from day one.
§ 01 · Product

Built the platform too.

Visit acunagrc.ai

Reading about TPRM is one thing. Running it is another. Acuna GRC is the platform our practitioners build with: vendor onboarding, continuous monitoring, evidence collection, and audit-ready reporting in one place.

248K
Vendors monitored
14M+
Risk signals/day
38
Frameworks mapped
94%
Audit pass rate
Dashboard preview · app.acunagrc.ai/dashboard
Workspace navigation: Dashboard · Vendors · Assessments · Evidence · Frameworks · Reports
Vendor risk overview: Total 2,481 · Critical 47 · Pending 128
Stripe Inc. · Critical · 92
Datadog · Healthy · 24
Snowflake · Watch · 58
OpenAI · Watch · 64
§ 02 · Breach Wire

The Breach Wire.

$4.88M
Average global data breach cost (2024)
Source: IBM
$16.6B
Reported internet crime losses (2024)
Source: FBI IC3
859,532
Internet crime complaints filed (2024)
Source: FBI IC3
7
Sectors represented in this wire cycle
Source: Supplier Shield Threat Intel
7
Verified incidents in this wire cycle
Source: Supplier Shield Threat Intel
7 incidents, newest first
Disclosed / Severity · Vendor · Scope · Sector · Geo · Disclosure · Source · Status
2026-04-28 · CRIT
Checkmarx (via Trivy)
96 GB internal repo data
AppSec / DevSec Tooling
US / IL
Confirmed. Initial compromise via Trivy supply-chain attack on 23 March 2026 by TeamPCP; credentials used to access Checkmarx GitHub. LAPSUS$ published 96 GB extortion archive on 25 April; Checkmarx confirmed origin on 28 April. Customer data reportedly not stored in affected repo. Pattern: open-source tool to security vendor to downstream blast radius.
Source: Checkmarx security advisory · Status: Investigating
2026-04-24 · CRIT
Medtronic
9M (claimed by ShinyHunters; not company-confirmed)
Medical Devices
US
Confirmed unauthorized access to corporate IT systems. Company states medical-device, manufacturing, distribution, and hospital customer networks are segregated and unaffected. ShinyHunters claim of ~9M records remains unverified by the company.
Source: Medtronic disclosure / The Register · Status: Investigating
2026-04-20 · HIGH
ADT
Limited (company); 10M+ claimed by threat actor
Consumer Security / IoT
US
Disclosed via SEC 8-K. Unauthorized access to certain cloud-based environments; ADT confirms only limited customer and prospective-customer data was accessed. ShinyHunters claims 10M+ records and has threatened a public leak, a claim ADT has not endorsed. Payment systems and security-monitoring infrastructure reported unaffected.
Source: SEC 8-K / ADT filing · Status: Investigating
2026-04-19 · HIGH
Vercel (via Context.ai)
Limited internal envs
AI / Cloud Infrastructure
US
Compromise of the third-party AI tool Context.ai via a Google Workspace OAuth grant (an 'Allow All' consent by a Vercel employee). The attacker reached non-sensitive environment variables in some Vercel environments; no evidence of access to sensitive encrypted-at-rest values. Affects multiple Context.ai customers beyond Vercel.
Source: Vercel security incident page · Status: Patched
2026-04-22 · HIGH
Rituals
Customer/membership PII (scope TBC)
Retail / Consumer
NL
Customer data exposure: full name, email, phone, date of birth, gender, home address. Reported to the Dutch DPA (Autoriteit Persoonsgegevens) under GDPR Art. 33. Containment measures implemented.
Source: Bitdefender / vendor disclosure · Status: Contained
2026-04-28 · HIGH
Vimeo (via Anodot)
User and customer data, exact count not disclosed
Video SaaS
US
Downstream exposure via compromised third-party analytics provider Anodot. Exposed data types include account metadata, video titles, and in some cases email addresses. Anodot integration removed; credentials disabled; law enforcement notified. Classic 4th-party telemetry exposure pattern.
Source: SecurityWeek / Vimeo disclosure · Status: Investigating
2026-04-15 · MED
Autovista Group
Operational disruption (EU + AU)
Automotive Data / Analytics
UK
Ransomware identified 11 April, disclosed 15 April. Disruption across Eurotax, Glass's, Schwacke, and Rodboka product lines in Europe and Australia. External forensic experts engaged. As of the 4 May update, restoration is progressing on a rolling basis. No threat actor has claimed responsibility.
Source: Autovista service update · Status: Restoring
Source · Supplier Shield Threat Intel · 14 partner CSIRTs · Last refresh 5 May 2026
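The "map every dependency" view above and the blast-radius pattern named in the Checkmarx and Vimeo entries reduce to one graph question: who sits between you and a compromised supplier, and who else is hit when that supplier falls? The Python below is an added illustration, not Supplier Shield or Acuna code. The graph, the YOU node and every edge in it (including the Checkmarx -> Trivy and Datadog -> Anodot chains, which only model the patterns described in the wire) are constructed for the example and make no claim about any company's real dependencies.

```python
"""Supplier dependency graph: tiers, blast radius and conduit vendors.

Added example for this page; it is not Supplier Shield or Acuna code.
The graph is constructed for illustration. The Checkmarx -> Trivy and
Datadog -> Anodot edges are hypothetical modelling of the patterns the
wire describes, not a statement about real contractual dependencies.
"""
from collections import deque

# Edge A -> B means "A depends on B" (B is a supplier of A).
# Constructed sample data.
SUPPLIER_GRAPH = {
    "YOU": ["AWS", "Stripe", "Okta", "Datadog", "Slack", "Twilio", "Checkmarx"],
    "AWS": [],
    "Stripe": ["AWS"],
    "Okta": ["AWS"],
    "Datadog": ["AWS", "Anodot"],   # hypothetical analytics sub-processor
    "Slack": ["AWS"],
    "Twilio": ["SendGrid"],         # hypothetical
    "SendGrid": [],
    "Anodot": [],
    "Checkmarx": ["Trivy"],         # hypothetical: vendor bundling an OSS scanner
    "Trivy": [],
}


def tier_map(graph, root="YOU"):
    """Shortest dependency distance from root: 1 = third party, 2 = fourth party."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    return depth


def reverse_graph(graph):
    """Edge B -> A for every A -> B, i.e. 'who depends on B'."""
    rev = {node: [] for node in graph}
    for node, deps in graph.items():
        for dep in deps:
            rev.setdefault(dep, []).append(node)
    return rev


def blast_radius(graph, compromised):
    """Every organisation that transitively depends on `compromised`."""
    rev = reverse_graph(graph)
    hit = set()
    queue = deque([compromised])
    while queue:
        node = queue.popleft()
        for dependant in rev.get(node, []):
            if dependant not in hit:
                hit.add(dependant)
                queue.append(dependant)
    return hit


def exposure_paths(graph, target, root="YOU"):
    """All simple dependency paths root -> ... -> target: the concrete chains
    through which a compromise of `target` can reach root."""
    paths = []

    def walk(node, path):
        if node == target:
            paths.append(list(path))
            return
        for dep in graph.get(node, []):
            if dep not in path:          # skip cycles
                path.append(dep)
                walk(dep, path)
                path.pop()

    walk(root, [root])
    return paths


def conduit_vendors(graph, target, root="YOU"):
    """Direct (third-party) vendors through which `target` reaches root;
    these are the contracts and integrations to review first."""
    return {path[1] for path in exposure_paths(graph, target, root) if len(path) > 1}


if __name__ == "__main__":
    tiers = tier_map(SUPPLIER_GRAPH)
    for name in ("Trivy", "Anodot", "AWS"):
        print(f"{name}: tier {tiers[name]}, "
              f"blast radius {sorted(blast_radius(SUPPLIER_GRAPH, name))}, "
              f"via {sorted(conduit_vendors(SUPPLIER_GRAPH, name))}")
```

Two readings matter in practice. `blast_radius` answers the wire's question from the supplier's side (a Trivy compromise reaches Checkmarx and then YOU, even though Trivy never appears on a vendor contract), and `conduit_vendors` answers it from yours (Anodot can only reach you through Datadog, so that is the integration whose credentials get rotated and whose DPA gets re-read). Tier numbers come from shortest path, so a supplier reachable both directly and through another vendor is counted at its closest tier.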
§ 04 · The Loss Ledger

What TPRM failures cost.

Methodology →
2026 YTD verified third-party losses · running
$799M
1 verified disclosure · UnitedHealth Group / Change Healthcare
Verified breaches · 2025
136
719 named victims + ~26,000 unnamed downstream
Cascade ratio · 2025
5.28×
Downstream victims per breach · highest ever
Silent window · disclosure lag
117 days
Avg vendor-to-customer disclosure delay
Ranked by disclosed cost
01 · Healthcare · $799M · Anchor case: UnitedHealth / Change Healthcare
02 · Public Sector · $32.2M · Anchor case: Maximus / MOVEit
03 · Tech / SaaS · $22.6M · Anchor cases: Capita, Advanced Computer Software, Mobius/Optimove
Only rows with primary-source-backed cost figures shown.
Verified third-party losses · 2025 + 2026 YTD · Primary sources only

# · Victim · Vendor / Root cause · Sector · Geo · Disclosed cost
1 · UnitedHealth Group · Change Healthcare (ALPHV/BlackCat ransomware) · Healthcare · US · $799M
2 · Maximus, Inc. · Progress Software (MOVEit zero-day) · Public Sector · US · $32.2M
3 · Capita plc + CPSL · Capita infrastructure failure (processor) · Tech / SaaS · UK · £14M ≈ $17.6M
4 · Advanced Computer Software Group · Advanced Health and Care (lack of MFA) · Tech / SaaS · UK · £3.08M ≈ $3.9M
5 · Mobius Solutions Ltd (Optimove) · Mobius unauthorized staging env. (Deezer data) · Tech / SaaS · FR · €1M ≈ $1.05M

Currency converted at rates current on disclosure date. Original-currency figure is the regulator's or filer's value of record.

Methodology: Disclosed costs only — settlements, regulatory fines, remediation outlays from SEC 8-Ks, GDPR/FCA enforcement notices, court records, and HHS OCR. Updated monthly. Never sourced from member or customer data.

Sources & full ledger →
Full methodology
Verified incident counts (Industry / Country): Sourced from the Black Kite 2026 Third-Party Breach Report (3 March 2026), covering 1 January – 31 December 2025. The report analyzes 136 verified breach events, 719 named victim companies, an estimated 26,000 unnamed downstream companies, and 433M individuals impacted.
Disclosed cost figures (Top Incidents table): Sourced exclusively from primary documents — SEC filings on EDGAR, regulator penalty notices (ICO, CNIL), company quarterly earnings, and court records. No threat-actor claims, journalistic estimates, or aggregator-sourced totals used.
Inclusion criteria: A loss qualifies if (1) the financial impact is publicly disclosed in a primary source, (2) the root cause is causally tied to a third party, and (3) the disclosure occurred between 1 January 2025 and present.
Currency: USD equivalents use rates current on disclosure date. Original-currency figure is the filer's or regulator's value of record.
Updated monthly. Never sourced from member or customer data.
§ 06 · Network

Experts in your chair.

Alexis Hirschhorn
CEO of Acuna · Acuna

Cyber security and governance consultant with 20+ years advising multinationals, governments, and international organizations.

Cyber and information security · Cloud security · Risk and governance consulting · Certified Lead Auditor
Leadership · Switzerland
Henri Haenni
CEO of Abilene Group · Abilene Group

Business continuity and information security expert, certified international trainer and lecturer at Sorbonne University Paris 1.

Business continuity · Risk management · Information security governance · Sorbonne University lecturer
Leadership · Switzerland
Laura Menetrey
Legal and compliance expert · Abilene Advisors

Strategic legal advisor in data protection and privacy law, helping organizations navigate GDPR, NIS2, DORA, and Swiss nDSG.

Data protection law · GDPR, NIS2, DORA, nDSG · Privacy and regulatory advisory · Data mapping and compliance
Legal · Switzerland
Jean Munyarugerero
Auditing expert · Abilene Advisors

Hands-on IS and business continuity trainer and auditor with experience spanning finance, cloud, public sector, and NGOs.

IS and business continuity trainer · Management systems auditor · Finance, cloud, public sector, NGOs
Audit · Switzerland
Jean-Emmanuel Rodriguez
Cybersecurity governance expert · Abilene Advisors

Supports clients through vendor risk, compliance technology integration, and gap analysis, from policy development to go-live.

AI governance · Information security governance · Gap analysis and framework implementation · GRC
GRC · Switzerland
Bénédicte Sévin
GRC Consulting team leader · Abilene Advisors

Leads end-to-end project supervision across implementations, audits, and compliance programs for global organizations.

GRC project leadership · ISO 27001 Lead Implementer · 15+ years international experience · I.S.I.T. Paris certified
Delivery · Switzerland
Contributor program

Risk practitioner with a story to tell? Share your expertise with our audience.

We welcome unpaid guest contributions with author attribution and profile/backlink credit.

Pitch us
§ 07 · Education

Abilene Academy.

Browse catalog

The reading is free. The training is structured. Abilene Academy is our practitioner school with accredited courses taught by working CISOs, GRC leads, and continuity experts.

All categories: Business Continuity and Crisis Management · Cybersecurity · Microsoft Training · Governance, Risk and Compliance · Quality, Health, Safety and Environment · Information Security
§ 09 · FAQ

Reader questions.

Supplier Shield remains the editorial brand while the platform is now Acuna GRC.

Yes. The newsroom and most research are free.

A composite score across a universe of vendors weighted by risk-relevant factors.

The Daily Brief

The TPRM brief.
Every weekday at 7am.
