AI-Driven Cyber Security Is Increasingly Essential For Effective TPRM

Blog
Corporate Risk Leaders
30 Jan, 2026

The cyber security battlefront is evolving. Traditional cyber incidents, which increased by 10% in 2025, are likely to be replaced by AI-driven attacks, like the incident reported by Anthropic in November 2025. Yet, many firms still regard cyber security as just a chief information security officer (CISO) problem – which could become a strategic flaw.

In the context of heavily interdependent operations – partly fuelled by the AI-industrial revolution – cyber security is a hot topic for third-party risk monitoring (TPRM), with more than half of cyber incidents originating externally. Over the next two years, TPRM and risk intelligence vendors that can deliver timely, accurate and actionable insights on third-party cyber security threats are poised to become the dominant players in the market.

While the overall volume of cyber incidents in 2025 was significantly lower than the peak observed after Russia’s invasion of Ukraine in 2022, the number of cyber security events remains well above pre-COVID-19 levels, according to the University of Maryland’s Cyber Events Database. The bulk of the attacks (62%) focused on public administration, information, healthcare and social assistance, and finance and insurance sectors. Financial gains were the main motive for hackers in 52% of the reported incidents.

In 2026, we can expect a rise in AI-driven cyber incidents, where AI agents select the target, the method and the timing of attack. In that context, AI is both a threat and an essential layer of defence. Real-time monitoring of any digital footprint requires the use of AI, especially when it needs to be applied to third parties.

From a risk management perspective, an optimal software solution should provide CROs with:

  • A view of the cybersecurity vulnerability of the firm’s own digital assets.
    Value-at-risk (VaR) models must be adapted to quantify the damage to key virtual areas and services. Any cyber risk quantification (CRQ) tools should facilitate AI-driven scenario testing and Monte Carlo modelling, so CROs can fully understand if their risk control and mitigation measures are adequate.

  • Measurable and real-time insight into the cyber security profile of partners, providers and clients.
    This would require multiple integration points to facilitate the fusion of proprietary and cybersecurity data to build heat maps of third-party cyber exposure. These maps should be three-dimensional, taking into account volume (the number of incidents), potential exploitability (how easily a threat agent could exploit any identified vulnerability), and impact (the potential damage to the organization).
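
The quantification described in the two points above can be sketched as a Monte Carlo simulation. This is an added example, not code from the original post or from any vendor: it takes each third party's volume, exploitability and impact as inputs and returns per-vendor expected loss (the heat-map value) plus portfolio VaR. The Poisson and lognormal distributions, the vendor names and all figures are assumptions constructed for illustration.

```python
import math
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class ThirdParty:
    name: str
    volume: float          # expected incidents per year (assumed Poisson rate)
    exploitability: float  # probability an incident is successfully exploited
    impact_median: float   # median loss per exploited incident, must be > 0
    impact_sigma: float = 1.0  # lognormal spread of the loss (assumption)

def annual_loss(tp, rng):
    """Draw one simulated year of loss for a single third party."""
    if tp.volume <= 0 or tp.exploitability <= 0:
        return 0.0  # no incidents, or none exploitable: no loss
    loss, t = 0.0, rng.expovariate(tp.volume)
    while t < 1.0:  # exponential gaps give Poisson arrivals within one year
        if rng.random() < tp.exploitability:
            loss += rng.lognormvariate(math.log(tp.impact_median), tp.impact_sigma)
        t += rng.expovariate(tp.volume)
    return loss

def quantile(sorted_values, q):
    """Empirical nearest-rank quantile of an ascending list."""
    return sorted_values[max(0, math.ceil(q * len(sorted_values)) - 1)]

def simulate(portfolio, trials=5000, seed=1):
    """Return per-vendor expected annual loss and portfolio VaR at 95% and 99%."""
    rng = random.Random(seed)  # fixed seed keeps runs reproducible
    per_vendor = {tp.name: 0.0 for tp in portfolio}
    totals = []
    for _ in range(trials):
        year = 0.0
        for tp in portfolio:
            x = annual_loss(tp, rng)
            per_vendor[tp.name] += x
            year += x
        totals.append(year)
    totals.sort()
    expected = {n: s / trials for n, s in per_vendor.items()}
    return {"expected_loss": expected,
            "var95": quantile(totals, 0.95), "var99": quantile(totals, 0.99)}

# Constructed sample portfolio; every name and figure is illustrative.
PORTFOLIO = [
    ThirdParty("payroll-saas", volume=4.0, exploitability=0.30, impact_median=200_000),
    ThirdParty("cdn-provider", volume=1.0, exploitability=0.05, impact_median=50_000),
    ThirdParty("archived-vendor", volume=2.0, exploitability=0.0, impact_median=1_000_000),
]

if __name__ == "__main__":
    print(simulate(PORTFOLIO))
```

Changing one vendor's exploitability or impact and re-running shows how a control or contract change moves the tail figures, which is the scenario testing the first point refers to.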

For more on what to expect from risk management in 2026, check out the predictions report and webinar, and for more specific insights into cyber security and risk intelligence, register to attend our webinar on Key Questions CEOs Should Be Asking About Third-Party Cyber Risks on February 23, 2026. 
