Vendor-Provided Resources
Here you can find links to resources supplied by TPRA Vendor Members (TPRM Service Providers). Some of these resources require you to input information to obtain the document.
Note: TPRA does not support one particular service provider over another, nor do we benefit from providing you the links below. Read and implement at your own risk.
If you are a TPRA Vendor Member and have a resource or link you would like to see added to this page, please submit through our Vendor Submissions form, or send it to Meghan Schrader at meghan.schrader@tprassociation.org for review.
Center for Financial Professionals (CeFPro)
Supplier Stability In Operational Resilience 2025: Follow-Up Insights and Analysis
January 20, 2026
Supplier Stability in Operational Resilience 2025 examines how financial institutions are strengthening resilience as regulatory expectations intensify. Drawing on joint research from Escode and CeFPro, the report highlights critical gaps in supplier risk ownership, cloud dependency, and continuity planning, and explores how software escrow is emerging as a key component of resilience assurance.
Explore the findings to understand where resilience frameworks are succeeding, and where greater accountability is still needed.
Bitsight
Exposed: Cyber Risk in the Financial Sector and Its Supply Chain
January 9, 2026
The financial sector relies on a complex web of technology providers—but many of these third parties present hidden and under-monitored cyber risks. Bitsight analyzed over 41,000 financial organizations and 50,000 vendor relationships to identify the most critical suppliers and assess their cybersecurity performance. The findings reveal systemic risk, poor security hygiene among key vendors, and significant monitoring gaps across the sector.
Key Takeaways
Bitsight identified the 99 most critical third-party suppliers to the financial sector
Some of the largest vendors have the weakest security performance
Unmonitored suppliers have 2.9x more critical CVEs and 2.8x more KEVs
Financial institutions monitor only 36.3% of their vendors on average
Continuous monitoring correlates with improved visibility and stronger risk communication
Download the full report to understand where your greatest supply chain risks may be hiding—and how to proactively reduce exposure.
Bitsight
A Third-Party Risk Management Framework Template: 10 Critical Elements
January 9, 2026
Build a third-party risk management framework that stands up to today’s threats—and tomorrow’s scrutiny.
Third-party risk is no longer just a cybersecurity issue—it’s a business imperative. As regulatory demands tighten and digital ecosystems expand, organizations need a third-party risk management framework that goes beyond checkbox assessments and ad hoc processes.
This eBook serves as your third-party risk management framework template—a structured, scalable guide to managing vendor and third-party cyber risk at every stage of the vendor lifecycle. You’ll discover how to build a defensible, data-driven program that enables visibility, accountability, and continuous improvement.
Whether you're starting from scratch or enhancing an existing third-party risk management program, you’ll learn how to strengthen assessments, streamline workflows, and foster cross-functional collaboration—all while ensuring defensibility and speed.
Bitsight
Top Five AI Governance Questions To Ask in Your Vendor Risk Assessment
January 9, 2026
Is your vendor risk assessment process ready for the AI era?
Download this practical guide to modernizing how you evaluate third-party AI risk. Whether you're conducting a cybersecurity supply chain risk management review or onboarding new partners, this resource helps you dig deeper into how vendors govern, deploy, and secure AI technologies.
Continuity Strength
Vendor Risk Management Survey Results - 2025
January 8, 2026
Thank you to everyone who participated in our vendor risk management research this fall. We analyzed responses from 64 organizations across financial services (59%), technology, healthcare, and manufacturing to identify critical gaps in third-party risk programs. Key findings reveal systematic weaknesses where organizations have implemented initial programs but failed to mature core capabilities:
68.8% lack formal BCP support for vendors
47.2% operate with minimal or reactive monitoring
41.9% have no formal resilience scoring methodology
37.5% face significant assessment delays (5+ weeks)
We've organized the complete analysis into five focused reports so you can prioritize topics most relevant to your organization.
Each report includes detailed findings, industry-specific implications, regulatory context, and actionable solutions.
Select your priority reports here: https://continuitystrength.com/vendormgmtsurvey-2025-published-tpra
Looking forward to your feedback on the findings.
NetRise, Inc.
Gaining Device Software and Component Visibility at a Global Asset Management Firm
January 7, 2026
A leading global asset management firm manages trillions of dollars across offices on multiple continents. Its network relies on thousands of third-party devices, including firewalls, virtual private network (VPN) concentrators, branch routers, security cameras, and network access control systems. Despite a mature vulnerability management program, the firm lacked automated visibility into the device software and component inventory inside these systems. Vendor documentation was incomplete, and manual audits were time-consuming and inconsistent.
NetRise, Inc.
The Dependency Mirage: Hidden Vulnerabilities in Compiled Binaries
January 7, 2026
Most organizations trust their SBOMs and vulnerability scanners to reflect what’s running in production — but they don’t. In this RSA Conference session, Craig Heffner, Senior Staff Engineer at NetRise and creator of Binwalk, exposes how hidden dependencies and build-time decisions introduce vulnerabilities invisible to traditional security tools.
Drawing from real-world case studies, the talk reveals how manifest-based scanning reflects intent, not reality — and how Binary Composition Analysis (BCA) exposes what’s truly compiled into your software.
NetRise, Inc.
Fragile by Design: Large-Scale Evidence of Software Supply Chain Risk
January 7, 2026
The software supply chain is more fragile than most realize. In this ThreatCon keynote, NetRise Co-Founder and CEO Thomas Pace shares large-scale evidence from millions of analyzed binaries, firmware images, and software artifacts — revealing systemic risks that traditional AppSec tools overlook.
Learn why visibility into compiled code is the key to building true software assurance — and how NetRise is helping organizations uncover and address hidden vulnerabilities before they become front-page news.
NetRise, Inc.
A Conversation You Can’t Refuse With the Godfather of the SBOM
January 7, 2026
In this exclusive conversation, Tom and Allan explore the origins, evolution, and future of the Software Bill of Materials (SBOM)—from its inclusion in the 2021 White House Executive Order on improving the nation’s cybersecurity to the recently updated CISA minimum elements designed to strengthen software transparency and accountability.
They’ll unpack:
What drove the federal government to require SBOMs from software vendors
Why minimum SBOM standards are evolving—and what that means for security teams
How organizations can generate accurate, evidence-based SBOMs that go beyond compliance
Why visibility into the software you buy, build, or deploy has become central to national resilience
You’ll also hear their take on recent supply chain incidents—from the NPM compromise to the F5 breach—and discuss what it truly means to build resilience in a world where software trust can’t be blind.
NetRise, Inc.
NetRise Platform Data Sheet: Software Supply Chain Security, From the Inside Out
January 7, 2026
NetRise provides deep visibility into the compiled software running across devices, applications, operating systems, and critical infrastructure. By analyzing binaries—not declarations—you can finally see what’s actually executing in your environment and prioritize true software supply chain risk.
Get the full NetRise Platform Data Sheet to learn how our platform uncovers hidden components, misconfigurations, embedded secrets, unsafe libraries, and exploitable vulnerabilities—without requiring source code.