More Than 95% of Benelux Organizations Surveyed Have Been Victims of Supply Chain Cyberattacks

April 13, 2022

Approach to third-party risk management remains too inconsistent, putting companies at risk.

AMSTERDAM, April 13, 2022 - As many as 96% of organizations surveyed in the Benelux region experienced a cyberattack due to vulnerabilities in their supply chain. Belgium, Netherlands, and Luxembourg together score higher in this area than the global 93% average. This is evident from the global third-party cyber risk management survey by BlueVoyant, an industry-leading internal and external cybersecurity platform, among 1,650 chief information officers (CIOs), chief information security officers (CISOs), and chief procurement officers (CPOs) responsible for cyber risk management in their supply chain, including 277 respondents from the Benelux.

The survey results paint a worrying picture of increasing risks, limited visibility into suppliers, and limited awareness of cyber risks in the supply chain. In the past 12 months, organizations reported being victims of a cyberattack almost four times per year on average due to supply chain vulnerabilities. The global average reported in 2021 is 3.7 times per organization.

Managing Third-Party Cyber Risk Is Not a Priority, According to Respondents

More than nine in 10 organizations reported experiencing negative impacts from cyberattacks in their supply chain. This doesn't stop at one-off incidents, the survey found. More than half of organizations reported experiencing two to five attacks per year, with nearly a third saying they suffered six to 10 attacks. What is more, respondents say relatively little is done about these cyber incidents. More than 40% of those surveyed indicate that third-party cyber risks are not on their radar. This is significantly higher than what other countries report in the survey: there, less than 30% indicate that third-party cyber risks are not on their radar. Only a quarter report that third-party cyber risk is a key priority for their organization.

Little Control Over External Suppliers Reported

External suppliers are often overlooked by organizations, according to the survey. A striking 91% said they do not check their external suppliers for cybersecurity risks. More than 40% of organizations said they have no idea if there are problems with third parties. The oversight that does exist is poorly enforced, with 69% of respondents saying they check their suppliers every three months, or even less frequently. This indirectly leads to concerns about the visibility of vulnerabilities at suppliers, the survey found.


Although vendor risk management budgets have increased, spending lacks strategic focus, the survey found. Nearly half of Benelux organizations report that budgets are increasing by between 51% and 100%. Another 16% report increases of more than 100%.

"It is worrying that companies in Benelux are giving limited priority to third-party or vendor cyber risk management, despite the increasing risks due to the ever-widening potential attack surface and increasingly sophisticated cyber threats," said Richard Wolters, director of European marketing at BlueVoyant. "This does not surprise me, given the often fragmented approach in vendor cyber risk monitoring. With the number of growing cyber incidents linked to weaknesses in supply chains, many organizations are struggling to determine how to spend their cybersecurity budgets. While it is possible that Benelux companies are investing in supplier cyber risk management, it is still unclear to what extent these budgets can be used effectively and in a planned manner. It is important to change this in the short term in order to reduce the risk of cyber incidents."

About the Research

BlueVoyant launched its second annual survey in the summer and winter of 2021, conducted by the independent research organization Opinion Matters. Twelve-hundred CIOs, CISOs, and CPOs responsible for supply chain and cyber risk management were surveyed at companies with more than 1,000 employees in a range of industries, including: business services, financial services, healthcare and pharmaceuticals, manufacturing, utilities and energy, and defense.

To gain a global perspective, the survey was conducted in the following countries: U.S., Canada, Germany, Netherlands, U.K., and Singapore. Two more European reports were then commissioned, surveying 450 more respondents across Europe in January 2022, bringing the total to 1,650 respondents. Two-hundred seventy-seven respondents were from the Benelux countries - Netherlands (127), Belgium, and Luxembourg.

Get the full Benelux BlueVoyant research report: "Global Insights - Managing Cyber Risk Across the Extended Vendor Ecosystem."

About BlueVoyant

At BlueVoyant, we recognize that effective cybersecurity requires active prevention and defense across both your organization and supply chain. Our proprietary data, analytics, and technology, coupled with deep expertise, work as a force multiplier to secure your full ecosystem.

Accuracy. Actionability. Timeliness. Scalability.

Founded in 2017 by former Fortune 500 and former government cyber officials, BlueVoyant is headquartered in New York City and has personnel in Washington, D.C., Maryland, San Francisco, Israel, Philippines, Canada, U.K., Spain, Australia, Hungary, Czech Republic, Romania, Slovakia, Netherlands, Belgium, Germany, Sweden, Denmark, El Salvador, Colombia, Mexico, and Panama.

Media Contacts

Richard Wolters
T: +31(0)6 41273540

Jennifer Schlesinger
T: +1 201.397.4976