In the majority of significant breaches reviewed over the past decade, a third party was somewhere in the chain. Vendor questionnaires sent once a year are not a TPRM program — here is what one actually looks like.