MOVEit. Okta. The London Metropolitan Police. LastPass. Change Healthcare. HCA. Anthem. Perry Johnson & Associates (PJ&A). What do these seemingly unrelated organizations have in common? Each was either the victim of a security incident that came through a third party in the last year or was the third party that was breached.
2023 was indeed a banner year for third-party breaches, yet data from the fifth annual Prevalent Third-Party Risk Management Study shows that organizations are making very little progress in mitigating the risks of third-party security incidents. Considering the increasing regulatory oversight into the use of new attack vectors such as AI as well as mandatory cybersecurity disclosures, organizations must leverage all the tools at their disposal to maintain a watch against spreading third-party breaches.
This post examines the five key trends from this year’s study and recommends three best practices to get the right organizational focus on third-party risk management.
Echoing previous years’ study results, the top concern facing organizations in their use of third parties this year, by far, at 74%, is a data breach or other security incident. The reason behind this concern is quite apparent: 61% of respondents said they experienced a third-party data breach or other security incident in the last 12 months. This represents a significant 49% increase over the 2023 survey results and a threefold increase since 2021.
This increase in breaches comes at a time when Information Security, Risk Management, and Data Privacy teams are more involved in third-party risk, and breaches are why. In fact, the only risk type tracked more this year than last year is Cybersecurity risk (58%).
However, putting out TPRM fires isn’t as straightforward as the data would suggest. While the Information Security team typically owns the TPRM program, Business Owners own the third-party relationship and Procurement manages the database of vendors/suppliers.
The complex ownership paradigm between Security, Business Owners, and Procurement leads us to ask the question: Who’s really on fire watch?
The good news is that the vast majority of organizations report having a third-party risk management (TPRM), IT vendor risk management (VRM), or supplier risk management (SRM) program in place. But the bad news is that 50% of those same companies indicated that they still use spreadsheets to assess those third-party vendors and suppliers – consistent with previous years’ study results. That’s like trying to put out a forest fire with a blanket.
The largest year-over-year growth in tool usage, however, comes from security rating services. Growing usage of security rating services could be tied to a greater percentage of companies that reported a third-party data breach or security incident in the last 12 months, which could lead to a need for increased visibility into cybersecurity incidents and monitoring for those risks (see Finding #1).
The key takeaway here is that organizations do not rely on a single tool to address their third-party risks – they instead use multiple tools. But are they the right tools?
Cybersecurity is the only type of risk noted in this survey that has a higher percentage of respondents tracking via monitoring feeds (75%) vs. questionnaire-based assessments (61%). Both methods are important, but an over-reliance on monitoring feed data could limit an organization’s ability to inspect their third parties’ internal controls and practices and take action to remediate those risks.
And, not everyone seems satisfied with their current method of assessing third parties – especially when it comes to assessing risks at every vendor lifecycle stage, and whether it delivers automation and reporting for compliance.
Our take is this: Organizations may not be inspecting the brush where fires typically originate.
Organizations manage only about 33% of the third parties they work with. Aside from the general tool and method dissatisfaction examined in Finding #2, this low percentage of vendors managed might have to do with understaffing: 37% of respondents said they had between 1 and 4 people currently involved in assessing third parties, and 37% said they needed between 5 and 9 people.
In fact, the number one barrier that organizations say is preventing their TPRM program adoption or growth, cited by 63% of respondents, is a lack of resources. Being understaffed by a factor of 2 means there are far too many unassessed vendors exposing the organization to too much risk.
A lack of program coordination might also be a concern. More than half of respondents (51%) indicated there is some coordination across the organization, with a surprisingly small 31% of respondents indicating a highly coordinated program.
Without the right amount of resources and leadership, that TPRM fire can quickly get out of control.
Data from this year’s study shows that between 85% and 87% of companies track risks from the sourcing and selection stage through the ongoing risk monitoring stage of the third-party lifecycle, an improvement over the 2023 study results, but only 74% to 79% of companies track SLA and offboarding risks later in the relationship lifecycle. Although this is also an improvement over last year’s study results, a lack of SLA visibility and of post-contract breach risk visibility could be problematic for organizations if they do not assess risks at these stages with the same frequency as at other stages.
What’s more interesting is the disparity between the percentage of organizations tracking risks and those actually remediating them. Nowhere is that disparity greater than in the Sourcing and Selection stage of the life cycle. Although organizations do well in tracking risks at this stage (85%), only 29% remediate what they find. Moreover, only 46% of companies report remediating risk as a result of Risk Assessments – the stage where risks should absolutely be mitigated! You can’t put a fire out by simply watching it burn.
This year’s study showed that although just 5% of companies say they actively use AI in their TPRM programs, 61% are investigating its use cases. 25% firmly say they have no plans to use AI. The reason for this is that nearly half of those companies (49%) have no organizational strategy in place for AI.
Yet companies see value in AI. For organizations that are using it or considering using it, the top use cases are reporting, speeding up questionnaire completion, and collating data from multiple sources. There is tremendous potential for organizations to leverage this tool in their programs, and it may help them reduce the resourcing challenges exposed in Finding #3.
The results of this study demonstrate that many programs struggle with manual processes that limit risk, lifecycle, and vendor coverage, making TPRM firefighting cumbersome and time-consuming and risking the spread of those fires. Here are three actionable steps to improve TPRM firefighting.
Although most companies report having a TPRM program in place, it is unclear how well these teams collaborate within their programs. This segmented approach may be a case of teams focusing on their individual responsibilities without a collective vision, hence missing the “forest” of enterprise-wide risk management for the “trees” of department-specific goals.
Increasing the incidence of risk remediation is critical to truly gaining the most business value from a TPRM program. Create cross-functional teams with clear ownership responsibilities and extend that ownership all the way through to risk remediation.
Half of companies report still using spreadsheets along with a complicated set of tools to assess and manage their third parties. Organizations seeking new tools should seek out solutions that:
A more comprehensive workflow-driven approach will aid in covering shortfalls in risk coverage, the risk lifecycle, and in enforcing remediations (noted in the recommendation above).
Data from this year’s study shows that a lack of resources is the single biggest obstacle to TPRM program success. That lack of resources translates to 67% of vendors not being adequately managed. To overcome resource limitations, consider outsourcing all or part of your TPRM program to expert managed services providers. In concert with managed services, investigate the use of AI to speed TPRM reporting, questionnaire completion, and data collation from multiple sources. When considering AI, ensure:
Download the full study results and gain access to the complete data, findings, and recommendations to compare your TPRM program against organizations like yours. You will also be able to access an infographic that summarizes the key findings and is sharable with your team. Or, request a demonstration with Prevalent to learn how to put these findings into action.