Third-party relationships are increasingly in the news, and not for good reasons. Third-party-related data breaches are up, supply chains remain strained by geopolitical and labor issues, and organizations still struggle to retain the staff they need.
As we close out 2023 in a complicated economic climate, it’s vital for third-party risk management teams to plan how they will address their most significant risks. Based on our analysis, the most significant risks to worry about in the new year fall into six categories: cybersecurity, reputational, business continuity, safety and reliability, environmental, social and governance (ESG), and bribery and corruption risk.
This blog post covers each of these third-party risks and provides context around why they matter, especially as we enter the new year.
Third-party cybersecurity risk is the potential exposure to the confidentiality, integrity or availability of IT infrastructure and data that an organization takes on by working with third parties, whether vendors, suppliers, or other business partners. It is often conflated with IT vendor risk management, which is typically “owned” by the information security team, but it is increasingly viewed as a strategic business risk and is gaining attention beyond IT and security teams. In fact, according to Proofpoint, more board members are paying closer attention to cybersecurity than ever before.
Some of the most important risks facing 21st century supply chains are data breaches and other cyber incidents. These incidents can jeopardize suppliers, their customers, and even their customers’ customers. In many cases, large enterprises will have robust cybersecurity programs, but these don’t always extend to third-party organizations that may have substantially less cybersecurity knowledge and capability. The largest companies with the most robust security programs will therefore still face potential exposures from smaller suppliers who are unlikely to have the same resources to devote to securing critical data.
Our recent study validates the cybersecurity risk inherent in the supply chain: 41% of companies experienced an impactful third-party data breach in the last 12 months. The MOVEit Transfer hack is one such example. The vulnerability (CVE-2023-34362, a SQL injection flaw that was being exploited before a patch was available) was first disclosed in May 2023, and 1,000+ companies and more than 60 million individuals had been impacted as of the end of September. The full impact of the resulting data breaches isn’t known yet, and likely won’t be for several months, but it cannot be overemphasized how many organizations have been breached through this single vulnerability in a widely used vendor product.
Third-party cybersecurity risk doesn’t only involve data breaches. There is also software supply chain risk, which comes both from vulnerabilities in widely used components, such as Log4Shell (CVE-2021-44228) in December 2021, which triggered a massive patching effort across industries, and from deliberate attacks, such as the 2020 SolarWinds breach, in which attackers compromised the company’s build process to ship a backdoor in signed software updates to thousands of organizations. More recently, the Citrix NetScaler ADC and Gateway zero-day (CVE-2023-3519), an unauthenticated remote code execution bug, had the potential to impact thousands of organizations.
A few of the other cybersecurity risks to be aware of in 2024 include:
In 2024, organizations seeking to mitigate cybersecurity risk need to review which suppliers have access to their systems and what level of access each third party holds. The principle of least privilege applies very well to suppliers and service providers: limiting each vendor account to only what the contract strictly requires, time-bounding that access, requiring MFA on it, and revoking it when the engagement ends limits what an attacker can do with a compromised vendor credential. Companies should also understand the exposure of their suppliers through robust analysis of the suppliers’ internet-exposed assets. This is in addition to understanding vendors’ security policies and how critical data will be protected while it is shared between the parties.
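The access review described above, as an added worked example written for this post (it is not Prevalent’s code or product). It assumes you have already exported third-party accounts from your identity provider or cloud IAM into records like the constructed sample at the bottom; the field names, the coarse read/write/admin privilege ordering, and the vendor names are all assumptions, not a real product’s schema.

```python
"""Least-privilege review of third-party (vendor) access.

Added example, not Prevalent's code. Assumes vendor accounts have been
exported from an IdP / cloud IAM into VendorAccess records; the schema
and the privilege ordering below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Assumed coarse privilege ordering, broadest last.
PRIVILEGE_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class VendorAccess:
    vendor: str
    account: str
    granted: str                  # privilege the system actually grants
    contracted: str               # maximum privilege the contract/SOW justifies
    last_used: Optional[date]     # None = never used since provisioning
    mfa: bool
    shared: bool = False          # one credential shared by several vendor staff
    contract_end: Optional[date] = None


@dataclass(frozen=True)
class Finding:
    vendor: str
    account: str
    kind: str      # OVER_PRIVILEGED | CONTRACT_ENDED | DORMANT | NO_MFA | SHARED_CREDENTIAL
    detail: str


def target_privilege(rec: VendorAccess, today: date, stale_after_days: int = 90) -> str:
    """Privilege the account should hold under least privilege.

    Access is removed entirely when the contract has ended or the account is
    dormant; otherwise it is capped at what the contract justifies.
    """
    if rec.contract_end is not None and rec.contract_end < today:
        return "none"
    if rec.last_used is None or (today - rec.last_used).days > stale_after_days:
        return "none"
    return rec.contracted


def review_access(records: List[VendorAccess], today: date,
                  stale_after_days: int = 90) -> List[Finding]:
    """Flag vendor accounts whose access exceeds what least privilege allows."""
    findings: List[Finding] = []

    def flag(r: VendorAccess, kind: str, detail: str) -> None:
        findings.append(Finding(r.vendor, r.account, kind, detail))

    for r in records:
        if r.contract_end is not None and r.contract_end < today and r.granted != "none":
            flag(r, "CONTRACT_ENDED", f"contract ended {r.contract_end}, still holds {r.granted}")
        if PRIVILEGE_RANK[r.granted] > PRIVILEGE_RANK[r.contracted]:
            flag(r, "OVER_PRIVILEGED", f"granted {r.granted}, contract justifies {r.contracted}")
        if r.last_used is None:
            flag(r, "DORMANT", "never used since provisioning")
        elif (today - r.last_used).days > stale_after_days:
            flag(r, "DORMANT", f"last used {r.last_used}, {(today - r.last_used).days} days ago")
        if not r.mfa and PRIVILEGE_RANK[r.granted] >= PRIVILEGE_RANK["write"]:
            flag(r, "NO_MFA", f"{r.granted} access without MFA")
        if r.shared:
            flag(r, "SHARED_CREDENTIAL", "credential shared across vendor staff; no individual accountability")
    return findings


def remediation_plan(records: List[VendorAccess], today: date) -> dict:
    """Map each account to the privilege it should be reduced to, where that differs."""
    plan = {}
    for r in records:
        target = target_privilege(r, today)
        if target != r.granted:
            plan[r.account] = target
    return plan


# Constructed sample inventory: fictional vendors, accounts and dates.
TODAY = date(2024, 1, 15)
SAMPLE_INVENTORY = [
    VendorAccess("Acme Backup Co", "svc-acme-backup", "admin", "write",
                 date(2024, 1, 14), mfa=True, contract_end=date(2024, 12, 31)),
    VendorAccess("Northwind Analytics", "northwind-ro", "read", "read",
                 date(2023, 9, 1), mfa=True),
    VendorAccess("Contoso Support", "contoso-support", "write", "write",
                 date(2024, 1, 10), mfa=False, shared=True),
    VendorAccess("Fabrikam Integrators", "fabrikam-deploy", "admin", "admin",
                 date(2023, 12, 20), mfa=True, contract_end=date(2023, 12, 31)),
    VendorAccess("Tailspin Payroll", "tailspin-api", "read", "read",
                 date(2024, 1, 12), mfa=True),
]

if __name__ == "__main__":
    for f in review_access(SAMPLE_INVENTORY, TODAY):
        print(f"{f.vendor:22} {f.account:18} {f.kind:18} {f.detail}")
    print(remediation_plan(SAMPLE_INVENTORY, TODAY))
```

Run against the sample, the review produces five findings (one over-privileged service account, one dormant read-only account, a shared write account without MFA, and an admin account whose contract has already ended) and a remediation plan that reduces three accounts. The point of separating `target_privilege` from the findings is that the same rule set drives both the report and the actual revocation, so the review is not just a spreadsheet exercise.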
Further, organizations need to review their own regulatory compliance needs and those of their suppliers to ensure that everyone is aligned on which regulations must be adhered to. Tracking those regulations and conducting vendor risk assessments with a solution like the one Prevalent offers can go a long way toward understanding precisely what level of risk each vendor presents. As third-party security incidents continue, a full accounting of cybersecurity risk in the supply chain becomes more and more critical.
Reputational risks encompass threats to the name, goodwill, or credibility of a business that can ultimately affect its revenue. While reputational risk is difficult to quantify and comes in many forms, whether self-inflicted or arising from third-party business associations, it can spark business disruptions, fines, penalties, and lost revenue as severe as those from more tangible risks.
Supplier reputational risks include:
Negative news or adverse media coverage of unethical hiring practices, product quality issues, criminal activity, and environmental disasters also count as reputational risk. These adverse events can trigger pressure campaigns against organizations doing business with the supplier. The problem is that reputational risk is nebulous to monitor and account for, in addition to being difficult to spot, and the impact of negative press on your business is hard to quantify. Despite this, brand reputation has become more important in the past few years as a reflection of business success.
In response to these reputational risks, organizations need to implement comprehensive supply chain partner pre-screening that includes intelligence related to human rights, anti-bribery, and environmental practices. In addition to pre-screening, there needs to be regular assessments against industry best practices and regulations.
In 2024, organizations should also consider continuous reputational monitoring. Monitoring sources should include supplier news, financials, sanctions lists, politically exposed persons (PEPs), state-owned enterprises and more, and will help to flag important events. Further, organizations should be aware of their Nth parties: risk doesn’t end with your direct suppliers. That’s why it’s important to identify and visualize the relationships between your organization and its third, fourth and Nth parties to discover dependencies and risks.
Lastly, compliance reporting needs to be simplified. Many regulatory regimes require organizations to monitor activity in their supply chains. The fastest, least-complex approach to audit reporting is to automatically map any vendor risk assessments to any regulation or framework.
Business continuity supply chain risks can take many forms. For instance, a key supplier could declare bankruptcy and be unable to deliver on its contracts. In fact, some studies show that 25% of businesses have been affected by the financial failure of a supplier in the past year.
Mergers and acquisitions can also signal a change in strategy or market consolidation that could impact service delivery, prices, or contract terms. In addition, leadership turnover or legal trouble can impact an organization’s culture, strategy, and ability to execute against goals.
When evaluating potential vendors, it is critical to understand the organization's financial situation, existing contractual obligations, and other factors that could prevent them from effectively executing your contract. The less due diligence that is performed before onboarding a vendor, the more likely you are to experience a significant business disruption.
Implement a formal and documented third-party business resilience and continuity plan to manage these risks. Vendors should be evaluated uniformly based on a predetermined set of metrics that make it easy to compare competing vendors and identify potential suppliers that may have difficulty fulfilling their contractual obligations.
Safety and reliability are two important aspects of risk management that deal with the prevention and mitigation of potential hazards and failures that may affect the performance, quality, or functionality of a product, system, or process. Safety and reliability are often related, but not identical, concepts. Safety focuses on the protection of people, property, and the environment from harm, while reliability focuses on the probability of a product, system, or process to perform its intended function under specified conditions for a given period.
Safety and reliability can be considered as a risk category when evaluating the potential consequences and likelihood of adverse events that may occur due to faults, errors, defects, or malfunctions in a product, system, or process. Safety and reliability risks can have significant impacts on the customer satisfaction, reputation, compliance, and profitability of an organization. Therefore, it is essential to identify, assess, and manage safety and reliability risks throughout the product life cycle, from design to operation to disposal.
One of the standards that provides a framework for safety and reliability risk management is ISO 13849-1, which defines categories and performance levels for the safety-related parts of a control system. Categories describe the structural arrangement (architecture) of the safety function and its behaviour under faults, while performance levels (PL a through e) are defined by the average probability of a dangerous failure per hour, which is derived from the category, the mean time to dangerous failure of the components, and the diagnostic coverage of the system.
Another standard that addresses safety and reliability risk management is IEC 61508, which defines safety integrity levels (SIL 1 through 4) for the functional safety of electrical, electronic, and programmable electronic systems. Safety integrity levels are based on the average probability of failure on demand for low-demand safety functions, and on the average frequency of dangerous failures per hour for high-demand or continuous-mode functions.
For third-party risk management teams, this can mean asking questions about the overall safety practices and maintenance schedules of key suppliers. Safety risks become especially vital to understand in heavy industries, such as manufacturing, or in the resource extraction sector such as mining or oil & gas. Reliability of machinery is also a factor, which is why understanding maintenance practices is so crucial. Understanding these practices among suppliers can help organizations build contingency plans into their workflow in case a safety or reliability event occurs and risks interruption to the supply chain.
Environmental, social and governance risks relate to a wide spectrum of corporate conduct. Often, they can be difficult to detect until they reach the front pages of major news sites. By that point, the company’s reputation may already be tarnished or in danger of being tarnished. Typically referred to as “ESG,” this risk category includes:
ESG risks are on the rise as corporations face increasing scrutiny from regulators, auditors, and consumers. Environmental risks include climate change and how companies plan to account for shifting weather patterns and natural disasters. More attention is also being paid to “forever chemicals” such as PFAS in addition to other climate-related risks.
Management of ESG goes together with risk and compliance. Proper oversight of ESG requires expertise in third-party risk management and compliance with associated regulations. Companies’ ESG responsibilities and management of third-party risk heavily intersect due to the complexity of modern-day supply chains.
Regulatory pressure is also growing. The U.S. Securities and Exchange Commission (SEC) proposed rules requiring “certain climate-related information in their registration statements and annual reports,” including “upstream and downstream value chains.” The European Union (EU) Parliament presented mandates that EU businesses “identify and, where necessary, prevent, end or mitigate adverse impacts of their activities on human rights, such as child labour and exploitation of workers, and on the environment, for example pollution and biodiversity loss.”
ESG risks can be difficult to mitigate due to the multi-faceted nature of the category. As with financial risk, it’s important to include ESG reviews during the initial due diligence process for prospective vendors – prior to signing any contracts. Since multiple ESG-focused regulations are now holding companies accountable for issues like bribery and slavery in their supply chains, it’s critical to conduct relationship mapping and 4th- and Nth-party risk analysis to uncover any potential supply chain issues that could shed negative light on your organization.
In 2024, these risks look to be even more acute. Climate change is a growing risk category in the face of multiple extreme weather events, such as the June 2023 wildfires in Canada, ice storms in Texas in February, and uncommon heatwaves in Australia in September. This necessitates taking a harder look at environmental risks, especially as they relate to supply chain resilience.
Additionally, social accountability risks look to be on the rise. Regulations on modern slavery and child labor, as previously mentioned, are growing throughout the world. Governments in Europe, North America, and Asia Pacific have started to pay closer attention to working conditions in manufacturing facilities globally. As more consumers make socially conscious purchase decisions, companies need to take a harder look at their corporate social responsibility policies and keeping their suppliers accountable.
Bribery and corruption risk will continue to be a challenge in 2024. The U.S. Foreign Corrupt Practices Act (FCPA) continues to be strictly enforced for companies seeking to do business in the United States, and other jurisdictions also have anti-corruption legislation for local and foreign businesses. Collectively, third-party relationships represent one of the most significant bribery and corruption risk exposures to organizations.
When unpacking FCPA bribery and corruption enforcement actions, Stanford Law School discovered that over 90% of incidents involve a third-party intermediary. All third parties who act as agents of a company – such as distributors, sales representatives, brokers, consultants, freight forwarders, lobbyists – can expose the organization to liability for bribery and corruption.
In fact, a company can be held liable for the actions of its third parties, even if the company claims to have no knowledge of an incident. Often, all that is needed for an indictment is a "high probability" of bribery or evidence that a company was "willfully blind" to a third party’s corruption on their behalf.
Enforcement of anti-bribery and anti-corruption (ABAC) laws is expanding. In the United Kingdom, the Serious Fraud Office (SFO) has expanded its enforcement activities. And the European Union’s Directive on Mandatory Human Rights, Environmental, and Good Governance Due Diligence will require significant due diligence from organizations operating in EU countries, with ABAC falling under the Good Governance section.
In 2024, concerns about bribery and corruption will continue to grow among organizations in countries with aggressive enforcement. The long arm of the U.S. FCPA is also likely to continue given the importance of the United States as an international market and source of finished goods. Companies under the jurisdiction of the FCPA and other anti-corruption measures would do well to analyze the financial situation of their vendors to ensure that they are not caught up in any activities that could trigger a corruption investigation.
Companies face an increasingly problematic third-party risk environment. The number and variety of risks in the categories outlined above, including cyberattacks, continuity risk, reputational concerns, and more, will likely make conducting business more difficult in 2024.
It behooves organizations large and small to take a hard look at their 2024 TPRM strategies, making sure that they account for the complexity of their risk environment and quantify the real impact of the risks outlined in this report. Further, organizations should prioritize these risk categories based on their corporate strategies. Cybersecurity could be a bigger concern than reputational risk in 2024, for example, prompting risk managers to emphasize inoculating the organization against cyber threats. Similarly, perhaps business continuity is a higher priority. Ultimately, organizations need to make those judgements and focus on reducing or mitigating the risks that are of greatest concern to their businesses.
For more on how Prevalent can help manage your third-party risk program, sign up for a demo today.