A staggering 48% of companies still depend on spreadsheets, while 41% reported experiencing an impactful third-party breach in the last year
Prevalent, Inc., the company that takes the pain out ofthird-party risk management (TPRM), today announced a new report, The 2023 Third Party Risk Management Study: How Are Organizations Avoiding TPRM Turbulence?, which provides deep insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide.
The findings clearly illustrate that 2022 was a turbulent year for the practice of third-party risk management (TPRM). Over the past year, organizations dealt with the fallout from theRussian invasion of Ukraine and resulting supply chain disruptions, damaging and widespread third-party breaches and security incidents (includingLastPass,OpenSSL,Okta,Toyota, and several inhealthcare), and emerging regulatory oversight in areas beyond IT security such asESG. While organizations have matured their TPRM programs sincelast year’s study, there is still more work to do.
Key findings from the 2023 Third-Party Risk Management Study include:
41% of companies experienced an impactful third-party breach in the last 12 months but rely on overlapping tools and manual processes which slows incident response.
An overwhelming majority of companies (71%) report that the top concern regarding the usage of third parties is a data breach or other security incident due to poor vendor security practices. However manual methods still persist, with a disappointingly large percentage of companies using spreadsheets and an increasing percentage using news feeds to learn about breaches. The good news is that companies not monitoring for third-party breaches dropped from 12% to 4%.
Third-party data breaches and security incidents are driving increased information security involvement in TPRM.
70% of respondents report that Information Security (InfoSec) is more involved in third-party risk management than ever, and 71% indicate that InfoSec fully owns the TPRM program. 62% of respondents to this year’s study indicated that third-party data breaches and security incidents were top drivers behind increased involvement in third-party risk management.
Nearly half of companies continue to use spreadsheets.
A disappointing trend continues in 2023 as a growing number of organizations (48%) are using spreadsheets to assess third parties. This percentage is up from 2022 and 2021, where 45% and 42% of companies, respectively, said they were using spreadsheets. The good news is that only 4% of respondents indicated that they are not currently assessing third parties at all, which continued a downward trend from 2021 (10%) and 2022 (8%).
There is a huge gap between tracking and remediating risks across the lifecycle – and on average 20% of companies are doing nothing.
Not surprisingly, the Offboarding and Termination stage of the third-party relationship lifecycle sees the lowest percentage of companies tracking (47%) and remediating (38%) risks, and the highest percentage of companies doing nothing at all (39%). The significant gap between tracking and remediating risks in the Initial Assessment and Sourcing and Pre-Contract Due Diligence stages is especially surprising, as these are the primary stages to discover and remediate risks before they impact the organization.
“Year over year we continue to see a significant increase in supply chain disruptions and widespread third-party security incidents,” stated Brad Hibbert, chief strategy officer for Prevalent. “And although this survey illustrates that organizations are making third-party risk management programs a priority with more people across the organization involved and only 4% reporting that they’re not monitoring their third-party suppliers, there is still more to do. Companies need to ditch manual processes for good and partner with an automated TPRM solution to manage risks across the third-party risk lifecycle.”
The results of this study demonstrate that TPRM teams are making progress toward a more strategic approach to TPRM, but four areas require additional improvements to keep companies on track:
- Automate Incident Response to Reduce Costs and Risk Exposure
Shortening the gap between incident discovery and mitigation can reduce costs and limit the company’s risk exposure withautomated incident response processes. Eliminate spreadsheets or overlapping tools that only tell part of the incident’s origin story. - Build a Single Source of the Truth to Eliminate Silos and Extend Risk Visibility Throughout the Enterprise
Results from this study show that, although information security risks are considered the most important, multiple enterprise teams are involved in third-party risk management – each with their own goals, workflows, assessment processes, and risks to review. Unify all internal teams with a single set of workflows, third-party risk profiles, assessments, and reporting. - Do Away with Spreadsheets and Automate Assessment and Monitoring Processes Across the Lifecycle
Invest in a solution that centralizescontract lifecycle management to ensure key contractual provisions are tracked throughout the lifecycle; offers remediation guidance to ensure offboarded vendors meet company compliance and security requirements to an acceptable level of risk; and delivers a prescriptive process to address final tasks and report according to compliance requirements. - Remediation
Data from this study shows a significant fall-off between risk tracking and remediation. To remediate risks to an acceptable level to the business (or to require proof of compensating controls in the place of specific remediations), leverage a third-party risk management platform with built-in remediation recommendations.
Visit AITechPark for cutting-edge Tech Trends around AI, ML, Cybersecurity, along with AITech News, and timely updates from industry professionals!
