61% of Companies Have Been Breached by a Third Party: Find Out Why

Read the findings from our annual TPRM study and implement these best practices to put out TPRM fires.
By: Scott Lang, VP, Product Marketing
May 08, 2024

MOVEit. Okta. The London Metropolitan Police. LastPass. Change Healthcare. HCA. Anthem. Perry Johnson & Associates (PJ&A). What do these seemingly unrelated organizations have in common? Each was either the victim of a security incident that came through a third party in the last year or was the third party that was breached.

2023 was indeed a banner year for third-party breaches, yet data from the fifth annual Prevalent Third-Party Risk Management Study shows that organizations are making very little progress in mitigating the risks of third-party security incidents. With regulators increasing their oversight of new attack vectors such as AI and mandating cybersecurity disclosures, organizations must use every tool at their disposal to keep watch against spreading third-party breaches.

The 2024 TPRM Study eBook

Discover the trends, challenges, and initiatives impacting third-party risk management (TPRM) practitioners worldwide with this comprehensive, 26-page report.


This post examines the five key trends from this year’s study and recommends three best practices to get the right organizational focus on third-party risk management.

Finding #1: Many departments are involved with responding to TPRM fires, but no one is leading.

Echoing previous years’ study results, the top concern facing organizations in their use of third parties this year (by far, at 74%) is a data breach or other security incident. The reason behind this concern is quite apparent: 61% of respondents said they experienced a third-party data breach or other security incident in the last 12 months. This represents a significant 49% increase over the 2023 survey results and a three-fold increase since 2021.

This increase in breaches comes at a time when Information Security, Risk Management, and Data Privacy teams are more involved in third-party risk, and breaches are why. In fact, the only risk type tracked by more respondents this year than last year is Cybersecurity risk (58%).

However, putting out TPRM fires isn’t as straightforward as the data would suggest. While the Information Security team typically owns the TPRM program, Business Owners own the third-party relationship and Procurement manages the database of vendors/suppliers.

The complex ownership paradigm shared between Security, Business Owners, and Procurement leads us to ask the question: Who’s really on fire watch?

Finding #2: Companies aren’t always using the right tools to put out TPRM fires.

The good news is that the vast majority of organizations report having a third-party risk management (TPRM), IT vendor risk management (VRM), or supplier risk management (SRM) program in place. But the bad news is that 50% of those same companies indicated that they still use spreadsheets to assess those third-party vendors and suppliers – consistent with previous years’ study results. That’s like trying to put out a forest fire with a blanket.

The largest year-over-year growth in tool usage, however, comes from security rating services. This growth could be tied to the greater percentage of companies that reported a third-party data breach or security incident in the last 12 months, which would drive a need for increased visibility into cybersecurity incidents and continuous monitoring of those risks (see Finding #1).

The key takeaway here is that organizations do not rely on a single tool to address their third-party risks – they instead use multiple tools. But are they the right tools?

Cybersecurity is the only type of risk noted in this survey for which a higher percentage of respondents track it via monitoring feeds (75%) than via questionnaire-based assessments (61%). Both methods are important, but an over-reliance on monitoring feed data could limit an organization’s ability to inspect its third parties’ internal controls and practices and to take action to remediate those risks.

And not everyone seems satisfied with their current method of assessing third parties, especially when it comes to assessing risks at every vendor lifecycle stage and whether the method delivers automation and reporting for compliance.

Our take is this: Organizations may not be inspecting the brush where fires typically originate.

Finding #3: It takes resources to put out TPRM fires, but most organizations lack the manpower and coordination.

Organizations only manage about 33% of the third parties they work with. Aside from the general tool and method dissatisfaction examined in Finding #2, this low percentage of vendors managed might have to do with understaffing. 37% of respondents said they had between 1 and 4 people currently involved in assessing third parties, and 37% said they needed between 5 and 9 people.

In fact, the number one barrier to TPRM program adoption or growth, cited by 63% of respondents, is a lack of resources. Being understaffed by a factor of 2 means there are far too many unassessed vendors exposing the organization to too much risk.

A lack of program coordination might also be a concern. More than half of respondents (51%) indicated there is some coordination across the organization, with a surprisingly small 31% of respondents indicating a highly coordinated program.

Without the right amount of resources and leadership, that TPRM fire can quickly get out of control.

Finding #4: You can’t put a TPRM fire out by just watching it burn.

Data from this year’s study shows that between 85% and 87% of companies track risks from the sourcing and selection stage through the ongoing risk monitoring stage of the third-party lifecycle (an improvement over the 2023 study results), but only 74% to 79% of companies track SLA and offboarding risks later in the relationship lifecycle. Although this is also an improvement over last year’s study results, a lack of visibility into SLA and post-contract breach risks could be problematic for organizations that do not assess risks at these stages with the same frequency as at other stages.

What’s more interesting is the disparity between the percentage of organizations tracking risks and those actually remediating them. Nowhere is that disparity greater than in the Sourcing and Selection stage of the lifecycle. Although organizations do well in tracking risks at this stage (85%), only 29% remediate what they find. Moreover, only 46% of companies report remediating risk as a result of Risk Assessments – the stage where risks should absolutely be mitigated! You can’t put a fire out by simply watching it burn.

Finding #5: Fighting TPRM fires can be aided by new technologies.

This year’s study showed that although just 5% of companies say they actively use AI in their TPRM programs, 61% are investigating its use cases. 25% firmly say they have no plans to use AI, and the reason is that nearly half of them (49%) have no organizational strategy in place for AI.

Yet companies see value in AI. For organizations that are using it or considering using it, the top use cases are reporting, speeding up questionnaire completion, and collating data from multiple sources. There is tremendous potential for organizations to leverage this tool in their programs, and it may help them reduce the resourcing challenges exposed in Finding #3.

The 2024 TPRM Study Infographic

Review key statistics from our study of organizations seeking to step up their watch against third-party breaches.

Recommendations

The results of this study demonstrate that many programs struggle with manual processes that limit risk, lifecycle, and vendor coverage, making fighting TPRM fires cumbersome and time-consuming and risking their spread. Here are three actionable steps to improve TPRM firefighting.

Create cross-functional teams and establish clear TPRM ownership to ensure that remediations are enforced

Although most companies report having a TPRM program in place, it is unclear how well these teams collaborate within their programs. This segmented approach may be a case of teams focusing on their individual responsibilities without a collective vision, hence missing the “forest” of enterprise-wide risk management for the “trees” of department-specific goals.

Increasing the incidence of risk remediation is critical to truly gaining the most business value from a TPRM program. Create cross-functional teams with clear ownership responsibilities and extend that ownership all the way through to risk remediation.

Automate TPRM processes around a single platform to unify teams, data, and the risk lifecycle

Half of companies report still using spreadsheets along with a complicated set of tools to assess and manage their third parties. Organizations seeking new tools should look for solutions that:

  • Centralize both assessment and monitoring in a single platform to improve visibility
  • Incorporate multiple data types (e.g., cyber, business, operational, financial, reputational, ESG, etc.) to address risks across many departmental users
  • Utilize built-in remediation guidance to reduce risk to an acceptable level
  • Include specific capabilities to address risks across the third-party lifecycle – from sourcing and selection of new vendors to offboarding and termination

A more comprehensive workflow-driven approach will aid in covering shortfalls in risk coverage, the risk lifecycle, and in enforcing remediations (noted in the recommendation above).

Close the resource and skill gap with outsourced managed services or artificial intelligence capabilities

Data from this year’s study shows that a lack of resources is the single biggest obstacle to TPRM program success. That lack of resources translates to 67% of vendors not being adequately managed. To overcome resource limitations, consider outsourcing all or part of your TPRM program to expert managed services providers. In concert with managed services, investigate the use of AI to speed up reporting, questionnaire completion, and collating data from multiple sources. When considering AI, ensure that:

  • Chosen AI models are trained on years of real third-party risk management expertise, data, and events
  • Consideration is made to the security, accuracy, and governance of processes and data
  • Data is anonymized to reduce the likelihood of a data breach or exposure of personal data

Next Steps: Download the Full Study Results and Benchmark Your TPRM Program Against Peers

Download the full study results to gain access to the complete data, findings, and recommendations and compare your TPRM program against organizations like yours. You will also be able to access an infographic that summarizes the key findings and is shareable with your team. Or, request a demonstration with Prevalent to learn how to put these findings into action.

Scott Lang
VP, Product Marketing

Scott Lang has 25 years of experience in security, currently guiding the product marketing strategy for Prevalent’s third-party risk management solutions where he is responsible for product content, launches, messaging and enablement. Prior to joining Prevalent, Scott was senior director of product marketing at privileged access management leader BeyondTrust, and before that director of security solution marketing at Dell, formerly Quest Software.
