While there are often significant non-financial benefits to understanding your vendors’ controls, many executives are still “fuzzy” on why they need a third-party or vendor risk management program. Generally, an organization outsources a business function to a service provider because doing so is less expensive than staffing the expertise and building the infrastructure internally. Budgeting for the oversight (and additional cost) needed to manage the risks posed by these relationships seemingly reduces the ROI. However, not fully understanding these risks can cost the organization significantly more during and after a data breach. Once the decision to outsource is made, sharing sensitive information with the provider becomes a requirement, and due diligence becomes one of the only mechanisms for understanding whether the third party has the necessary controls in place to protect your data.
Until recently it was difficult to quantify the role third-party error plays in a data breach. In May, the Ponemon Institute published its 2013 Cost of a Data Breach Study, sponsored by Symantec. Based on its research, Ponemon identified third-party error as the number one factor increasing the cost of a data breach. The report maps this factor to an additional average cost of $43 per record (in the U.S.) when the breach is caused or influenced by a third-party error. Multiplying that per-record cost by the study’s average breach size, this means that in an average data breach influenced by third-party error, the additional cost is over $1,200,000 per incident.
Although Ponemon does not specifically call out third-party risk management as a mechanism to reduce this data breach cost, based solely on my experience, a third-party risk program can reduce these costs by 20-80%. This number is clearly influenced by the maturity and scale of the program as well as by incident response plans. For example, if only a very small percentage of critical vendors is assessed, the reduction will be less significant than for organizations that are able to assess most or all of their vendor population. Asking the right questions, collecting the right evidence, consistency in the process, a strong toolset, and other maturity factors also play key roles.
I am interested in hearing what your experience has been. Have you seen the occurrence and/or cost of data breaches reduced as you have matured your third-party risk program?