Apache Log4j Vulnerability: 8 Questions to Ask Your Vendors

Third-Party Risk Management in 2022: What to Expect and How to Respond

These top ten trends will require your third-party risk management program to adapt in 2022. Is your TPRM program resilient and ready?
By:
Brad Hibbert
,
Chief Operating Officer & Chief Strategy Officer
December 07, 2021
Share:
Blog 2022 tprm predictions 1221

Continued pandemic-related supply chain disruptions. An increasing number of data breaches targeting third parties. More regulatory scrutiny on business governance. If there is anything that the last 18 months has taught us, it’s that resilience and agility are some of the most valued business – and personal – qualities. So, since many organizations are currently planning for 2022, now is a great opportunity to look back on what we learned in 2021 to further improve the agility and resilience of your third party risk management program.

Based on hundreds of customer and industry conversations we’ve had in the last year, here’s what we believe you should expect in the next 12 months and how to adapt your programs accordingly.

Editor's note: Five of the below predictions were originally published in an article on VMBlog.com, which was also authored by Brad Hibbert of Prevalent.

1. Ransomware will become the top tactic used in software supply chain attacks and third-party data breaches in 2022

After a banner year of high-profile ransomware attacks originating from third-party suppliers (for example Kaseya and others), 2022 will only see more as cybercriminals continue to perfect their attack methods, increase their sophistication and follow the money. Top targets will include third parties that supply goods and services to the automotive, mid-sized banking, and retailing industries due to the volume and criticality of the data and systems they have access to.

Organizations would do well to implement proactive event risk assessment cadences and deploy continuous cyber and breach monitoring in 2022 to get an early-warning picture of potential attacks against their third party ecosystems.

Bonus stretch prediction: Despite increases in ransomware attacks against healthcare organizations, cybercriminals will gain a conscience in 2022 and cease targeting hospitals due to the risk of the loss of innocent life. After all, there is honor among thieves.

2. Third-party risk management moves beyond a checkbox, despite compliance being the primary organizational driver

Although many organizations seek to implement more robust third-party risk management programs due to information security and data privacy compliance requirements, we all know that compliance is just a minimum threshold. Organizations can be compliant with a myriad of cybersecurity standards but still be exposed to business resilience and environmental, social and governance (ESG) risks, for example.

Risk averse organizations, however, will go beyond checkbox compliance and invest in tangible risk reduction. The core drivers enabling this trend will include differentiation amongst peers when competing for new business and protecting existing business.

As many compliance standards and frameworks leave room for interpretation and alignment, customers will become increasingly aware that a certificate does not mean risk free, and in turn demand greater insight and clarity into risk mitigation activities. Look to expand your compliance efforts to include new domain areas, with a focus on not just meeting the requirement but demonstrating actual risk reduction over time.

3. Increased board-level and executive awareness of third-party risk management means better metrics will be needed

Perhaps owing to the increased number of third-party data breaches, continuing pandemic-related supply chain disruptions, and new regulatory visibility into ESG, third party risk management has been a common topic among executives and boards.

Moving into 2022, executives will be looking for demonstrable risk reduction-centric improvements to continually justify the expenditure of third-party risk management. This will mean a renewed focus on metrics that paint a meaningful picture of third-party risk. Third party programs will be measured on their ability to demonstrate risk remediation and ethical progress without hindering standard business operations, all while demonstrating cost control and efficiency. This will require you to evolve your reporting beyond how many assessments you’ve completed to how much risk you have taken out of the business.

4. Certain third party-related activities performed by procurement, legal, risk management and infosec will converge towards vendor lifecycle management

Throughout 2021, we have seen a gradual but steady convergence of third-party related teams into a consolidated workflow. These teams – responsible for everything from sourcing and onboarding new vendors, to managing their performance over time – will continue to consume risk intelligence from similar data sources, and begin to leverage insights from their peers in supporting contract negotiations and discussions related to their respective workstreams. Each team will continue to play a key role in the third-party lifecycle, and connectivity between systems will streamline the process to support efficient onboarding and offboarding.

This will pay dividends into 2022 as both the third parties and business alike will benefit from a simplified, unified process with less repetition. To accommodate for this trend, examine your existing workflows and data to determine whether they can be used by multiple stakeholders.

The 2022 TPRM Preparedness Toolkit

To help you prepare for what's next, we’ve assembled four of our most popular resources for building a stronger TPRM program. Get instant access to a business case template, an RFP kit, and two best-practice papers.

Get Started
2022 tprm toolkit 1021

5. Increased focus on vendor screening and pre-contract diligence

Third-party risk management programs continue to play catch-up on legacy contracts that have insufficient risk-based clauses and due diligence performed on their risk posture pre-signature. Rather than reactively rush to address deficiencies, 2022 will see a more pragmatic approach to establishing the risk posed by a third party up front, and importantly positioning remediation and resolution as necessary obligations in order to secure a contract.

Readily accessible insights into third party performance through passive cyber scanning, business event correlation, breach events, ESG comparisons, and financial scorings will paint a meaningful picture before even sending a third party assessment and will continue to justify expenditure in the negotiation process. Examine how you are performing pre-contract due diligence, inventory your data sources, and consider how you will close those intelligence gaps.

6. More focus on non-IT security related risk dimensions including ESG, health and safety, diversity and ethics

While ESG and ethics have often been checkbox addendums to contracts (in fact, fewer than half of companies are actively tracking these risks), better availability of datasets and reporting is enabling organizations to hold third parties more accountable in these areas. As renewed consumer and peer interest drives ethical sourcing, executives are increasingly expecting a more robust process with meaningful metrics to demonstrate progress.

Moving into 2022, ethical sourcing will become increasingly embedded in the assessment and review workflow rather than purely being taken at face value. Third parties play a notable role in demonstrating actionable change in company ethics, which will be an increasingly marketable tool. To address this trend in 2022, take a look at how you are assess your third parties. Can your company’s brand value weather a reputational hit if a supplier fails in ethical obligations?

7. Greater emphasis on post contract obligation tracking and enforcement (e.g., KRIs and SLAs)

Complementing our earlier prediction on increased pre-contract due diligence, 2022 will see greater emphasis on post-contract performance. Supplier relationship management over the course of a vendor’s lifecycle has often historically been associated to project teams and business sponsors who are often too busy to consolidate findings and concerns in a centralized location. This results in “tribal knowledge” of third party performance often scattered throughout the business and lost as teams migrate.

2022 will see an increased focus on driving consistency and centralization when it comes to iterative vendor performance management. This will be driven by the advantages it provides, such as effective negotiation tools and levers, as well as resilience/security risk visibility associated to findings. In general, organizations should adapt their third-party risk management programs to address risk at every stage of the vendor’s lifecycle, not just at onboarding or once per year at renewal.

8. Increased openness to using managed service to augment internal teams and enable scale beyond top tier IT vendors

As third-party risk management program expectations evolve with the convergence of multiple audiences and organizational risk criteria to manage, the associated effort increases and subject matter expertise becomes scarcer. New risks mean that information security is no longer the only game in town. However, this expertise is not always readily available in-house, nor are the mechanisms or resources available to capture and adequately document the risks. Consequently, more third-party risk management teams are sensibly identifying their knowledge and resource gaps, and will consider more outsourced services to enrich their programs.

Going into 2022, take an internal skills and resource assessment to determine if outsourcing some of your third-party risk management program will enable your team to accelerate its risk reduction efforts. Prevalent customers, for example, report reducing their manual labor by 50%, accelerating their risk identification by 44% and improving their team productivity by a factor of 3 by leveraging managed services.

9. Deeper analysis will be required to map to organizational risk assessment needs

As vendors continue to face the irksome requirement of articulating the same information in different ways, those that have the luxury of refusing will increasingly do so. Instead, third parties will offer pre-completed materials such as ISO or SOC II reports which will put pressure on organizations to perform deeper analysis and mapping to their internal needs.

While this may appear detrimental if it doesn’t align to your third-party risk management program, there is a hidden advantage in that the third party likely has invested proportionately more effort in creating quality responses and artifacts. The challenge into 2022, therefore, will be to translate these more robust materials into the preferred structure to enable a true analysis of controls. Look for solutions that enable automated mappings of risk controls to satisfy multiple requirements.

10. Some organizations will expand their TPRM programs to include 4th- and Nth-party risks

As third-party risk management programs continue to wrestle for control over their third party estates, some organizations are beginning to go beyond third parties by considering the risks posed by their third parties. This evolution will necessitate a shift from a compliance-driven view to a more risk-driven lens.

In 2022 improvements in technology and greater reliance and awareness of the broader supply chain mean it will become the norm to assess upstream 4th parties and at the very least, consider their potential impact if a disruption should occur. Organizations should be prepared to build a relationship map that visually shows interconnections and data flows in their supplier ecosystems.

Prepare Your TPRM Program for 2022

Investigating these top 10 trends will put your TPRM program on a solid footing for 2022 and beyond and ensure you stay agile and ready for what’s next. To get started, register for a free TPRM program maturity assessment. The output of this assessment will prescriptively tell you what steps to take to improve your program. Or contact us for a strategy session today.

Tags:
2014 04 10 Headshot Brad Suit
Brad Hibbert
Chief Operating Officer & Chief Strategy Officer
Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company’s acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies. Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.
  • Ready to get started?
  • Schedule a personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo