Results from the definitive 2022 Third-Party Risk Management Study are in – and there is a lot to unpack as we review how organizations are responding to record numbers of third-party data breaches, supply chain disruptions due to continued pandemic shutdowns, and even the war in Ukraine.
This year’s study shows that third-party risk management (TPRM) is at a crossroads, demonstrating that companies have a choice of two paths to take – the existing path and the better path. To illustrate, consider the study’s conclusions:
|The Current Path||The Better Path|
Organizations are paying more attention to non-IT security risks …
… but should be doing more in more risk areas.
Third-party risk management may (finally!) be getting more strategic …
… but organizations should work to eliminate stubborn manual methods for assessing third parties that make audits more complex and time consuming.
Organizations are rightly concerned with increasingly damaging third-party security incidents …
… but should unify their disparate toolset to reduce the time to detect and respond to third-party incidents.
Organizations are doing a fair job of assessing vendor risks during the most obvious stages of the third-party lifecycle …
… but should consider more stages to keep TPRM discipline from faltering as vendor relationships progress.
In this post we’ll review the good (and bad) news and recommend three steps that organizations can take to improve their TPRM processes to get on the path to success.
The 2022 Third-Party Risk Management Study
Get on the path to TPRM success with insightful data, analysis and recommendations from our survey of global third-party risk management practitioners
TPRM programs are still primarily focused on addressing the risks faced when working with IT vendors (45%), but a surprising 40% of respondents in this year’s study say they are focused on managing both IT and non-IT vendor risks.
Also, as you can see in the graphic below, more teams are concerned with TPRM risks beyond IT security.
However, the lowest-weighted non-IT risks in importance were modern slavery, anti-money laundering, and anti-bribery and corruption risks. Following a similar theme to the Prevalent 2021 Third-Party Risk Management survey, organizations continue to overlook less quantifiable risks that could still lead to compliance violations, fines, or negative reputational impacts. For example, with the Russian invasion of Ukraine, companies with third-party suppliers in Russia must now consider whether they are exposed to bribery and money laundering as a result of sanctions.
Two-thirds of respondents report that their TPRM programs have more visibility among executives and the board compared to last year. This is great news! TPRM is starting to be seen as strategic. However, it took massive increases in third-party vendor and supplier-related cybersecurity issues such as Log4j, the Toyota supply chain breakdown, and the Kaseya ransomware attack to get there.
Unfortunately, manual processes are still holding organizations back, with even more companies (45%) reporting that they use spreadsheets to assess their third parties this year vs. 2021.
These manual processes add unneeded complexity and time to third-party risk audits, with 32% of respondents saying it takes more than a month (and in some cases more than 90 days) to produce reporting and evidence required to meet regulatory audits.
Something must be wrong with existing approaches, as high percentages of respondents say their current methods of assessing vendors are not able to deliver reporting to demonstrate compliance (57%), be more proactive in third-party incident response (50%), or assess risks at every stage of the vendor’s life cycle (48%).
The top concern facing organizations with regard to their usage of third parties is a data breach (69%), and 45% of respondents said they experienced a security incident in the last year – up from 21% in 2021!
Top incident response tools that respondents reported having at their disposal included data breach monitoring (51%), cybersecurity/dark web monitoring (45%), vendor assessments (manual/spreadsheet-based) (43%), and proactive vendor self-reporting (43%). But only 38% indicated having access to automated vendor assessments.
The most discouraging stats of all: 8% of companies don’t have a third-party incident response program in place at all, while 23% take a passive approach to third-party incident response. Good luck when the next SolarWinds hits.
The result: It takes about 2.5 weeks between incident discovery and remediation – a lifetime for an organization to be vulnerable to a potential exploit.
Contractual risks and risks at the offboarding and termination stage of the relationship don’t rank very high among the risks companies currently track – 45% and 43%, respectively. In fact, the percentage of customers tracking risks declines as the relationship lifecycle matures, indicating that companies are focused more on risks at the earliest stages, less so as the relationship continues. With all the risk involved in missing contractual expectations, this is surprising.
The results of this study demonstrate that TPRM teams are making progress toward a more strategic approach to TPRM, but three areas require additional improvements.
Looking at third-party risk solely through an IT lens will miss important risks. Therefore, invest in a solution that includes built-in questionnaire templates and complementary intelligence to address areas including everything from business/operational, reputational and financial risks to ESG and compliance risks.
By unifying non-IT risk intelligence with the results of traditional cybersecurity and data privacy assessments, you can:
In addition, considering that nearly a third of companies say it takes more than 30 days (and some more than 90 days) to produce the evidence required to meet regulatory audits, collecting these insights in a single platform will accelerate audit reviews and enable to teams to get back to their day jobs.
With 45% of companies reporting a security incident in the last year – and 69% of companies saying it’s their priority – more work needs to be done to automate incident response to mitigate results. Invest in mature tools and processes that:
Data from this year’s study shows that risk assessment discipline trails off as the vendor lifecycle progresses. Here are a few tips for addressing risks later in the relationship.
The 2023 TPRM Study Infographic
Review key statistics from our study of organizations trying to chart a course to TPRM success.