Prevalent's 2024 Third-Party Risk Management Study
PHOENIX, May 8 — Prevalent Inc. published its 2024 Third-Party Risk Management Study today, finding that 61% of companies experienced a third-party data breach or cybersecurity incident last year. Breaches rose 20 points—or 49%—year over year, increasing threefold since 2021.
“What stands out in our report isn’t only the number of breaches, which is the highest we’ve tracked, but also the scale,” said Prevalent CEO Kevin Hickey. “Breaches in 2023 impacted huge supply chains—from Okta and LastPass to Change Healthcare and PJ&A—exposing sensitive records of millions of people worldwide. There has never been a more urgent time to take third-party security more seriously.”
Conducted this February and March, the survey’s respondents include heads of information security, data privacy, risk management, procurement, and other IT executives at companies spanning dozens of industries and whose supply chains collectively represent half a million vendors.
Prevalent’s study identified multiple areas of concern that could explain the unprecedented breadth and depth of third-party breaches:
“Although most organizations report having TPRM programs in place, half still rely on spreadsheets and use a patchwork of tools to assess their vendors,” said Prevalent COO Brad Hibbert, adding that 60% of respondents are not using a dedicated TPRM platform.
According to the report, the consequence of companies’ reliance on multiple tools is a lack of coordination, leaving their supply chains unguarded. Only a third of respondents indicated their third-party security programs were highly coordinated.
While the survey respondents’ average number of third parties was 3,200, respondents reported assessing or monitoring only 33% of those vendors. “There is a lot of risk hiding among those unassessed relationships,” said Mr. Hibbert.
More than 62% of respondents reported understaffing was the biggest obstacle to better safeguarding their organizations from third-party breaches. The average respondent said they need double their current staff dedicated to third-party security.
“Later stages of third-party lifecycles lack adequate risk assessment and monitoring, and overall remediation is woefully lacking,” per Prevalent’s report. While nearly 90% of companies track risks from the sourcing and selection phases, fewer than 80% track service-level agreements (SLAs) and offboarding risks later in the relationship lifecycle.
“What surprised us was the disparity between the share of organizations tracking risks and the share remediating them,” explained Mr. Hibbert. “A shockingly low 46% of companies report remediating risk as a result of risk assessments—the stage where risks must be mitigated.”
Prevalent found that AI use remains low in the sector, with only 5% of companies actively leveraging AI in their TPRM programs. However, interest remains high, with 61% saying they are actively investigating its uses.
Prevalent advises creating cross-functional teams and establishing clear ownership of TPRM programs as well as automating TPRM processes around a single platform to unify teams, data, and risk lifecycles.
Read the blog post and download the full e-book and infographic for additional statistics, context, and recommendations on benchmarking existing TPRM practices.