Some Companies Still Lack Third-Party Incident Response Programs

As a result, 45% of respondents said they experienced a security incident in the last year, up from 21% in 2021.
May 11, 2022

Editor's Note: This article was originally published on

Two-thirds of respondents report that their third-party risk management (TPRM) programs have more visibility among executives and the board compared to last year. However, it took massive increases in third-party vendor and supplier-related cybersecurity issues such as Log4j, the Toyota supply chain breakdown and the Kaseya ransomware attack to get there.

That’s because close to 45% of companies surveyed say manual processes are still holding their organizations back, and that they rely on spreadsheets to assess their third parties more this year than in 2021, according to the Prevalent study.

"The past year has brought even more attention to the risks associated with third-party vendors and suppliers, specifically to the supply chain with continued cyber disruptions," says Brad Hibbert, chief strategy officer for Prevalent. "And although today's survey illustrates that organizations are starting to view their third-party management programs more strategically, there is still more progress to be made. More and more companies are starting to assess non-IT risks, which is a step in the right direction. But unfortunately, over half are not and that could lead to financial loss. Together, with a comprehensive TPRM solution, companies can build a stronger defense against IT and reputational third-party risks."

From Prevalent:

  • 32% of respondents say it takes more than a month (and in some cases more than 90 days) to produce reporting and evidence required to meet regulatory audits.
  • 45% of respondents said they experienced a security incident in the last year, up from 21% in 2021.
  • Top incident response tools that respondents reported having at their disposal included data breach monitoring (51%), cybersecurity/dark web monitoring (45%), vendor assessments (manual/spreadsheet-based) (43%) and proactive vendor self-reporting (43%). But only 38% indicated having access to automated vendor assessments.
  • 8% of companies don’t have a third-party incident response program in place at all, while 23% take a passive approach to third-party incident response.