Every day, news feeds are loaded with examples of third-party data breaches with serious financial impacts on companies and consumers alike. Inevitably, those breaches catch the attention of government regulators, each offering up their own version of mandated best practices and controls to keep a breach like that from happening again (or at least, to minimize its impact).
Yet, despite the frequency of third-party breaches and all the regulatory “help” you could ever want, organizations still struggle to get control of third-party risk. Let’s examine why and how organizations can address third-party risk with meaningful results.
Here are some of the most active industry, regional and non-IT regulatory regimes with specific provisions aimed at improving a company’s governance over third-party relationships.
The financial services and banking industry is a leader in requiring organizations to exercise governance over third-party relationships. Examples include regulations from the Office of the Comptroller of the Currency (OCC), the Federal Financial Institutions Examination Council (FFIEC), the UK Prudential Regulation Authority and Financial Conduct Authority (FCA), and the EU Banking Authority. There are even emerging requirements in this mature space aimed at harmonizing requirements; the Interagency Guidance is an example of that.
Another layer of regulation is regional and applies to organizations that do business in those geographies. The UK has the National Cyber Security Centre (NCSC) third-party requirements. The EU has GDPR to govern third-party data governance. Singapore has the Monetary Authority of Singapore requirements and the Personal Data Protection Act (PDPA).
Even though third-party breaches dominate the headlines, regulators are also taking aim at other important issues: how a company’s supply chain ecosystem impacts climate change, whether it is susceptible to bribery and corruption, and whether it employs child labor. The UK Modern Slavery Act, the German Supply Chain Due Diligence Act and the EU Corporate Social Responsibility Directive (CSRD) all contain important provisions requiring regular reporting and attestation on such matters.
Despite all the scrutiny, why do organizations struggle to get a handle on third-party risk? It comes down to five reasons.
Data from Prevalent’s 2022 TPRM Study showed that in 50% of organizations IT security owns TPRM, whereas in 22% procurement owns it. If there is no clear owner, how do you ensure all the risks are assessed and addressed?
The majority of organizations still use spreadsheets to assess their third parties – and that number continues to grow. How do you keep track of all those vendors in a spreadsheet, ask the right questions, record the answers and score them consistently?
A one-size-fits-all approach rarely works across all vendors, since they typically interact with different systems or sets of data, or supply services that differ in scope from one another. Assessing vendors creates a burden on whoever owns TPRM. Without some standardization (for example, against an industry-standard set of best-practice principles), chaos reigns.
Because TPRM is as much about process and people as it is about technology, it’s hard to justify the budget to prioritize it. If you have a few vendor managers at least assessing the high-priority vendors, you’ve checked the box, right?
It’s hard enough to get vendors to complete a questionnaire and submit evidence, let alone do something about the findings. But here’s the catch: unless the vendor remediates its security or compliance gaps, those gaps remain exposed to exploitation, which in turn leaves your organization open to compromise.
Here are four things to start doing immediately to make the process of third-party risk regulatory reporting more manageable:
Third-party risk management efforts can deliver results. Make incremental progress toward improving third-party governance by taking these steps. Your team will thank you, and the regulators will, well, they’ll still be regulators.