
Third-Party Risk Management in 2022: What to Expect and How to Respond

These top five trends will dominate your third-party risk management conversations in 2022. Is your TPRM program ready?
December 02, 2021

Editor's Note: This article was originally published on www.vmblog.com.

Continued pandemic-related supply chain disruptions. Increasing numbers of data breaches targeting third parties. More regulatory scrutiny on business governance. If there is anything that the last 18 months has taught us, it's that we should expect the unexpected. But how should third-party risk management prepare for 2022?

Based on hundreds of customer and industry conversations we've had in the last year, here's what we believe you should expect in the next 12 months and how to adapt your programs accordingly.

Prediction #1. Ransomware will become the top tactic used in software supply chain attacks and third-party data breaches in 2022.

After a banner year of high-profile ransomware attacks originating from third-party suppliers (for example, Kaseya and others), 2022 will only see more as cybercriminals continue to perfect their attack methods, increase their sophistication and follow the money. Top targets will include third parties that supply goods and services to the automotive, mid-sized banking, and retailing industries because of the criticality of the data and systems they have access to. Organizations would do well to implement proactive event risk assessment cadences and deploy continuous cyber and breach monitoring to get an early-warning picture of potential attacks against their third-party ecosystems.

Bonus stretch prediction: Despite increases in ransomware attacks against healthcare organizations, cybercriminals will gain a conscience in 2022 and cease targeting hospitals due to the risk of the loss of innocent life. After all, there is honor among thieves.

Prediction #2: Increased board-level and executive awareness of third-party risk management means better metrics will be needed.

Perhaps owing to the increased number of third-party data breaches, continuing pandemic-related supply chain disruptions, and new regulatory visibility into ESG, third-party risk management has become a common topic among executives and boards.

Moving into 2022, executives will be looking for demonstrable, risk-reduction-centric improvements to continually justify the expenditure on third-party risk management. This will mean a renewed focus on metrics that paint a meaningful picture of third-party risk. Third-party programs will be measured on their ability to demonstrate risk remediation and ethical progress without hindering standard business operations, all while demonstrating cost control and efficiency. This will require you to evolve your reporting beyond how many assessments you've completed to how much risk you have taken out of the business.

Prediction #3: More focus on non-IT security related risk dimensions including ESG, health and safety, diversity and ethics.

While ESG and ethics have often been checkbox addendums to contracts, better availability of datasets and reporting is enabling organizations to hold third parties more accountable in these areas. As renewed consumer and peer interest drives ethical sourcing, executives are increasingly expecting a more robust process with meaningful metrics to demonstrate progress.

Moving into 2022, ethical sourcing will become increasingly embedded in the assessment and review workflow rather than purely being taken at face value. Third parties play a notable role in demonstrating actionable change in company ethics, which will be an increasingly marketable tool. To address this trend in 2022, take a look at how you assess your third parties. Can your company's brand value weather a reputational hit if a supplier fails in ethical obligations?

Prediction #4: Deeper analysis will be required to map to organizational risk assessment needs.

As vendors continue to face the irksome requirement of articulating the same information in different ways, those that have the luxury of refusing will increasingly do so. In response, third parties will offer pre-completed materials such as ISO or SOC 2 reports and supporting artifacts, which will put pressure on organizations to perform deeper analysis and mapping to their internal needs.

While this may appear detrimental if it doesn't align to your third-party risk management program, there is a hidden advantage: the third party has likely invested proportionately more effort in creating quality responses and artifacts. The challenge into 2022, therefore, will be to translate these more robust materials into your preferred structure to enable a true analysis of controls. Look for solutions that enable automated mappings of risk controls to satisfy multiple requirements.

Prediction #5: Some organizations will expand their TPRM programs to include 4th and Nth party risks.

As third-party risk management programs continue to wrestle for control over their third-party estates, some organizations are beginning to go beyond third parties by considering the risks posed by their third parties' own suppliers. This evolution will necessitate a shift from a compliance-driven view to a more risk-driven lens.

In 2022, improvements in technology and greater reliance on and awareness of the broader supply chain mean it will become the norm to assess upstream 4th parties and, at the very least, consider their potential impact if a disruption should occur. Organizations should be prepared to build a relationship map that visually shows interconnections and data flows in their supplier ecosystems.

Predicting the future of third-party risk management is a lot like predicting the weather: just look outside your window, but be prepared for anything. Investigating these top 10 trends will put your TPRM program on a solid footing for 2022 and beyond.


About the Author

Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company's acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.

Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems and MBA from the University of Ottawa.