The past twelve months have seen increases in third-party incidents, breaches, compliance issues, and supply chain disruptions impacting businesses. This environment has led many organizations to adapt their third-party risk management programs to address emerging risks outside of the IT realm.
An example of this trend appears in a report from the firm Prevalent. The report is titled “2022 Third-Party Risk Management Industry Study”, and it details the state of third-party risk management in light of best practices and modern global realities.
The key observations include the finding that several organizations are paying more attention to non-IT security risks. Here, 40 percent of respondents manage both IT and non-IT vendor risks. However, some 45 percent of third-party risk management programs are only focusing on the IT vendor risk.
In relation to strategy, 67 percent of companies polled indicated that their third-party risk management programs have more visibility than the year prior (likely a response to surges in third-party vendor and supplier-related attacks such as Log4j, the Toyota supply chain breakdown, and others throughout the past few months).
The report also finds that manual methods for assessing third parties continue to persist. This is evidenced by 45 percent of respondents who are still using spreadsheets to assess third parties.
Organizations also reportedly have increased concern with damaging third-party security incidents. This is not helped by many citing the fact they lack effective tools to tackle such incidents. With this issue, 69 percent of organizations have experienced a data breach or other security incident due to poor vendor security.
Such events also take time to resolve. Organizations are waiting over two weeks for third-party incident resolution: 35 percent of firms report it takes up to two weeks to determine whether an incident resulted in a disruption in service, and 47 percent wait another week for third parties to complete remediation or migration.
The report also finds that third-party risk management discipline falters as vendor relationships progress: 74 percent of businesses track risks at sourcing/pre-contract due diligence, falling to 61-68 percent for ongoing tracking, and only 43 percent do so during off-boarding/termination.