Enterprise TPRM Leaders Specify Third-Party Risk as a Critical Priority

With third-party breaches continuing to escalate in velocity and impact, it’s no longer enough to secure internal assets; organizations must be doubly sure any sanctioned entity with network permissions does not become an unwitting conduit for malicious activity. 

Managing third-party and supply chain threats remains a daunting task, according to new research from CyberRisk Alliance Business Intelligence, which gauged companies’ understanding, interest, and investments in managing third-party risk.

Read the report highlights below, and download your free copy of the CyberRisk Alliance Business Intelligence report, sponsored by AuditBoard, Third-Party Risk: More Third Parties + Limited Supply-Chain Visibility = Big Risks for Organizations.

Key Takeaways From the CyberRisk Alliance Business Intelligence Third-Party Risk Survey

The objective of a CRA Business Intelligence survey was to reveal organizations’ experience with cybersecurity attacks originating from third parties as well as their assessments of their supply chain visibility, and other issues related to managing third-party risk. Survey data was collected from November 2022 among 209 security and IT leaders and executives, security administrators, and compliance professionals in the U.S. 

• Most respondents said they are increasingly working with more third-party products and services. The overall average estimated number of third-party partners (including software vendors, IT service providers, business partners, brokers, subcontractors, contract manufacturers, distributors, agents, and resellers) among all respondents is 88. This estimate varies with organization size: large enterprises have roughly 173 third-party partners and are much more likely to have the most complex supply chains.

• More than half of all respondents (57%) reported they were victims of an IT security incident — either an attack or a breach — related to a third-party partner in the past 24 months. On average, organizations experienced two third-party-related security incidents (attacks or breaches) in the past two years. This number increases with organization size, with respondents from the largest organizations estimating they experienced an average of five incidents during this period. 
• Among those whose organizations were afflicted, 52% reported the source of their attack was a software vendor. And for nearly 4 in 10 respondents (39%), a business partner, subcontractor, or IT service provider was responsible for the incident. 

• About 8 in 10 respondents said they experienced one or more consequences from these attacks. The most common were network outages/downtime, reported by 31% and disruption in customer service (28%). Another 27% suffered a business disruption or shutdown, while 24% said their data was stolen/exfiltrated. One in five respondents also reported financial losses or supply chain disruptions. 
• While organization size has no effect on the perceived importance of third-party risk management, the priority of these initiatives is highly correlated to the size of an organization. For example, about 6 out of 10 respondents (59%) from large enterprises specified third-party risk as either a critical or high priority at their organization whereas smaller organizations are less likely to have this at the top of their priority lists. 
• Concerns about managing third-party risks centered around the lack of human resources, budgets, and technology solutions. Nearly half of all respondents (49%) rated the lack of qualified staff to implement a third-party management program as highly concerning (rating this a 5, 6, or 7 out of 7), while the lack of visibility into third-party risks (45%), insufficient budget (44%), and lack of an automated third-party management technology solution (44%) were also similarly rated as highly concerning. 
• Overall, employee training is the most common measure used to prevent or mitigate the risk of third-party attacks, as reported by nearly two out of three respondents. Additionally, annual risk assessments, third-party policies and standards, third-party attestation reports, and pre-contact processes and controls were also used by at least four out of 10 respondents. The largest organizations are more likely to use in-depth assessments of third parties (46%), third-party attestation reports (51%), third-party oversight or governance staff (40%), and automated third-party risk management tools or platforms (44%). 
• The majority of respondents said they can assess the impact of a third-party partner or supply chain attack/breach in less than one week, with one in five indicating they can make an assessment within several hours. Another 20% said it takes a week or more to assess. Some attributed these longer assessment times to difficulties in getting their vendor or partner to take responsibility for the incident as well as vendor delays in notification or reporting. 
• Overall, more than half (56%) said they expected “some investment” and 23% expected a “limited investment” in third-party risk management technology or resources in the next 12 months. While there were no respondents from small organizations (less than 100 employees) who said they expect a significant third-party risk management investment in 2023, 27% from the largest organizations anticipate significant investment in this area.

The need for greater transparency — from better visibility into who is a supplier or provider, to dashboards tracking trusted vendors with privileged access — is paramount to enterprises maintaining trust in third-party relationships. Given the potential financial, reputational, or legal fallout from a third-party breach, organizations recognize the need to proactively assess and monitor the increasing number of outside providers helping them do business. They also need to foster collaboration to ensure successful remediation when a security event does occur. That commitment, however, doesn’t always result in action. The study also showed that beyond recognizing the need to better manage third-party risks, organizations are torn on how to reduce these risks. 

To learn more about how organizations are approaching third-party risk today, download the full CyberRisk Alliance Business Intelligence report, sponsored by AuditBoard: Third-Party Risk: More Third Parties + Limited Supply-Chain Visibility = Big Risks for Organizations.