How well do you know the risks posed by your third parties and supply chain?

At best, only 44% of Canadian respondents say they thoroughly understand their third-party cyber and privacy risks. But those that have had the best cybersecurity outcomes globally over the past two years are 11x more likely to say they do.

Shrink the large blind spot hiding the risks in your business relationships

You can’t secure what you can’t see. And most respondents to our 2022 Canadian Digital Trust Insights survey seem to have trouble seeing their third-party risks—risks obscured by the complexities of their business partnerships and vendor/supplier networks.

Only 41% of Canadian survey respondents (40% globally) say they thoroughly understand the risk of data breaches through third parties, using formal enterprise-wide assessments. Nearly a quarter in Canada and globally have little or no understanding at all of these risks—a major blind spot of which cyber attackers are well aware and willing to exploit.

Among our Canadian respondents, 54% expect an increase in reportable incidents in 2022 from attacks on the software supply chain (56% globally), but only 31% have formally assessed their enterprise’s exposure to this risk (34% globally). Fifty-nine percent expect a jump in attacks on cloud services (57% globally), but only 44% profess an understanding of cloud risks based on formal assessments (37% globally).

The “most improved” global organizations, on the other hand, have taken note and taken action. They’re 11x more likely to report a high understanding of their third-party risks. Some three-quarters say they’re highly knowledgeable about third-party dangers in five of six areas. Only in their knowledge of “nth-party” risks—those posed by their suppliers’ suppliers and so on, down the line—does the number dip: 69% for the “most improved,” 31% for the rest. Just as we’ve frequently seen in Canada, the more complex the connection, the harder it becomes to see the risks buried within.


Organizations have a large blind spot to risks arising from third parties and the supply chain


High: Understanding from formal, enterprise-wide assessment
Moderate: Limited understanding from ad hoc assessments
Low: Anecdotal understanding, no assessments
No understanding

Canada

Cloud risks
%
%
%
%
Data breaches
%
%
%
%
Privacy violations
%
%
%
%
Software supply chain risks
%
%
%
%
IoT/technology vendors
%
%
%
%
Nth party risks
%
%
%
%

Global

Cloud risks
%
%
%
%
Data breaches
%
%
%
%
Privacy violations
%
%
%
%
Software supply chain risks
%
%
%
%
IoT/technology vendors
%
%
%
%
Nth party risks
%
%
%
%
Question: What is the level of understanding within your organization of the cyber and privacy risks arising from your third parties or suppliers across the following areas?
Base: 114 Canadian respondents; 3,602 global respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021.

Barely half of all Canadian respondents—between 27% and 51%—say they’ve responded to the escalating threats that complex business ecosystems pose (30% to 46% globally). The ones that have responded seem to be focusing their efforts primarily on today, perhaps at the expense of tomorrow. When asked how they’re minimizing their third-party risks, they gave largely reactionary answers: auditing or verifying their suppliers’ compliance (51% vs. 46% globally), sharing information with third parties or helping them in some other way to improve their cyber stance (41% vs. 42% globally) and addressing cost- or time-related challenges to cyber resilience (41% vs. 40% globally).

Only one top response—that they’re refining criteria for onboarding and ongoing assessments (43% vs. 42% globally)—could be considered proactive, offering benefits over the long term. Publicly listed organizations (46% vs. 47% globally) were more likely to claim this step.

Still, more than half have taken no actions that promise a more lasting impact on their third-party risk management. They’ve not refined their third-party criteria (57% vs. 58% globally), not rewritten contracts (66% vs. 60% globally) and not increased the rigour of their due diligence (61% vs. 62% globally).

The organizations that have had the best cyber outcomes over the past two years have consolidated tech vendors as a simplification move. Paring the number of tech and other third parties reduces complexity and increases your ability to know how secure they are. One benefit is that different functions (procurement, risk managers, fraud team, legal, security) can better understand their roles in protecting their supply chains from cyber disruptions. And with fewer vendors to monitor, your organization can more efficiently keep an eye on their security practices.


More than half have taken none of three actions that promise a more lasting impact on their third-party risk management


Canada
Global

Audited or verified the security posture and compliance of third parties or suppliers
%
%
Refined our criteria for onboarding and ongoing assessments of third parties
%
%
Provided knowledge-sharing or assistance to third parties to shore up their cybersecurity postures
%
%
Addressed challenges, cost-related or time-related, that affect your ability to be cyber resilient
%
%
Performed more rigorous due diligence
%
%
Rewritten contracts with certain third parties to mitigate our risks
%
%
Exited relationships with certain third parties
%
%
None of the above
%
%

Question: Has your organization done any of the following actions in the past 12 months to minimize third-party or supplier risks in your ecosystem? Check all that apply.
The three lasting actions are refining criteria for third-party assessments, rewriting contracts and performing more rigorous due diligence.
Base: 114 Canadian respondents; 3,602 global respondents
Source: PwC, 2022 Global Digital Trust Insights, October 2021

Public-private collaboration

Visibility also means seeing which challenges others face and what they’re doing to meet them. Collaborators can be an important part of your cyber-business ecosystem. As we’ve seen in other jurisdictions, companies and federal agencies have benefited from public-private partnership and government responses to recent significant cyber incidents. Timely sharing of information matters for cybersecurity in general, critical infrastructure or not.

But fewer than one-third of global survey respondents said their public-private collaboration efforts are “very effectively” helping them achieve their cyber goals. Those that have had the best cybersecurity outcomes over the past two years, however, were 34x more likely to have achieved their public-private collaboration goals “very effectively.”

Globally, organizations increasing their cyber budgets in 2022 were significantly more likely to say they have achieved these goals “very effectively”:

  • Share knowledge about new threats, approaches and solutions in my peer set (38%) 
  • Demonstrate avoidance of tangible financial losses (36%)
  • Activate public-private sector relationships for more effective responses to a cyber attack on our organization (33%)
  • Promote broader awareness and upskilling of workforce (32%)

Collaborators are an important part of secure ecosystems

Percentage who say that the goal was achieved “very effectively” Canada Global 24% 27% Provide input to government and policymakerson proposed rules and regulations Goals for public-private collaboration: 1 4 35% 31% Share knowledge about new threats, approaches,solutions and best practices in my peer set 2 2 28% 28% Activate public-private sector relationships for moreeffective responses to a cyber attack on our organization 3 1 33% 29% Promote broader awareness andupskilling of workforce 4 3 32% 30% Demonstrate avoidance of tangiblefinancial losses 5 5 Question: Thinking about your most significant public-privatecollaboration mechanism, what are your organization’s goals withpublic-private collaboration? And in the past year, how well has yourorganization achieved each of those goals you mentioned?Base: 114 Canadian respondents; 3,602 global respondentsSource: PwC, 2022 Global Digital Trust Insights, October 2021
Takeaways

For the COO and the supply chain executive

  • Map your system, especially your most critical relationships, and consider using a third-party tracker to find the weakest links in your supply chain.
  • Scrutinize your software vendors against the performance standards you expect. Software and applications that your company uses should undergo the same level of scrutiny and testing that your network devices and users do.
  • After a fuller accounting of your third-party and supply chain risks, identify ways to simplify your business relationships and supply chain. Should you pare down? Combine?

For the CRO, CIO and CISO

  • Build up your technological ability to detect, resist and respond to cyber attacks via your software, and integrate your applications so you can manage and secure them in unison.
  • Establish a third-party risk management office to coordinate the activities of all functions that manage your third-party risk areas.
  • Strengthen your data trust processes. Data is the target for most attacks on the supply chain. Data trust and good third-party risk management go hand in hand.
  • Educate your business on the cyber risks from your third parties and supply chain.

Contact us

Naren Kalyanaraman

Naren Kalyanaraman

Partner, Cybersecurity, Privacy and Financial Crime National Leader, PwC Canada

Tel: +1 416 815 5306

Alvin Madar

Alvin Madar

Partner, Cybersecurity, Privacy and Financial Crime and National Cybersecurity Leader, PwC Canada

Tel: +1 604 806 7603

Joanna Lewis

Joanna Lewis

Partner, Cybersecurity, Privacy and Financial Crime, PwC Canada

Tel: +1 416 687 9139

Follow PwC Canada

Contact us

Jennifer Johnson

Jennifer Johnson

Strategy & Transformation Leader, PwC Canada

Tel: +1 416 947 8966

Sajith Nair

Sajith Nair

Managed Services Leader, PwC Canada

Hide