Third-party cyber risks are a glaring blind spot according to PwC survey
London, 11 October 2021 – A majority of companies don’t have a handle on their third-party cyber risks – risks obscured by the complexity of their business relationships and vendor/supplier networks. This is the finding of the PwC 2022 Global Digital Trust Insights Survey. The survey of 3,600 CEOs and other C-suite executives globally found that 60% have less than a thorough understanding of the risk of data breaches through third parties, while 20% have little or no understanding at all of these risks.
The findings are a red flag in an environment where 60% of the C-suite respondents anticipate an increase in cybercrime in 2022. They also reflect the challenges organizations face in building trust in their data: making sure it is accurate, verified and secure, so customers and other stakeholders can trust that their information will be protected.
Notably, 56% of respondents say their organizations expect a rise in breaches via their software supply chain, yet only 34% have formally assessed their enterprise’s exposure to this risk. Similarly, 58% expect a jump in attacks on their cloud services, but only 37% profess to have an understanding of cloud risks based on formal assessments.
Sean Joyce, Global & US Cybersecurity & Privacy Leader, PwC United States said: “Organizations can be vulnerable to an attack even when their own cyber defenses are good; a sophisticated attacker searches for the weakest link - sometimes through the organization’s suppliers. Gaining visibility and managing your organization’s web of third-party relationships and dependencies is a must. Yet, in our research, fewer than half of respondents say they have responded to the escalating threats that complex business ecosystems pose.”
Asked how their companies are minimizing third-party risks, the most common answers were auditing or verifying their suppliers’ compliance (46%), sharing information with third parties or helping them in some other way to improve their cyber stance (42%), and addressing cost- or time-related challenges to cyber resilience (40%). But a majority have not refined their third-party criteria (58%), not rewritten contracts (60%), nor increased the rigor of their due diligence (62%) to identify third-party threats.
Simplifying the way to cybersecurity
Nearly three quarters of respondents said the complexity of their organization poses “concerning” cyber and privacy risks. Data governance and data infrastructure (77% each) ranked highest among areas of unnecessary and avoidable complexity.
Simplification is a challenge, but there is ample evidence that it is worthwhile. While three in 10 respondents overall said their organizations had streamlined operations over the past two years, the “most improved” in our survey (the top 10% in cyber outcomes) were five times more likely to have streamlined operations enterprise-wide. These top 10% organizations are also 10 times more likely to have implemented formal data trust practices and 11 times more likely to have a high level of understanding of third-party cyber and privacy risks.
CEO engagement can make a difference
Executive and CEO respondents differ on how much support the CEO provides on cyber: CEOs see themselves as more involved in, and more supportive of, setting and achieving cyber goals than their teams do. But there is no disagreement that proactive CEO engagement in setting and achieving cyber goals makes a difference. Executives in the “most improved” group, reporting the most progress in cybersecurity outcomes, were 12 times more likely to have broad and deep support on cyber from their CEOs. Most executives also believe that educating CEOs and boards so they can better fulfill their cyber responsibilities is the most important act for realizing a more secure digital society by 2030.
Sean Joyce concluded: “Our survey shows that the most advanced organizations see cybersecurity as more than defense and controls, but as a means to drive sustained business outcomes and build trust with their customers. As leaders of organizations, CEOs set the tone for focusing their cyber teams on bigger-picture, growth-related objectives rather than narrower, short-term expectations.”
About the Survey
The 2022 Global Digital Trust Insights is a survey of 3,602 business, technology, and security executives (CEOs, corporate directors, CFOs, CISOs, CIOs, and C-suite officers) conducted in July and August 2021 by PwC Research. Sixty-two percent of respondents are with companies with US$1 billion and above in revenues; 33% are with US$10 billion+ companies. Respondents operate in a range of industries: tech, media, telecom (23%), industrial manufacturing (22%), financial services (20%), retail and consumer markets (16%), energy, utilities, and resources (8%), health (7%), and government and public services (3%). Respondents by region include: Western Europe (33%), North America (26%), Asia Pacific (18%), Latin America (10%), Eastern Europe (4%), Middle East (4%), and Africa (4%).
About PwC: At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 156 countries with over 295,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.
PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.
© 2021 PwC. All rights reserved.