At least one-third of our survey respondents said in the past year alone, they’d experienced significant disruptions due to third parties: software supply chain disruptions (47%), cloud breaches (45%), third-party platform exposures and outages and downtime (41%), data exfiltration (39%). And yet the trend of new third-party dependencies seen last year continues to gather steam.
CEOs and corporate directors are increasingly asking CISOs, CIOs and CROs about their organizations’ exposure to third parties. Our survey reveals why.
COVID-19 threw a monkey wrench into information security, sending risks ricocheting across the third-party ecosystem. Not only were organizations forced to intensify their reliance on outside service providers, they found the task of monitoring those providers via on-site assessments nearly impossible.
The survey illustrates changes in the business environment and the complex choices facing third-party risk managers at this inflection point.
The stakes are high. Even as 92% of businesses expect increased regulatory scrutiny of third parties—and 85% see their third-party risk exposure actually increasing—nine in ten still expect their dependence on third parties for critical business functions to grow. In response, 94% plan to strengthen their third-party controls, 90% say they’ll focus more on risk stratification, and 88% expect to speed up their onboarding processes. A smaller share (79%) plan to reduce the actual number of relationships.
Trust is at a premium in times of turmoil—and companies rely all the more on their third-party risk management program (TPRM) to keep their operations secure. Yet in our survey, most businesses had implemented only three to six of the ten components of a robust program, and only 5% had a full complement. This is partly a reflection of the uneven state of third-party risk management across industries: lacking maturity in some industries, but advanced in sectors such as in financial services (with regulatory emphasis on resilience, for example) and aerospace and defense (with formal third-party certification of cyber practices).
The most frequently cited element of a TPRM program—ongoing monitoring of third parties—is conducted by 54%, yet only 40% have formally defined third-party functions that are subject to governance, controls, measures, and reporting.
While 70% of respondents were very confident that their TPRM program delivered demonstrable value to the organization in the past two years, less than half rated the value delivered on five measures at the highest levels (5 on a scale from 1 to 5).
Unease about the current state of TPRM in their organization emerges also in the lack of confidence that their critical third parties meet their expectations of trustworthiness.
When it comes to the key attributes executives associate with trustworthiness—including how, and how securely, the company’s sensitive data is transferred and handled, along with geopolitical or regulatory risk—no more than six in ten can say they’re very confident that their critical third parties come up to expectations.
A lack of complacency with the current state of affairs surfaces yet again in a third finding. The higher the confidence in the value delivered by their TPRM in the past two years, the higher the concern with getting the right strategic view, leadership support and resources to manage those risks better.
At least eight in ten worry about securing adequate support from within for their TPRM—be it in the form of budgets, leadership recognition or business-unit buy-in. A majority of the confident executives are very concerned about fundamentals: lack of strategy for use of third parties (49%), lack of criteria for distinguishing critical from noncritical third parties (42%) and inadequate attention to fourth/nth-party risks (42%). About half are very concerned about the adequacy of their security architecture.
Companies are growing more dependent on third parties for critical business functions. That’s why how you manage third-party risks is more than a matter of curiosity to your stakeholders. Be ready to tell your business customers how your TPRM enables secure, reliable and resilient supply chains. If you’re a direct-to-consumer business, be prepared to tell consumers how you handle privacy and data security and the value you place on this.
An appropriately designed TPRM can bring value to your organization and stakeholders in multiple, self-reinforcing ways. It enables customers to feel confident in sharing their data. It enables confidence in the reliability of your supply chain to deliver the quality you expect, on schedule. Your TPRM can also help you safely reduce the number of third parties in your ecosystem—improving your bargaining power, while lowering your risk profile. And that, in turn, can reinforce your consumers’ confidence.
Here are two actions you should take to begin to future-proof your third-party risk management program and build trust in third parties you depend upon.
First, set up a third-party risk management office, or TPRMO, that acts as a kind of connective tissue to all of the third-party risk areas in scope. Several functions touch third-party risk management: the business units that engage with them directly, the legal and procurement departments that govern contracting, the internal auditors that create and monitor the controls, the IT and security teams, and the compliance group. Your TPRMO can uncover opportunities to eliminate duplications, identify gaps in coverage and simplify third-party risk management operations.
Consider an automotive company. Most new car electronics require periodic software upgrades, typically supplied by third parties. The OEMs are responsible for confirming that owners’ personal information is protected when these upgrades take place—while also confirming that the cars themselves remain safe. How they handle these multiple stakeholders as they deliver the updates is critical. Without central coordination, the risks can fall through the cracks in the supply chain and scale up rapidly.
Consider also the growing ecosystem of third-party apps and tech providers across many industries. A central third-party risk office is better able to help guard against attacks like the hack via software-update revealed in December 2020—and the software supply chain intrusions that significantly affected 53% of respondents in 2020.
As a set of capabilities focused on a category of risks, TPRM falls under the umbrella of enterprise risk management—and needs to evolve along with the ongoing transformation of risk management into an intelligence-driven one risk office.
Second, make the right investments in technology to automate third-party risk management processes—it’s a huge opportunity for innovation. Third-party trackers expedite the monitoring of third parties at the initial assessments and throughout the life of the relationships. Automation helps speed up onboarding, without sacrificing deeper, more complete assessments of third parties. For example, an often-overlooked risk, given the increase in the use of third parties, is assessing providers at the vendor level, rather than at the level of the actual product or service being used. Many vendors have multiple points of access with organizations, and vetting them at the wrong level can inadvertently expose the company to risk.
Technologies such as Risk Command, ranging from single dashboards to real-time threat intelligence to real-time regulatory intelligence, can reduce the time to make intelligence-driven decisions and responses—mutually reinforcing your organization’s data trust practices.
Respondents with more mature data trust practices stood out in multiple ways:
Principal, Cybersecurity, Privacy & Forensics, PwC US
Principal, Cyber, Risk & Regulatory, PwC US