A new survey-based report from Prevalent, Inc., shows that, although organizations are starting to adapt their third-party risk management (TPRM) programs to address new and emerging non-IT risks, much more needs to be done to grow and mature these programs. Key areas needing improvement include incident response, compliance, and the vendor lifecycle.
Key findings from the 2022 Third-Party Risk Management Study include:
45 percent of organizations experienced a third-party security incident in the last year – but are using disparate tools that extend incident response timelines
69 percent of respondents say that the top concern facing their organization with regard to their usage of third parties is a data breach, with 45 percent of respondents reporting that they experienced a security incident in the last year – up from 21 percent in 2021. However, 8 percent of companies don’t have a third-party incident response program in place, while 23 percent take a passive approach to third-party incident response.
40 percent of organizations are paying more attention to non-IT security risks – but not enough
TPRM programs continue to focus on addressing the risks faced when working with IT vendors, but a surprising 40 percent of respondents in the study say they are focused on managing both IT and non-IT vendor risks. However, organizations continue to overlook less quantifiable non-IT risks such as modern slavery, anti-money laundering, and anti-bribery and corruption risks that could still lead to compliance violations, fines or negative reputational impacts.
TPRM is becoming more strategic but 45 percent of organizations are still using manual spreadsheets to assess third parties
Two-thirds of respondents report that their TPRM programs have more visibility among executives and the board compared to last year. However, that visibility came only after steep increases in cybersecurity issues involving third-party vendors and suppliers. Unfortunately, manual processes are still holding organizations back, with 45 percent reporting that they use spreadsheets to assess their third parties. These manual processes add unnecessary complexity and time to third-party risk audits, with 32 percent of respondents saying it takes more than a month – more than 90 days in some cases – to produce the reporting and evidence required to meet regulatory audits.