Prevalent, Inc., has published a new report, ‘The 2023 Third Party Risk Management Study: How Are Organizations Avoiding TPRM Turbulence?’. This provides insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide.
The findings clearly illustrate that 2022 was a turbulent year for the practice of third-party risk management (TPRM). Over the past year, organizations dealt with the fallout from the Russian invasion of Ukraine and resulting supply chain disruptions, damaging and widespread third-party breaches and security incidents (including LastPass, OpenSSL, Okta, Toyota, and several in healthcare), and emerging regulatory oversight in areas beyond IT security such as ESG. While organizations have matured their TPRM programs since last year’s study, there is still more work to do.
Key findings from the 2023 Third-Party Risk Management Study include:
- 41 percent of companies experienced an impactful third-party breach in the last 12 months, but rely on overlapping tools and manual processes which slows incident response.
- An overwhelming majority of companies (71 percent) report that the top concern regarding the usage of third parties is a data breach or other security incident due to poor vendor security practices. However manual methods still persist, with a large percentage of companies using spreadsheets and an increasing percentage using news feeds to learn about breaches. The good news is that companies not monitoring for third-party breaches dropped from 12 percent to 4 percent.
- Third-party data breaches and security incidents are driving increased information security involvement in TPRM. 70 percent of respondents report that information security is more involved in third-party risk management than ever, and 71 percent indicate that Information security fully owns the TPRM program. 62 percent of respondents to this year’s study indicated that third-party data breaches and security incidents were top drivers behind increased involvement in third-party risk management.
- Nearly half of companies continue to use spreadsheets. According to the report a ‘disappointing trend’ continues in 2023 as a growing number of organizations (48 percent) are using spreadsheets to assess third parties. This percentage is up from 2022 and 2021, where 45 percent and 42 percent of companies, respectively, said they were using spreadsheets. Only 4 percent of respondents indicated that they are not currently assessing third parties at all, which continued a downward trend from 2021 (10 percent) and 2022 (8 percent).
- There is a huge gap between tracking and remediating risks across the lifecycle – and on average 20 percent of companies are doing nothing. Not surprisingly, the offboarding and termination stage of the third-party relationship lifecycle sees the lowest percentage of companies tracking (47 percent) and remediating (38 percent) risks, and the highest percentage of companies doing nothing at all (39 percent).