Organizations are failing, and badly, at assessing the risk of attacks and data breaches from vendors and supply chains, according to a recent Ponemon Institute study. The solution starts at the top.

Charlie Miller, Senior Vice President, The Santa Fe Group

May 2, 2016


From corporations to universities and large retail stores to small-to-medium businesses (SMBs), today’s organizations do not always have the structure and appropriate processes necessary to reduce risks associated with third-party vendors and ultimately avoid security attacks and data breaches. In fact, while 75% of senior executives and board members recently surveyed believe third-party risk is serious, and 70% believe third-party risk in their organization is significantly increasing, surprisingly only 26% of respondents believe that their organization’s third-party risk assessment of controls is effective.

The Shared Assessments Program recently sponsored a study conducted by the Ponemon Institute, surveying 617 board members and senior executives. The study, Tone at the Top and Third-party Risk (registration required), looks at the increase in cyberattacks and outlines best practices to reduce risk, which include an involved senior management team and a positive tone at the top. "Tone at the top" describes an organization's control environment as established by its C-suite and board. Because tone at the top shapes the organization's risk appetite enterprise-wide, management must be committed to a culture and environment that embraces honesty, integrity and ethics; employees are then more likely to uphold those same values.

Third-party risk is clearly on the rise within a continually changing threat landscape that includes the rapid growth of new technologies, such as IoT, and migration to the cloud. Effective assessments and best practices could spare an enterprise the approximately $10 million a year that respondents currently report spending to respond to security incidents, in addition to reputation loss, brand damage, theft of assets, and loss of worker productivity.

According to the Tone at the Top and Third-Party Risk study:

  • 78% of respondents believe cyberattacks will have a significant impact on their risk profile, followed by IoT (76%), cloud computing (71%), mobility and mobile devices (67%), and big data analytics (51%).

  • Organizations are failing when it comes to third-party risk assessment. Just 18% of respondents said that their company assesses the cyber risks of third parties.

  • Just 29% of respondents indicate they have a formal third-party risk management program in place, while 44% have an informal program and 27% have no such program.

  • Only 31% say their companies have metrics in place to measure the effectiveness of risk management activities.

So what does all of this data mean? As major security issues stemming from third-party and supply chain relationships continue to grow, those at the highest level of organizations must lead by example. Setting a positive tone and creating formal programs to manage third-party risk will ultimately help companies avoid becoming the next victim of an incident. The following are 10 steps an organization can take to implement a strong third-party risk management program, one that not only saves time and money but also improves the effectiveness of risk planning and third-party assessments and strengthens the overall risk management environment.

Step 1. The CEO and board of directors should be responsible for establishing a positive tone at the top. As shown in the Ponemon research, a positive tone at the top can improve relationships with third parties and reduce risk.

Step 2. The CEO and board of directors should become more proactive in the third-party risk program. This should include working with management to establish the vision, risk appetite, and strategic direction for third-party relationships.

Step 3. An organization should communicate its values to employees and other stakeholders through training and policies to ensure enterprise-wide adoption.

Step 4. Make the business case for dedicating more resources to third-party risk management by estimating the potential costs to your organization due to negligent or malicious third parties.

Step 5. Assess the potential threats posed by technologies such as cloud and IoT when they are used by third parties. The results of such assessments should include recommendations as to what technologies and personnel are needed to minimize those threats.

Step 6. Given the risk that cyberattacks pose to sensitive and confidential information, ensure that third parties have appropriate technologies in place to reduce and mitigate those threats.

Step 7. Third-party risk management programs should incorporate metrics that reveal the vulnerabilities created by the third parties in your organization’s supply chain.

Step 8. While the companies represented in the research have fairly mature risk management programs, it is not clear whether those programs incorporate a strategy for managing third-party risk. Such a strategy should cover the people, processes, and technologies for managing the risk.

Step 9. Assign accountability for the third-party risk management program to ensure the objectives of the risk management program are accomplished.

Step 10. Become involved in a consortium or council dedicated to best practices in addressing third-party risk.

Third-party risk is only going to continue to rise with the emergence of new technologies; therefore, instilling the importance of a positive tone at the top is crucial for all businesses. Improving your organization's relationships with third parties and educating all employees should be among the top risk management objectives for protecting your company, employees and customers.

About the Author(s)

Charlie Miller

Senior Vice President, The Santa Fe Group

Charlie Miller is senior vice president with the Santa Fe Group where his key responsibilities include managing and expanding the Collaborative Onsite Assessments Program and facilitating regulatory, partner and association relationships. Charlie has vast industry experience, having led vendor risk management and financial services initiatives for several global companies.

Charlie was previously the director of vendor and business partner risk management at AIG where he managed regulatory and governance activities for the organization's enterprise vendor risk management program, including co-leading the definition and implementation components. During his tenure at AIG, he simultaneously served as a Shared Assessments Steering Committee member where he used his industry expertise to manage key projects for the program. Prior to joining AIG, Charlie led the vendor risk management group at the Bank of Tokyo-Mitsubishi UFJ.
