We are all familiar with the mantra on the importance of managing third-party risk to prevent anti-corruption, sanctions, money laundering and associated risks.  Over the last ten years, however, we have observed a new and important addition to the third-party risk plate – cybersecurity and data breach. 

And of course we have a posterchild for this risk – the 2013 attack on Target’s financial and retail data.  In that year, hackers gained access to Target’s network through a third-party vendor.  The hacker gained access and then stole Target’s sensitive customer  information. This was a wakeup call to every business – weaknesses in a third-party’s cybersecurity network can be exploited by hackers to the detriment.

This initial concern combined with another important trend and potential risk – damage to a company’s supply chain through exploitation of vendors and suppliers that may not be directly in contact with a specific company.  As hackers become more sophisticated, their ability to exploit potential vulnerabilities extends beyond just those vendors and suppliers that have direct access to a company, but can include indirect, multi-level hacks that can ultimately lead to your company’s data.

In an interesting survey of 209 Security and Information Technology Leaders released by the Cyber Risk Alliance (“CRA”) in January 2023, Third-Party Risk: More Third Parties + Limited Supply-Chain Visibility = Big Risks for Organizations, the CRA concluded that respondents believe that third parties are increasingly the cause of IT security incidents, and as a result, organizations are now emphasizing third-party risk and devoting more attention to this area. 

This risk has been increased by the fact that an organization’s vendor population have increased their own dependency on other partners and sub-contractors and an increasingly complex supply chain.  As a result, organizations lack visibility into third and fourth-party partners and relevant security vulnerabilities and data exposure.  In sum, this situation has resulted in increased risks of hacker attacks and breaches originating from third party populations.

To restate the obvious – organizations suffer from a severe lack of visibility into their supply chain and complex third-party networks.  The potential for severe consequences – business disruption, business losses, network disruptions, data loss and reputational damage – should be of concern to corporate boards, senior management CISOs and CCOs.

Organizations have to meet the demands for cyber risk management in this risk-permeated environment to satisfy various key stakeholders, including shareholders, customers, regulators, insurance providers, and the public. 

Unfortunately, managing these risks is a serious challenge.  Organizations reported significant obstacles to managing third parties and access to funding, resources and qualified staff. In particular, companies reported difficulties in persuading third-parties to respond to questionnaires and to address potential security vulnerabilities.  Many organizations reported that they intend to increase investment in technology and staff to manage their third-party risks.

Interestingly, more than half of all respondents (57%) reported they were victims of an IT security incident — either an attack or a breach — stemming from a third-party partner in the past 24 months. On average, organizations suffered two third-party security incidents (attacks or breaches) in the past two years. Fifty-two percent (52%) reported the source of their attack was a software vendor. And nearly 4 in 10 respondents (39%), reported that a business partner, subcontractor, or IT service provider was responsible for the cyber incident.

Organizations reported that managing third-party risks was difficult because of a lack of qualified staff (49%), absence of visibility into third-party risks (45%), insufficient budget (44%), and a lack of an automated third-party management technology solution (44%).

To mitigate cyber risks from third parties, nearly two-thirds of respondents cited employee training as the most common measure to mitigate such risks.  In addition, respondents cited their use of annual  risk assessments, third-party policies, and third-party attestations as risk mitigation strategies. 

More than half (56%) of respondents expected “some investment” in a third-party risk technology in the next 12 months.  Twenty-seven percent (27%) of the largest organizations expected to make significant investments to address this risk.