Risk professionals relying on questionnaire-based assessments could be in for a rude awakening, according to Mastercard’s RiskRecon and the Cyentia Institute.

With major companies like Marriott, Instagram, P&N Bank, and General Electric experiencing breaches related to attacks on vendors this year, it is increasingly more important for enterprises to have third-party risk management programs.

Mastercard’s RiskRecon and cybersecurity research firm Cyentia Institute together issued a new report that analyzes these third-party risk management (TPRM) programs, finding that companies use hundreds of vendors but struggle to gain a true understanding of each one’s cybersecurity posture.

The “State of Third Party Risk Management” report surveyed 154 third-party risk management professionals and found that they assess a median of 50 vendors each year, with most enterprises reporting having a TPRM program for about five to six years. Respondents said 31% of vendors are considered a material risk in the event of a breach, while 79% have formal programs in place to manage third-party risk. More than 60% said managing such risk is a growing priority for their organization.


The majority of respondents worked for organizations in the financial services industry, but others worked in technology and healthcare.

“In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide,” said Kelly White, CEO and co-founder of RiskRecon. 

“Increasingly, third-party risk teams are adapting the risk management strategies deployed to protect their internal enterprise – rapid acquisition and analytics of objective data that reveal the reality of the quality of each vendor’s risk management program,” White said. “For example, rather than just trusting vendors’ word that they are properly patching systems, they are using security ratings services and other information sources to objectively assess the quality of their patch management program.”

Small staffs struggle with growing number of vendors

Respondents were split almost evenly: one third assessed fewer than 25 vendors annually, another third handled between 25 and 100, and the last third dealt with more than 100 vendors. About 5% of respondents were in charge of assessing more than 750 third parties every year.

While the average respondent said about 30% of their vendors would pose a risk to their own operation if breached, another quarter said half of their third-party vendors could have a severe impact on their enterprise if an attack succeeded.

Less than 10% of respondents said their organization had dealt with a breach caused by a third-party compromise during the last three years, but another 30% said they “preferred not to answer.”

The report notes that attacks on third-party vendors are becoming more common and more devastating as more companies rely on others for critical services. In a separate report, the researchers said they examined 813 multiparty incidents and found a total of 5,437 downstream loss events.

“Practitioners are facing three massive risk factors that will drive powerful innovation over the next few years,” the report said: “First, enterprises have outsourced a massive amount of systems and services to third-parties, placing their sensitive data and their ability to operate in the care of other organizations. Second, professionals increasingly don’t trust that questionnaires yield sufficient information for them to properly understand and act on their third-party risk. And third, third-party risk teams are having difficulty keeping up with demand for their services.”

Due to the rise in frequency, two-thirds of respondents said TPRM programs were becoming a priority for their enterprise, and nearly 80% said their company had instituted a formal program designed to address it.

These programs were not always created on the enterprise’s own initiative. More than 20% of respondents said they were created due to an executive mandate, while 16% said it was a customer requirement. Many also said they have to report third-party vendor risk to their board, which made them more likely to view it as an issue worth addressing.

More than half of respondents said these TPRM programs were organized and run by the information security department, while 15% said they fell under vendor management or procurement. Another 15% said it was led by the compliance or legal department. 

About 30% of respondents said their enterprise did not have any full-time employees dealing with third-party risk, and just 1 in 10 respondents had 15 or more employees working on TPRM.

The lack of staff was cited by 57% of respondents as a reason they were limited in their ability to keep up with the responsibilities of managing risk across their third-party portfolio. More than 25% of respondents said that “severe” personnel shortages resulted in work rarely or never getting done.

Debate over honesty in questionnaires

According to the study, 84% of respondents said they used questionnaires as their main risk assessment method, while another 69% said they used documentation reviews. Half of all respondents said they also used remote assessments or cybersecurity ratings.

About 40% of respondents use industry-standard question sets such as SIG, SIG Lite, or CAIQ, supplemented with their own questions specific to their business or industry. Nearly 70% of these questionnaires ask vendors between 11 and 100 questions.

For 81% of respondents, at least 75% of their third-party vendors pass these questionnaires. Yet just one-third of respondents said they believed the responses vendors provide to TPRM questionnaires.

“Our study clearly shows that the necessity to manage third-party risk well is not lost on security leaders. While this may be the case, there are stark differences in the methodologies of assessing third-party risk,” said Wade Baker, partner and co-founder of Cyentia Institute. 

“While security questionnaires remain a common program pillar, companies are seeking to achieve better risk outcomes more efficiently by leveraging objective assessment data from services such as security rating solutions. This is where the future patterns and practices of third-party risk management will be defined.”
