The current state of third-party risk management

Third-party risk management (TPRM) professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk, according to RiskRecon and Cyentia Institute.

As a result, the study found more enterprises are moving towards data-driven third-party risk management programs.

Many firms use questionnaires to assess vendor security risk

The research, based on a survey of 154 active TPRM professionals, found that 79% of firms have a TPRM program, 84% of which use questionnaires to assess vendor security risk.

While 81% of enterprises report that at least 75% of their vendors claim perfect compliance to their security requirements, only 14% are highly confident that vendors actually perform those requirements.

“In the mass outsourcing of systems and services to third parties, enterprises have dramatically increased the scale and complexity of their risk surface. This study reveals that risk professionals widely are of the opinion that questionnaire-based assessments are sufficient for managing third-party risk. The magnitude of risk in the hands of third parties necessitates much better performance visibility than questionnaires can provide,” said Kelly White, CEO, RiskRecon.

“Increasingly, third-party risk teams are adapting the risk management strategies deployed to protect their internal enterprise – rapid acquisition and analytics of objective data that reveal the reality of the quality of each vendor’s risk management program. For example, rather than just trusting vendors’ word that they are properly patching systems, they are using security ratings services and other information sources to objectively assess the quality of their patch management program.”

While the adoption of TPRM surges, there’s still more to be learned

• Companies are critically dependent on third parties, trusting them with their most sensitive data and operations functions. The survey found that one out of three TPRM programs manage more than 100 vendors per year. On average, respondents said that 31% of their vendors could cause a critical impact to their organization if breached, while 25% claim that half of their entire network could trigger severe impacts.
• Lack of proper resources and support continues to be a challenge for effective risk management. 57% of respondents say that staffing levels regularly limit their ability to keep up with the responsibilities of managing risk across their third-party portfolio, as TPRM programs typically manage 50 vendors per full-time employee. And more than 25% of programs report severe personnel shortages, which prevents critical tasks from being completed.
• Professionals do not trust questionnaire-based assessments; adding objective data to close the gap. Only 14% of surveyed professionals report being highly confident in the accuracy of vendor questionnaire responses. For this reason, 42% of respondents use cybersecurity ratings, along with other measures as part of their assessment mix.

“Our study clearly shows that the necessity to manage third-party risk well is not lost on security leaders. While this may be the case, there are stark differences in the methodologies of assessing third-party risk,” said Wade Baker, partner, Cyentia Institute.

“While security questionnaires remain a common program pillar, companies are seeking to achieve better risk outcomes more efficiently by leveraging objective assessment data from services such as security rating solutions. This is where the future patterns and practices of third-party risk management will be defined.”