Sponsored by RiskRecon, a Mastercard Company, and conducted by Ponemon Institute, a new study, Data Risk in the Third-Party Ecosystem, surveyed 1,162 IT and IT security professionals in North America and Western Europe. All participants in the research are familiar with their organizations’ approach to managing data risks created through outsourcing. Over the coming weeks we will examine and discuss the responses in the study.
We broke the survey questions and responses into five categories:
- Strategic shortfalls in third-party risk management governance
- Lack of visibility into third- and Nth-party relationships
- The realities of today’s third-party risk management programs
- Key factors impacting the likelihood of a data breach
- North America and Western Europe differences
In this blog post, we will look at the first category: strategic shortfalls in third-party risk management governance.
Cybersecurity incidents involving third parties are increasing and third-party data breaches are prevalent. Third-party data breaches can be caused by vendors, suppliers, contractors or business partners that may have weaker security controls than the organizations they provide services to. Stolen data may include sensitive, proprietary or confidential information such as credit card numbers, trade secrets, customer and patient data.
According to the research, 59 percent of respondents confirm that their organizations have experienced a data breach caused by one of their third parties, and 54 percent of these respondents say it happened within the past 12 months, as shown in Figure 1. Of these respondents, 38 percent say the breach was caused by one of their Nth parties, indicating flaws in the security controls third parties have in place for their own Nth parties.
Figure 1. Has your organization ever and in the past 12 months experienced a data breach or cyber attack caused by a third party?
The lack of accountability and involvement by boards of directors is a barrier to achieving a robust third-party security posture. As shown in Figure 2, no single function emerges as having full accountability for the third-party risk management program. Most accountability (36 percent of respondents) seems to rest with the general counsel/compliance officer (18 percent of respondents) and the CISO (18 percent of respondents).
Figure 2. Who is most accountable for the correct handling of the organization’s third-party risk management program?
Boards of directors are not kept informed about third-party risks. Only 40 percent of respondents say their organizations regularly report to the board about the state of their third-party risk management programs and the risks facing them. According to Figure 3, 58 percent of respondents say the board is informed only when a security incident or data breach involving a third party has occurred, and 35 percent say third-party risk is not a priority for the board. Forty-three percent say decisions about the third-party risk management program are not relevant to board members.
Figure 3. Reasons for not regularly reporting third-party risks to the board of directors