In a new study, Data Risk in the Third-Party Ecosystem, sponsored by RiskRecon, a Mastercard Company, and conducted by Ponemon Institute, 1,162 IT and IT security professionals in North America and Western Europe were surveyed. All participants in the research are familiar with their organizations’ approach to managing data risks created through outsourcing. Over the coming weeks, we will examine and discuss the responses to the study.

Below, we present differences in perceptions about third-party data risks between respondents in North America (656) and Western Europe (506). In several findings, respondents’ perceptions in these different regions are consistent.

Low effectiveness in mitigating third-party and Nth-party risks exists in both regions. Figure 1 presents the high and highly effective responses (7+ on a 10-point scale). Only 38 percent of respondents in North America and 39 percent in Western Europe report high effectiveness in mitigating these risks. Effectiveness in mitigating Nth-party risks is even lower.

Figure 1. Effectiveness in mitigating third-party and Nth-party risks

Globally, third-party risk management programs are not effective. However, North American respondents are slightly more likely than Western European respondents to say their third-party risk management program is effective (42 percent vs. 39 percent of respondents).

Figure 2. Effectiveness in the organization’s third-party risk management program


North American respondents are more likely to see increases in cybersecurity incidents involving third parties (63 percent vs. 56 percent of respondents). Western Europe respondents are more positive than North American respondents about the third parties’ data safeguards and security policies and procedures being sufficient to respond to a data breach (45 percent vs. 35 percent of respondents), as shown in Figure 3.

Figure 3. Perceptions about third-party risks


Respondents in both North America and Western Europe report that their organizations are not evaluating the security and privacy practices of third and Nth parties, as shown in Figure 4.

Figure 4. Does your organization evaluate the security and privacy practices of third parties and Nth parties?


North American respondents are more likely to rely upon contracts that legally obligate the third party to adhere to security and privacy practices (63 percent vs. 54 percent of respondents). For Western European respondents, the primary method of evaluation is to have the third party conduct a self-assessment, as shown in Figure 5.

Figure 5. If yes, how do you perform this evaluation?


Download the study today to see the full results from our research, and stay tuned for our next blog, which will look at the lack of visibility into third and Nth parties.