By Justin Goldstein
Special to GRC & Fraud Software Journal
A new MetricStream survey on the current state of third party risk management shows that many companies are exposed to real problems.
Respondents from more than 40 organizations across 15 industries – including financial services, retail, healthcare, pharmaceuticals and insurance – report exposure to a plethora of third-party risks. Whether the risk is data security, business disruption or compliance, organizations must have the relevant measures in place to mitigate its potential impact on continuity and reputation.
The survey’s key findings:
- Twenty-one percent of respondents reported that their organizations faced significant risk due to third parties in the last 18 months; of those who shared financial impact data on the losses, 25 percent said that the loss was greater than $10 million (generated through cost of downtime, regulatory fines and reputational damage)
- Nearly three quarters (73 percent) of businesses do not track fourth parties, meaning they have no visibility past their immediate suppliers
- Some 44 percent of respondents reported that their organizations don’t have a dedicated third-party risk management function or a centralized information repository, suggesting a lack of focus and tools
- Nearly half of businesses (48 percent) still use office productivity software to manage third-party risks, revealing immaturity of the function
French Caldwell, chief evangelist at MetricStream, says the survey shows underlying truths.
“As companies continue to outsource their processes and services in order to decrease costs, streamline or scale up quickly, they are opening themselves up to risks,” Caldwell says. “However, despite some supplier incidents costing upwards of $10 million, 44 percent of the respondents said that their business had no dedicated third party risk management function.
“Furthermore, as enterprises rapidly adopt cloud services, entities that would have been third parties when the services were managed in-house become fourth parties which are more difficult to monitor; nearly three quarters of businesses don’t track fourth parties in any capacity. It’s clear that many enterprises are yet to grasp fully how vital vendor risk management is.
“Businesses can no longer plead ignorance. They are responsible for the actions of their third parties and they will bear the brunt of any fallout.”
For example, Caldwell says, if a business shares sensitive data with a third party without checking whether it has relevant cybersecurity measures in place, and that supplier suffers a data breach, under some rules the company could be liable. Not only will it suffer reputational damage, but new regulations such as the EU GDPR could see large fines imposed too.
A press release with a link to the full report can be viewed here.