New global study shows deep concern about third-party cyber risk
- Published: Wednesday, 03 April 2019 13:17
BitSight and the Center for Financial Professionals (CeFPro) have released the results of a joint study shedding light on how financial institutions are addressing challenges associated with third-party cyber risk. Based on a survey of financial services professionals from around the world, the ‘Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices’ report found that managing third-party cyber risk is critical to their businesses, but a lack of continuous monitoring, consistent reporting, and other blind spots are creating challenges that could leave organizations vulnerable to data breaches and other consequences.
Most larger organizations work with hundreds, if not thousands, of third parties, creating new risks that must be actively managed. The financial industry, in particular, has a massive business ecosystem made up of legal organizations, accounting and human resources firms, management consulting and outsourcing firms, and information technology and software providers. Each of these vendors poses a potential weak spot for cyber threats if risk is not actively managed to protect the exchange of data and other sensitive information.
"Managing third-party cyber risk has rapidly become the #1 concern for businesses," said Jake Olcott, Vice President of Communications and Government Affairs at BitSight. "Many in the financial sector are taking action to manage that risk, but as our survey shows, there is vast room for improvement in key areas like continuous monitoring and effective board reporting."
Key findings from the Third-Party Cyber Risk for Financial Services Report include:
Third-party cyber risk is driving key business decisions. Nearly 97 percent of respondents said that cyber risk affecting third parties is a major issue. Meanwhile, nearly 80 percent of respondents said they have terminated or would decline a business relationship due to a vendor's cyber security performance. 1 in 10 organizations has a role specifically dedicated to vendor, third-party or supplier risk.
There is a lack of consistent third-party risk measurement and reporting. Only 44 percent of respondents are reporting on this risk to their executives and boards on a regular basis. This lack of regular reporting could be the reason why nearly one in five respondents think boards and executives are not confident or do not understand their approaches to third-party risk management (TPRM).
A majority of organizations aren't using critical tools. Respondents reported that they still rely on tools like annual on-site assessments, questionnaires and facility tours to assess third-party security posture, giving them limited visibility into their third-party cyber risk.
TPRM challenges and concerns for the future continue to grow. Companies are concerned with the accuracy and actionability of risk assessment data, as well as an unclear responsibility for this type of risk management within their organizations. Looking toward the future, respondents are focused on making their security programs more effective while staying up-to-date on new regulations and prioritizing continuous monitoring and visibility.