Third-party risk management programs studied: questionnaires a weak area?
- Published: Tuesday, 24 November 2020 10:26
RiskRecon, a Mastercard Company, and the Cyentia Institute have published an in-depth study that explores the current state of third-party risk management (TPRM) programs and practices. The research found that TPRM professionals increasingly do not trust that security questionnaires provide sufficient information to properly understand and act on their third-party risk. As a result, the study found more enterprises are moving towards data-driven TPRM programs.
The ‘State of Third-Party Risk Management’ research is based on a survey of 154 active TPRM professionals. It found that 79 percent of firms have a TPRM program, 84 percent of which use questionnaires to assess vendor security risk. While 81 percent of enterprises report that at least 75 percent of their vendors claim perfect compliance to their security requirements, only 14 percent are highly confident that vendors actually perform those requirements.
The intent of the study was to understand the challenges currently facing TPRM programs and gather intelligence about how companies are meeting these challenges. And while the adoption of TPRM appears to be on the rise, there are additional lessons to be learned. For example:
- Companies are critically dependent on third parties, trusting them with their most sensitive data and operations functions. The survey found that one out of three TPRM programs manage more than 100 vendors per year. On average, respondents said that 31 percent of their vendors could cause a critical impact to their organization if breached, while 25 percent claim that half of their entire network could trigger severe impacts.
- Lack of proper resources and support continues to be a challenge for effective risk management. 57 percent of respondents say that staffing levels regularly limit their ability to keep up with the responsibilities of managing risk across their third-party portfolio, as TPRM programs typically manage 50 vendors per full-time employee. And more than 25 percent of programs report severe personnel shortages, which prevents critical tasks from being completed.
- Professionals do not trust questionnaire-based assessments; adding objective data to close the gap. Only 14 percent of surveyed professionals report being highly confident in the accuracy of vendor questionnaire responses. For this reason, 42 percent of respondents use cyber security ratings, along with other measures as part of their assessment mix.
“Our study clearly shows that the necessity to manage third-party risk well is not lost on security leaders. While this may be the case, there are stark differences in the methodologies of assessing third-party risk,” said Wade Baker, partner and co-founder, Cyentia Institute. “While security questionnaires remain a common program pillar, companies are seeking to achieve better risk outcomes more efficiently by leveraging objective assessment data from services such as security rating solutions. This is where the future patterns and practices of third-party risk management will be defined."