Sending the Right Message on Risk Management
The tone executives send regarding security risks trickles down to all employees and can affect a company’s third-party risk.
- Reduces the risk of working with untrustworthy third parties (71%).
- Incorporates integrity, ethics and trustworthiness in relationships with third parties (66%).
- Increases employee and third-party awareness of the importance of security, data protection and business resiliency (43%).
75% of respondents say third-party risk is serious and of these, 70% say it is increasing or significantly increasing.
60% and 68% of respondents, respectively, expect the Internet of things and migration to the cloud to increase third-party risk.
78% of respondents say cyber-attacks will have a significant impact on their risk profile. 76% say the Internet of things will have a significant impact. Cloud computing, mobile, and big data analytics will have a significant impact according to 71%, 67% and 51% of respondents, respectively.
Although they recognize the seriousness of third-party risk, respondents say the top two risk management objectives are to minimize downtime (56%) and minimize business disruptions (37%).
During the past 12 months, respondents spent an average of $10 million to respond to security incidents because of negligent or malicious third parties.
The incentive to create a comprehensive program for mismanagement is low. Only 29% of respondents say they have a formal program.
Asked to rate the effectiveness of their organization’s ability to mitigate or curtail third-party risk, 21% of respondents said they considered theirs highly effective (7+ on a scale of 1 to 10).
23% of respondents say the compliance department is responsible for managing third-party risk. 17% say it is the information security department’s job.
Only 37% of respondents say C-level executives in their organization believe they are ultimately accountable for the effectiveness of third-party management. 50% of respondents do not believe risk management is aligned with business goals, which senior management determines.
Boards of directors are not significantly involved in overseeing risk management activities, according to 17 respondents, or have some involvement, according to 23% of respondents.