A series of high-profile cyberattacks on large corporates, as well as a wave of new cybersecurity-related regulations that are currently making companies rethink their online data and cybersecurity processes – such as the EU’s General Data Protection Regulation (GDPR), China’s complex Cyber Security Law (CSL) and the stringent New York Department of Financial Services (NYDFS) Cybersecurity Requirements – are changing the way companies are viewing not only their own cybersecurity risks, but also those of third parties.

The majority (53 per cent) of companies surveyed said they would end or change their relationships with some vendors if there were heightened risk levels – and one of the most-cited reasons was fourth-party risk issues and an inability to resolve them. The survey – by Protiviti and Shared Assessments – also found that board members were not engaging enough with third-party risks.

Repercussions from vendor data breach

Protiviti's Cal Slemp said: “While our study revealed increased board engagement in cybersecurity, there is an ‘engagement gap’ in that boards remain more engaged in their own companies’ internal cybersecurity risks than the cybersecurity risks of the organizations’ vendors, which can have negative repercussions if even one of those vendors has a severe data breach.”

Seven out of 10 companies said they will change their high-risk relationships over the next 12 months. And nearly half (48 per cent) said it has become imperative from a risk and regulatory standpoint to assess vendors’ contractors.

The survey gathered data in the second and third quarters of 2017 from 539 c-suite executives and risk management and audit professionals, most of whom were from companies with revenues more than $1 billion.