Treasury News Network

Learn & Share the latest News & Analysis in Corporate Treasury


Companies need greater understanding of third-party cyber risks

Organisations are increasing their focus on managing third-party risks but there's more to do to raise awareness levels and improve compliance. These were the main findings of a study on vendor risk management by the Shared Assessments Program, a collaborative consortium, and consultancy firm Protiviti.

The study, which assesses the quality and maturity of third-party risk programmes including cybersecurity, IT, privacy, data security and business resiliency controls, suggests that companies are now more aware of vendor and third-party risks than in the past and have improved their management of those risks.

Lack of understanding of cyber risks in vendors

Overall, the study shows that the higher the board-level engagement and understanding of cybersecurity risks, the better the organisation is at managing third-party risks – but it warns that there is less widespread understanding of reducing cyber risks in vendors. The survey's main findings are:

  • There is a clear correlation between boards with high engagement in and understanding of cybersecurity risks and organizations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organizations with high and low board engagement.
  • While many boards (39 per cent) have a high level of engagement in and understanding of cyber risks within their own organisation, significantly fewer (26 per cent) understand and are engaged in reducing cyber risks in the vendors that directly support their organisations. Even at board of directors' level, third-party risk management awareness levels are still lagging.
  • Despite higher maturity levels in all of the eight vendor risk components, the study shows there is still a long way to go before organisations routinely have fully operational third-party risk programmes with all recommended compliance measures in place.
  • In 2016, there has been a narrowing of the maturity gap between financial services and all other verticals, most likely a function of increased regulatory pressure in sectors that include insurance and health care.
  • 65 per cent of all organisations have an incident response plan for events at vendors or third parties.
  • Financial services organisations are more likely to have an incident response plan in place – 75 per cent currently have established plans.
  • 61 per cent of organisations test their plans for vendor or third-party events.

The survey had input from 400 C-suite executives, risk management and audit professionals from a mix of industries, with the largest contingent in financial services. It used a benchmarking tool for evaluating the quality and maturity of third-party risk programmes. The infographic below shows that companies in which the board is highly engaged with vendor cybersecurity have a far better overall level of vendor risk management maturity.


CTMfile take: This highlights some of the areas where companies can improve their third-party risk management; cybersecurity in vendors is one important area to address.
