New Survey Reveals Significant Business Vulnerabilities from Outsourced Vendor Ecosystem
WASHINGTON, DC (April 4, 2016) – When it comes to data security, US companies have great concerns about their third-party vendors. More than a third of businesses “do not believe their primary third-party vendor would notify them if a data breach involving sensitive and confidential information occurred,” according to the “Data Risk in the Third Party Ecosystem” survey, conducted by the Ponemon Institute and commissioned by BuckleySandler LLP and Treliant Risk Advisors LLC. While 37% of survey respondents did not believe they would be notified by their third-party vendors, an alarming 73% of respondents did not believe a fourth-nth-party vendor would notify them if they had a data breach. (NB: third-party vendors are direct service providers hired by a company. Fourth-nth-party vendors are indirect service providers or subcontractors hired by a third-party vendor.)
The Ponemon Institute, which conducts independent research on privacy, data protection and information security policy, was asked to carry out the study to understand the challenges companies face in protecting sensitive and confidential information shared with third parties.
The study notes that many companies have both direct and indirect relationships with third parties and fourth-nth parties that are important in meeting business needs. The study reveals that companies find it difficult to detect and mitigate risks associated with third parties that have access to confidential and/or sensitive company information.
Rena Mears, BuckleySandler Managing Director, whose practice focuses on privacy, cyber risk and data security, noted, "The type of risk we are seeing now is changing in response to our evolving data-driven economy. The risk to strategic data assets extends beyond any single third-party but rather to the web of relationships that comprise the data ecosystem." Mears continued, "Companies must understand managing data risk is not merely a compliance and contract issue but a fundamental strategic challenge in which personal data, intellectual property and transactional records must be protected from third, fourth and nth-party risk."
“The inability of so many companies to confirm whether third parties have had a data breach or cyberattack involving sensitive and confidential information should be a wake-up call for businesses across all industries,” noted Susanna Tisa, Chief Business Officer of Treliant Risk Advisors. “To mitigate this risk, companies should compile a comprehensive inventory of and conduct data and privacy risk assessments for all third-party vendors; however, we found that few companies represented in this research, in particular those outside the regulated banking sector, have done so."
The “Data Risk in the Third Party Ecosystem” study, which included responses from 598 individuals familiar with their organization’s approach to managing data risks created through outsourcing, also revealed a lack of confidence in third parties’ data safeguards, security policies and procedures.
“Despite the number of publicized data breaches throughout the US, there continues to be a significant lack of confidence and understanding within companies as to whether their security posture is sufficient to respond to a data breach or cyberattack,” explained Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute. “In fact, 60 percent of respondents said their companies still do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information, often citing a lack of internal resources to check or verify, or that the third party will not allow independent monitoring.”
Mears added, “The reliance solely upon contractual agreements instead of audits and assessments to evaluate the security and privacy practices of third parties continues to put companies at significant risk.”
The following survey findings reveal key risks and vulnerabilities with third-party relationships:
- Companies are often uncertain if their third parties had a data breach: Half of respondents (49%) confirm their organization experienced a data breach caused by one of their vendors, and a further 16% are unsure whether one occurred.
- The number of cybersecurity incidents involving third parties is increasing: 73% of respondents see the number of cybersecurity incidents involving vendors increasing; 65% of respondents also say it is difficult to manage cybersecurity incidents involving vendors.
- Respondents admit they are sharing sensitive data with third parties that might have poor security policies: 58% of respondents say they are not able to determine if vendors’ safeguards and security policies are sufficient to prevent a data breach; only 41% of respondents say their vendors’ data safeguards and security policies and procedures are sufficient to respond effectively to a data breach.
- Companies need to strengthen the governance practices of their vendor management programs: Only 31% of respondents rate their vendor risk management program as highly effective; only 38% of respondents say their organizations establish and track metrics regarding the effectiveness of the vendor risk management program, and less than half (48%) have a vendor risk management committee.
- Boards of directors are not involved in third-party risk management programs: 62% of respondents say their board of directors does not require assurances that vendor risk is being assessed, managed or monitored appropriately or they are unsure.
BUCKLEYSANDLER: BuckleySandler LLP provides premier legal counsel to protect and support the nation’s leading financial services institutions, corporations, and individual clients. With more than 150 lawyers in Washington, DC, Los Angeles, New York, Chicago and London, it offers a full range of litigation, transactional, compliance, and regulatory services. "The best at what they do in the country." (Chambers USA). Online: www.buckleyfirm.com | Twitter: https://twitter.com/BuckleySandler.
TRELIANT RISK ADVISORS: Treliant Risk Advisors LLC is a multi-disciplinary compliance, risk management and strategic advisory firm for the financial services industry and consumer-oriented businesses. Headquartered in Washington, DC, with offices in New York and Dallas, Treliant’s team of highly experienced professionals includes executives who have held senior positions in Fortune 100 companies, financial institutions and regulatory agencies. For more information, visit www.treliant.com.
PONEMON INSTITUTE: The Ponemon Institute, a research “Think Tank” dedicated to advancing privacy and data protection practices, conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in various industries. For more information, visit https://www.ponemon.org.