Third-Party Risk Management: Why 2023 could be the perfect time to overhaul your TPRM program

By Alex Klinger, Pre-Sales Engineer at SureCloud.

  • 1 year ago Posted in

Ensuring risk caused by third parties does not occur to your organization is becoming increasingly difficult. Every business outsources some aspects of its operations, and ensuring these external entities are a strength and not a weakness isn’t always a straightforward process. 

In the coming years we’ll see organizations dedicate more time and resources to developing detailed standards and assessments for potential third-party vendors. Not only will this help to mitigate risk within their supply chain network, it will also provide better security. 

As demand for third-party risk management (TPRM) grows, here we discuss some of the key reasons why we believe 2023 could be pivotal for the future of your organization’s TPRM program.

Focus on Environmental, Social and Governance (ESG) risks

In recent years we’ve seen an increased corporate focus on Environmental, Social and Governance (ESG) risks, not only within their own organization but also associated with any third parties or extended enterprises. 

As a result, ESG has become about more than avoiding risk. It’s a strategic priority. Leadership teams understand the importance of working with third parties whose objectives align to their own business strategy. Consumers and regulators are increasingly aware of their environmental and social responsibilities, so much so, ESG has become a requirement for key stakeholders too, particularly investors that want to be associated with companies that prioritize their ESG posture. 

For example, recent research from Gartner suggests that by 2024 75% of vendor risk management programs will be tracking the environmental, social and governance demands of their IT vendors to guide their decision making process. ESG is no longer a straightforward tick box exercise, there is much greater scrutiny of third-party practices as many businesses are incorporating ESG into their third-party risk management assessment. 

Including ESG in your TPRM strategy is not only a way to protect your organization against regulatory action, fines and reputational damage, but should also be seen as a business opportunity. It can help increase your customer base, attract investment and enhance brand reputation. However, if it’s not included, it can have serious repercussions. 

For example, analysis of ESG performance on firm market value conducted by Moody Analytics demonstrated that ESG controversies led to a significant, negative and abnormal equity return in the short-term, over an annual period. It found that moderate to severe ESG events generate abnormal stock market losses of -1.3% to -7.5% over twelve months, which represents a loss of approximately $400 million for a typical-sized firm in the study. This effect can already be seen in 2023, as shares of Glencore, the mining company, fell after its main Shareholders recently filed a resolution calling for more clarity over how its plans for thermal coal production aligned with the Paris Objective agreement to limit global temperature increase to 1.5C.

The upside to an increased focus on ESG programs is it’s pressuring organizations to rethink due diligence requirements 

The Impact of Nth Parties 

Organizations are becoming increasingly dependent on third parties and sub-contractors. A study by Gartner found that 60% of companies work with over 1,000 third parties, and they expect this number to increase as business becomes more complex. As a result, many organizations are beginning to recognize that the risks of connecting with these outside entities is far greater than they first thought. 

The reason for this is that any third-party that a business chooses to work with will likely have hundreds, if not thousands, of its own sub-contractors. Meaning businesses become more dependent on fourth, fifth and Nth parties, all of which introduce risk into their business ecosystem. 

For example, a business could rely on a manufacturer that experiences a transport failure or security vulnerability at a third-party cloud supplier, which presents a high-level of risk to their business, even though they are not directly connected. The issue of Nth parties was evidenced during the SolarWinds hack in 2020 where the hackers were not only able to access data and networks of their customers, but also the data and networks of the clients and partners of SolarWinds’ customers. The magnitude of the problem with Nth parties could be greater than that of third parties, as the third-party business environment continues to increase.

The level of risk Nth parties present to organizations supply chain management is becoming more apparent 

Increased frequency and sophistication of cyber-attacks on third parties 

Forrester predicted that 60% of security incidents in 2022 would stem from third parties. In 2021 there was a 300% increase in supply chain attacks, a trend that has continued to increase over the past 12 months also. For example, Japanese car manufacturer Toyota was forced to completely shut down its operations due to a security breach with a third-party plastics supplier. 

It’s not only the frequency of third-party attacks that has increased, but also the methods that cyber criminals are using are becoming increasingly sophisticated. For example, the SolarWinds cyber breach in 2020 was so advanced that Microsoft estimated it took over a thousand engineers to stop the impact of the attack.

As the sophistication and frequency of supply chain attacks increases, the impact they have on businesses reputations and valuations is also becoming apparent. There is a need for organizations to conduct thorough due diligence of the third parties they choose to work with, otherwise the consequences could be disastrous. 

Cybersecurity should be a non-negotiable feature of all business transactions

Increase in use of external assistance for TPRM

As the scope, complexity and importance of third-party management continues to increase, the need for companies to leverage the use of external assistance with the TPRM process will only increase as well. However, many businesses don’t have the capabilities required for TPRM, in terms of resources and technology. Some utilize in-house support and technologies as a cost-effective answer to the problem, though this can be restrictive as organizations need to be able to respond rapidly to an ever-changing and evolving regulatory environment. 

The need for external help will be compounded further by the increasing remit TPRM teams need to cover, which includes a wider range of risks, such as ESG and nth parties, as well as to achieve a deeper understanding of how risk is managed by each third-party.

It’s for these reasons that the use of external assistance, such as adopting technology enabled solutions and managed services, will only increase in the future. The Deloitte Global Third-Party Risk Management Survey 2022 supports this as 82% of companies surveyed anticipate greater demand for a comprehensive TPRM end-to-end service solution. 

Demand for a managed service and technological solution will become more popular than ever before. Organizations are increasingly looking for a tool that provides a comprehensive, end-to-end insight-driven service that runs the day-to-day operational activities of a TPRM department. 

The third-party risk management landscape is becoming more complex due to the rise in the number of external entities companies are working with. This means it’s now more important than ever for organizations to have a mature third-party risk management program in place. Utilizing the expertise of an external TPRM managed services provider could be the first step to future proofing your business, as well as preventing a large amount of potential financial and reputational damage.

A solution that provides cloud technology, automation, workflow systems and AI offers a more streamlined TPRM process

END

Author information

 

Name: Alex Klinger (GRC and Cyber Sales Engineer at SureCloud)

Bio: Alex currently works as a pre-sales engineer at SureCloud where he advises clients regarding SureCloud’s Cyber and GRC product suite. Previously, Alex worked at Deloitte where he worked with clients on developing their cyber GRC management process.

By Alasdair Anderson, VP of EMEA at Protegrity.
By Eric Herzog, Chief Marketing Officer, Infinidat.
By Shaun Farrow, Security Practice Lead at Bistech.
By Andre Schindler, GM EMEA and SVP Global Sales at NinjaOne.
By Darren Thomson, Field CTO EMEAI, Commvault.