Innovation in Compliance Podcast: The 2022 Third-Party Risk Management Industry Study
Description
During this Innovation in Compliance Podcast, host Tom Fox and Brad Hibbert, Chief Strategy Officer and Chief Operations Officer at Prevalent, review the results from the 2022 Third-Party Risk Management Industry Study.
Speakers

Tom Fox
Host

Brad Hibbert
Chief Strategy Officer and Chief Operations Officer at Prevalent
Transcript
Brad Hibbert: Don’t just do these point-in-time assessments on an annual basis or when you’re onboarding a vendor, but think about continuous assessments. Think about monitoring those vendors throughout the term of the contract and/or your relationship, to get apprised of anything that’s negatively impacting that vendor out there in the real world, and then making sure that you have the appropriate response plans in place to start to mitigate those risks.

Tom Fox: Welcome to the Innovation in Compliance podcast, part of the Compliance Podcast Network. Join us every week as we talk with industry innovators who are making compliance to help business run more efficiently and, at the end of the day, more profitably. Here’s your host, Tom Fox.

Tom Fox: Hello everyone, this is Tom Fox, back for another episode, and today I have back with me Brad Hibbert. The reason we have Brad back is Prevalent released a very interesting study entitled Third-Party Risk Management Industry Study that I thought was worth much deeper exploration on a podcast, so I asked Brad if he could visit with us again and he graciously agreed. So Brad, with that incredibly long-winded introduction, welcome back.

Brad Hibbert: Thanks, Tom. It’s great to be on the show again.

Tom Fox: Brad, could you remind the audience what your current role is with Prevalent?

Brad Hibbert: Yeah, I’m the Chief Strategy Officer and Chief Operations Officer at Prevalent. I run the day-to-day stuff with respect to the product development, just making sure that we’re building the tools that the market’s looking for and keeping our customers satisfied.

Tom Fox: Well, what the market is looking for, that is a great way to lead into this podcast, because as I said in the intro, we’re going to take a deep dive into the 2022 Third-Party Risk Management Industry Survey, and this tells us not only what the market wants but perhaps even what they need. So I was wondering if you could start with telling us, how did you guys develop the information for this report?

Brad Hibbert: Yeah, we’ve been doing the third-party risk management survey now for about three years, so we started it back in 2020. We’ll send it out to thousands of professionals that are focused on third-party risk management, a lot of them more from a security background, but we’re continuing to build that. And as those results start to come back in, we analyze, collate that information and start to analyze it, looking for trends to see how the market’s moving, again just to keep our pulse on kind of what the challenges are that the market sees and to make sure that we’re putting the solutions in place to enable our customers to create programs to mitigate those risks.

Tom Fox: You know, Brad, we visited a couple of times over the years around that, especially Prevalent in your work there, so I wanted to maybe start with asking what was maybe the overall assessment of third-party risk management, as either you determined or the team determined from the survey?

Brad Hibbert: Yeah, there’s a few high-level, I think, trends that we’re seeing. I think one is that third-party risk management is certainly getting more awareness within companies and within executive teams within companies. I think that, generally speaking, IT risks tend to be the primary concern of many companies, and so think about access control risks for your IT vendors, right, because it sort of provides access to the crown jewels of the corporations. Certainly I think IT risks are a primary concern, about 45 percent of the respondents, but what’s interesting is I think the market is continuing to mature: about 40 percent of the respondents also indicated that non-IT risks are important and are also being examined. So we thought that was a pretty interesting trend versus what we saw back in 2020.

Tom Fox: So I would like to go over some of the key findings, and before I start, or ask you about those, Brad, I have to say that some of the findings I found were hopeful, some frankly scared me, some I scratched my head a little bit at, and I don’t know if those were any of the emotions or feelings you thought in this, but maybe we could take a deep dive and see what people are doing. And so can we just go through the key findings, starting with number one?

Brad Hibbert: Yeah, as I mentioned, I think that what we’re finding is that more and more organizations are starting to look at the non-IT risks. That’s a good trend, right? So certainly expanding beyond the IT risks and realizing that, both with your IT vendors, they could be impacted by more things than just the security or data breach, but also your suppliers starting to come in in the purview of these programs as well. So the programs are starting to expand, I think, in two dimensions. One is that it’s no longer just about IT vendors, so organizations are trying to get a broader volume of visibility across that broader supply chain of IT vendors and non-IT vendors, and they’re also trying to get a broader visibility of the types of risks that they’re looking at. So maybe starting with the IT controls, but then layering in these other types of controls that can impact the supply chain. So that’s certainly one risk that we’re seeing. It’s a positive trend, as we mentioned in the report, but there’s certainly a lot more, I think, that the organizations could do to really kind of move beyond compliance requirements and really start to remove the risks associated with these third-party relationships.

Tom Fox: Brad, we’re going to link to the full report in the show notes, because not only is there more information in the full report, but you’ve got some great graphics; some were very helpful to me and some frankly scared me a little bit. And really under this first point, finding one rather, I found one that was somewhat disconcerting might be the best, and it’s an arrow that lists from the least important to the most important of risk, and number one was just the number of risks that must be considered by really every corporation. Some of them are very significant, some could be very costly in terms of fine or penalty, some could lead to huge reputational damage. And that really led to finding number two that I wanted to maybe ask you about. When you talk to your clients and customers, not... I think IT professionals and compliance professionals understand third-party risk, but what about higher-level business executives, even to the board of directors? Do they see this now as really strategic, and the solution and the response and the risk management strategies around third-party risk as strategic, so that we could start to get maybe that type of oversight?

Brad Hibbert: Yeah, I think we’re certainly seeing that in many of our accounts. If you look at those, you mentioned that one graphic that shows the most important to the least important. I think what you’ll find is the most important risks tend to be those starting with data breaches. Out of the survey respondents, so you’ll see it in the data, about 31 percent indicated that they were impacted by a third-party data breach versus 20 in 2020. So certainly seeing a big increase in the number of data breaches or data incidents impacting these organizations, driving that awareness. That’s followed by what you would expect, typical privacy and compliance requirements and violations, which could have associated penalties and so on, working its way right down to those softer objectives, if you will, things around environment, social, governance and those sorts of things. So we’re certainly seeing organizations thinking about these more broadly. And the conversations that we have with customers, in the past it was really around those IT security controls, dealing most of the time with teams out of the security department, and now what we’re finding is teams are coming to the table with multiple participants: people from security, people from procurement, people from contracts, legal, compliance, trying to understand how they can get a better, more holistic view of this concern around vendor risk, or comprehensive profile of vendor risk, and minimize that throughout that vendor life cycle. So we’re certainly seeing the increase in awareness and organizations looking to do more, but again, what they want to do and what they are doing in practice, kind of, we have a little bit of a gap. So there’s still more work to do from an actual program operation perspective.

Tom Fox: And then the other thing that struck me under this finding one: obviously more visibility is certainly positive, but you have a slide that lists certain corporate functions, info security, procurement, legal, compliance and risk management, and here they rated the third-party risk probably more applicable, or that they were concerned about, and I wondered, are you still seeing a siloed nature in the response to third-party risk? When I see a difference in types of risk, it really makes me worry that they are still seeing this, it’s just picking off one, then the next and the next, but in a siloed, less comprehensive nature.

Brad Hibbert: Yeah, that’s right. I think we always are pushing to have a more holistic view where you can harmonize the program across those different teams, but I do think in more cases than not you still have that isolation, not only in terms of which teams are interacting with the third party and focusing on the risk, but in terms of the workflows and the processes and the technologies that they’re using to identify and manage those risks. So info security certainly has their own tools; a lot of the time procurement will have a different set of tools that they work on for pre-contract diligence, maybe looking at credit scores and maybe looking at sanctions and those sorts of things. So we still certainly see different teams using different pockets of tools, and again, I think organizations realize that they can’t scale their programs effectively and efficiently doing that, and they want to work their way towards having that more harmonized approach. And again, I think that’s one of the things that organizations are going to be doing over the next few years.

Tom Fox: Brad, in finding number three, frankly I didn’t know whether to laugh or to cry or just be terrified, because it is a finding that manual methods for assessing third parties persist but dissatisfaction runs high, and there is a stunning graphic of not only companies still using spreadsheets, it’s actually increasing. So I always scratch my head when I see this, so I was wondering what your thoughts were on this finding.

Brad Hibbert: Yeah, I think a lot of organizations kind of know what end state they want to work towards. They’re struggling with a couple of things. One is who’s ultimately going to own this more holistic program in the future, right, so where does it fall, and also, you know, how do they do that. And many organizations today are still in the early stages of the program development. Many of them are still focusing just on the IT vendors, which are the most critical sort of tier-one vendors, and most of them are still primarily focused on those security risks, and when they do that they feel that they can kind of get by using manual methods, using spreadsheets and email and so forth to do that. Which, it’s good to get started, but the challenge is, as you try to grow and mature your program, you end up hitting a wall. You can’t scale the program without putting more people on it, or you can’t efficiently examine the risks and remediate those risks with the vendors, so you end up having a very dissatisfied user community and dissatisfying results of the program because of that. But certainly I think more organizations are doing something, and I think spreadsheets maybe is okay to kind of get going, but again, sooner or later those companies seem to be hitting a wall with respect to maturity.

Tom Fox: Brad, finding number four is entitled “Organizations are concerned with increasingly damaging third-party security incidents but are using disparate tools to detect, investigate and remediate.” What did you see in this finding?

Brad Hibbert: When you think about the market over the last couple of years, you know, starting back, and I think it was 2019, with the Accellion breach, and just over the last 12 months or so with Kaseya, SolarWinds, Codecov, the Microsoft Exchange vulnerability, Log4j, I think these high-profile, impactful data breaches are certainly raising awareness of the problem, and it’s causing more organizations to start to monitor the third parties for these types of data breaches, which is why I think we’re seeing more of these come up in our results. That of course is driving the need to do these programs, even if it’s just getting started on their critical vendors. I think it’s getting people to move, but certainly it’s pretty concerning when you see these breaches being successful in the last 12 to 18 months, and again, you know, these high-profile breaches targeting the supply chain because they can get leverage in their activities: if you can break into a technology or an MSP that has access to all these different customer environments, you get a windfall with respect to the investment that you’re making in that malicious or nefarious activity.

Tom Fox: Brad, finding number five: this was information that, one, I think is incredibly valuable; two, I’m not sure I’ve seen it in this format before; and three, it’s something that literally everyone asks, and that is how long from notice of an incident or breach to remediation. What did you see in this finding?

Brad Hibbert: When it comes to monitoring your supply chain for things like data breaches, and focusing on your tier-one vendors, for example, we still find that lots of organizations are kind of relying on the contract terms, which indicate that if you do come across an issue like this, that you notify us. So many organizations are still kind of taking a wait-and-see, or wait for the third party to contact you, and that can of course take a little bit more time, as opposed to you proactively monitoring your supply chain for data breaches or public disclosures, right, so you can kind of get instant access to that. Secondly, I think that many organizations don’t have an incident response plan in place for third-party data breaches. So either a specific third party is breached, what do you do about that? How do you trigger some workflow to start the remediation process with that vendor, and do you have SLAs in place with respect to that sort of activity? Or, number two, if something does happen like a Log4j or SolarWinds, do you know where you would be impacted? How do you reach out to that broad supply chain that you have to understand who is actually impacted by this high-profile data breach? So getting access to the information and identifying the issue is one challenge, and as we say in the survey, many take up to a week or more just to identify that a third party has had an incident. And then it’s, you know, what do you do when that incident happens, and we’re finding that if organizations do not have a third-party breach response process, the remediation process can take a lot longer than one might expect. So I think that there could be tightening up on both of those aspects: one is quicker identification that there’s been an issue, and number two is automatically kicking off an efficient process to remediate those risks and close that vulnerability, or that attack surface, if you will, much more quickly.

Tom Fox: Brad, in your next finding, it’s around third-party audits, and this is something that has been well known to literally every compliance professional, I think in every corporate discipline, since I’ve been involved in this, yet still many organizations find it challenging, and now you’re finding it more complex and time-consuming. What did this finding communicate to you?

Brad Hibbert: What we found with this was that organizations now are trying to manage more third parties, and in addition to those third parties, they’re trying to manage a more comprehensive risk profile, so crossing compliance and privacy and data breach and so forth. So the more things that they have to monitor, right, the more controls that they have to look at, and the more vendors that they have to go after, the more difficult it becomes for them to curate that information and put it into a format that’s appropriate for an audit. And so as they try to scale these programs, as they try to get more visibility, it becomes much more complex and difficult for them to prove their policies and processes are in place and that they’re doing what they need to do. Again, we saw that 42 percent indicated that they are audited yearly with respect to their third parties, and 23 percent are also audited on an ad hoc basis, and when they are audited, respondents are indicating that it takes between one week and one month to produce evidence to meet that regulatory audit. It’s a very costly, very time-consuming process, and the more visibility you want to get, and the more mandates that start to expressly require third-party coverage of controls, it just becomes more difficult for teams. But again, it’s kind of hitting the wall of organizations being able to actually scale the programs.

Tom Fox: Brad, the last finding, to me the title of it almost sounded counter-intuitive: it’s “The third-party risk management discipline falters as the vendor relationship progresses.” There’s a third-party risk management life cycle, there’s a vendor life cycle, there may be other life cycles at play. Where did these interactions, or intersections perhaps is a better word, where do you see that they begin to falter?

Brad Hibbert: You know, you think about sort of the vendor relationship, where everything from, you have these different phases that you go through, right: selection and sourcing, contracting, onboarding, you know, due diligence and remediation, monitoring and validation, off-boarding and so forth. As you go through these different phases, there’s different types of risks that organizations look at, and usually earlier in the cycle, when you’re looking to onboard a third party, is when you start doing that upfront diligence, and it’s when you have the most leverage, if you will, to getting the vendor to provide you the information. So what we’re finding is that up front, when you onboard a vendor, you know, looking for things like credit controls, making sure you look at a cyber snapshot, making sure you understand the breach history, looking at the sanctions, all of those things are done up front as you onboard the vendor. But as that vendor starts to go through that onboarding process and go through contract execution, that’s when visibility starts to dwindle: looking for ongoing cyber impacts or ongoing performance or ongoing issues with financials, it just seems to drop off after you kind of get to that execution phase of the contract. And we’re indicating that really you should keep a close eye on that third party throughout that entire life cycle, to off-boarding and termination.

Tom Fox: Brad, we started this podcast, or you rather started, by introducing the report and talking a little bit about the overall assessment, but as we move towards the end of the podcast, I was wondering, did this report give you any large trends? Does it help us understand where weaknesses in the market might be that Prevalent can help clients and customers not only plug some of these gaps, but move from a just-to-detect to a prevent-and-remediate type of third-party risk management program? Or do we have just a lot more work to do?

Brad Hibbert: There’s a few things that we can pull out of the report that we recommend to our clients. I think one thing is, if you don’t have a program, you know, I think it’s time to start one. Don’t wait till there’s a data breach or a massive violation before you kick off your third-party risk program, so be proactive. Think about getting the program up and running, but don’t try to boil the ocean day one. So let’s kind of get a program up and running, start tiering your vendors, looking at the top-tier vendors and looking at the top risks that can impact your organization. I think that’s one of the first things. So kind of start the program, show some success so you can grow that program over time. I think that organizations should consider a comprehensive risk profile of those third parties, so not just the IT vendors and not just the IT risks, but any vendor that can have a significant impact on the business. You want to include those within the program and get a comprehensive risk profile, that’s that whole, all that stats around IT and non-IT risks; you want to make sure that you’re following along and getting that comprehensive visibility. And next, I think that organizations need to push to get beyond the compliance checkbox. So don’t just do these point-in-time assessments on an annual basis or when you’re onboarding a vendor, but think about continuous assessments. Think about monitoring those vendors throughout the term of the contract and/or your relationship, to get apprised of anything that’s negatively impacting that vendor out there in the real world, and then making sure that you have the appropriate response plans in place to start to mitigate those risks. Don’t just identify that there’s a risk, but have a way to actually minimize that risk. And then I think as you grow and mature that program, you can start to harmonize with various departments. You know, we see a lot of teams that start with security, then they’ll start to harmonize with legal, and start to harmonize with procurement, so everybody who’s interacting with that vendor can understand the comprehensive risk profile and how they, in their job function, can make better risk-based decisions and kind of chip away at that risk posture. So in the end you amplify the effect of the program and really move beyond that checkbox, immediately reducing the third-party risk throughout the relationship.

Tom Fox: Brad, unfortunately we are near the end of our time. Before we leave, I have something to say, which is I wanted to thank you and Prevalent for putting this report together. Not only does it give us a snapshot of where we are now, or where we were when the data was collected, but more importantly, I see this as a great gap analysis, roadmap, benchmark that literally multiple corporate functions can utilize and hopefully take the information and move it up to a strategic level at the board. So thanks to you and your team for putting this together. But before we leave, if anyone wanted a copy of this report or more information on Prevalent, what would be the best way for them to find out?

Brad Hibbert: Just come to our website, www.prevalent.net. We have a lot of literature up there. This paper certainly highlights some of the trends that we’re seeing and some of the gaps, as you mentioned. We certainly have other best practices up there to show people how to get programs up and running, some of the other things that you can consider as you mature your program over time as well.

Tom Fox: Well, Brad, thank you again for taking the time to visit with me, and I am sure we will be continuing this conversation.

Brad Hibbert: That’d be awesome. Thank you.

Tom Fox: If you want to stay up to date on the latest innovations in compliance and help your business run more efficiently, subscribe to this podcast and help spread the word by leaving a review.

©2025 Mitratech, Inc. All rights reserved.