An Update on TPRM Programs
A new survey finds that companies are — at long last — pushing their third-party risk management programs up the maturity curve, as they move from monitoring the cybersecurity risks among their vendors to actually reducing those risks.
The report comes from BlueVoyant, a firm that helps businesses to manage their supply chain cybersecurity risks. (So keep that commercial interest in mind as we consider the findings, but the findings are useful to consider nonetheless.) BlueVoyant published its 2024 State of Supply Chain Defense report today, which surveyed 2,100 C-suite executives around the world who are responsible for supply chain and cyber risk management.
The big theme is that companies are moving beyond building awareness of third-party risk management (TPRM) within their organizations, to implementing specific programs and enforcing security standards on their vendors. That alone is a huge step forward, even if companies are still struggling with how to hold their vendors accountable (which, to be clear, companies still are).
Some of the more notable findings:
- 36 percent of survey respondents said they are pursuing “a far more active role” in working with vendors to remediate cyber risks. That’s up from only 19 percent in 2023, which “indicates meaningful progress, but still leaves substantial room for future improvement,” as BlueVoyant put it.
- 81 percent said their organizations had suffered some sort of harm in the prior year from a cybersecurity breach within their supply chain. That’s actually down from 94 percent in the 2023 survey, so in a roundabout way this demonstrates that better TPRM programs are indeed yielding better results.
- Larger organizations are struggling more with TPRM, because they tend to have more vendors and it’s more difficult to monitor them all. The more vendors in your extended enterprise, the greater the odds that you suffered a cyber breach via your supply chain. (See Figure 1, below.)
So overall, companies are making strides toward better third-party risk management (good), but they still struggle to operate an effective TPRM program at scale (bad). Let’s consider a few implications of that.
Different Strokes for Different Folks
One interesting finding was that different industries tended to assign third-party risk management to different groups. For example, among healthcare and pharma companies, the business function most likely to “own” TPRM was the IT department. For the energy and business services sectors, it was a dedicated risk management function. For the financial services sector it was legal.
I won’t pass judgment on which business function is best suited to handle cybersecurity in the supply chain, since that decision depends on each company’s unique profile of risks, organizational structure, and employee talent. But the BlueVoyant report does suggest that we lack a “standard model” for addressing cybersecurity risks in the supply chain. Think about the questions that raises.
For example, how will your company ensure that its TPRM issues are effectively addressed across the enterprise? You’ll need some way to confirm that you understand the compliance risks (best understood by legal, privacy, or compliance teams), the technical risks (best understood by IT), and the operational risks (best understood by procurement or finance).
Once you do develop those mechanisms — and remember, the BlueVoyant report says that companies are doing so — you still need to enforce your security standards on your supply chain. Who does that? Who plays the heavy telling a vendor to live up to the Service Level Agreement it signed or it will get the boot? If your IT function detects those SLA failures, does it also drop the hammer on the offending vendor, or does some other team (legal or procurement, probably) do that? If so, you’ll need to develop a process so that IT collects and conveys the information to the hammer-dropping team, and said team then drops said hammer with appropriate force and speed.
Next question: How can vendors respond to all these demands for cyber assurance, when different customers might be asking for different things? It’s easy to mutter, “Well, that’s the vendor’s problem,” but we are all someone else’s vendor. We need to streamline the demands for assurance that we place upon vendors; otherwise everyone will be spending all their time answering compliance questionnaires or responding to some alleged cyber incident that a customer picked up from a vulnerability scan it has been running against you.
I’ve met TPRM vendors who say artificial intelligence will help to ease these pain points. For example, AI will be better at extracting and analyzing data that vendors make available through some sort of API, and be better at studying alleged incidents to reduce the rate of false positives that waste everyone’s time.
OK, I accept that maybe AI tools will save the day — but for lots of organizations that’s still in the future. We still need to develop standard methods of implementing TPRM systems regardless of the specific need AI might fill, akin to the standard methods that exist for testing financial assertions or managing whistleblower hotlines. TPRM isn’t there yet.
Next: The Evolution of TPRM
More broadly, I also wonder how organizations will move to a standard model for third-party risk management.
For example, with so many companies taking such different approaches to TPRM right now, how will people with TPRM expertise easily circulate through the workforce? An IT security professional might develop strong TPRM abilities over the years, with a keen understanding of contract management challenges and potential compliance risks — but would another company where legal runs the TPRM program be able to recognize those capabilities? Or would the hiring managers be hung up on misguided notions that TPRM leaders must always hail from a legal background?
I also wonder how auditors and regulators will assess a company’s TPRM program when we have such diversity of practice. Let’s assume that the Public Company Accounting Oversight Board does adopt its proposed NOCLAR rule later this year and audit firms need to start scrutinizing a client’s third-party risk management more closely. How will they do that? Will they try to impose assumptions they have about how a TPRM program is “supposed” to look?
What about regulatory examiners, or enforcement attorneys investigating some cybersecurity failure you suffered thanks to a vendor? How will they evaluate your TPRM capabilities when firms do things so differently?
In the fullness of time, answers will emerge for all of these questions, just like they emerged for SOX compliance or expectations for whistleblower hotlines. I just don’t know when that will happen. The BlueVoyant report shows that companies are taking steps forward — but the risks are galloping ahead even faster. That makes for a bumpy ride.