Industry executives and experts share their predictions for 2022. Read them in this 14th annual VMblog.com series exclusive.
Third-Party Risk Management in 2022: What to Expect and How to Respond
These top five trends will dominate your third-party risk management conversations in 2022. Is your TPRM program ready?
By Brad Hibbert, Chief Operating Officer and Chief Strategy Officer, Prevalent
Continued pandemic-related supply chain disruptions. Increasing numbers of data breaches targeting third parties. More regulatory scrutiny of business governance. If there is anything the last 18 months have taught us, it's that we should expect the unexpected. But how should third-party risk management programs prepare for 2022?
Based on hundreds of customer and industry conversations we've had in the last year, here's what we believe you should expect in the next 12 months and how to adapt your programs accordingly.
Prediction #1: Ransomware will become the top tactic used in software supply chain attacks and third-party data breaches in 2022.
After a banner year of high-profile ransomware attacks originating from third-party suppliers (the Kaseya VSA incident among others), 2022 will only see more as cybercriminals continue to refine their attack methods, increase their sophistication and follow the money. Top targets will include third parties that supply goods and services to the automotive, mid-sized banking and retail industries, because of the criticality of the data and systems those suppliers have access to. Organizations would do well to run event-driven risk assessments on a regular cadence and to deploy continuous cyber and breach monitoring, so that they have an early-warning picture of potential attacks against their third-party ecosystems rather than learning of them from the supplier's breach notification.
Bonus stretch prediction: Despite increases in ransomware attacks against healthcare organizations, cybercriminals will gain a conscience in 2022 and cease targeting hospitals due to the risk of the loss of innocent life. After all, there is honor among thieves.
Prediction #2: Increased board-level and executive awareness of third-party risk management means better metrics will be needed.
Perhaps owing to the increased number of third-party data breaches, continuing pandemic-related supply chain disruptions, and new regulatory visibility into ESG, third-party risk management has become a common topic among executives and boards.
Moving into 2022, executives will be looking for demonstrable, risk-reduction-centric improvements to continually justify the expenditure on third-party risk management. This will mean a renewed focus on metrics that paint a meaningful picture of third-party risk. Third-party risk programs will be measured on their ability to demonstrate risk remediation and ethical progress without hindering standard business operations, all while demonstrating cost control and efficiency. This will require you to evolve your reporting beyond activity counts (how many assessments you've completed) to outcome measures: how many identified risks were remediated, how quickly, and how much residual risk remains in the business.
Prediction #3: More focus on non-IT-security risk dimensions, including ESG, health and safety, diversity and ethics.
While ESG and ethics have often been checkbox addendums to contracts, better availability of datasets and reporting is enabling organizations to hold third parties more accountable in these areas. As renewed consumer and peer interest drives ethical sourcing, executives are increasingly expecting a more robust process with meaningful metrics to demonstrate progress.
Moving into 2022, ethical sourcing will become increasingly embedded in the assessment and review workflow rather than being taken at face value. Third parties play a notable role in demonstrating actionable change in a company's ethics, and that evidence will be an increasingly marketable asset. To address this trend in 2022, take a look at how you assess your third parties: do your questionnaires and evidence requests cover these dimensions at all, and can your company's brand value weather a reputational hit if a supplier fails in its ethical obligations?
Prediction #4: Deeper analysis will be required to map supplier artifacts to organizational risk assessment needs.
As vendors continue to face the irksome requirement of articulating the same information in different ways for each customer, those that have the luxury of refusing bespoke questionnaires will increasingly do so. In response, third parties will offer pre-completed materials such as ISO 27001 certificates, SOC 2 reports and their supporting artifacts, which will put pressure on organizations to perform deeper analysis and map that evidence to their own internal control requirements.
While this may appear detrimental if the artifact doesn't align with your third-party risk management program, there is a hidden advantage: the third party has likely invested proportionately more effort in creating quality responses and artifacts, and a SOC 2 report in particular carries an independent auditor's test results and noted exceptions rather than self-attested answers. The challenge in 2022, therefore, will be to translate these more robust materials into your preferred structure to enable a true analysis of controls. Look for solutions that enable automated mapping of one set of risk controls onto multiple requirements, and that flag where an artifact only partially satisfies a requirement (for example, a control with a noted exception) so the residual gap can go into a targeted follow-up questionnaire instead of a full one.
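The following is an added illustration of the control-mapping step, not Prevalent's product or any vendor's tooling. It takes a vendor's pre-completed artifact (here a constructed SOC 2 report, expressed as the set of controls that tested clean plus the set with noted exceptions) and an internal crosswalk, and reports which internal requirements are covered, partially covered, or a gap that still needs a targeted questionnaire. The requirement IDs, the crosswalk and the evidence are constructed for the example; the framework control numbers follow ISO/IEC 27001:2013 Annex A and the SOC 2 Trust Services Criteria, but the mapping between them is illustrative, not an authoritative crosswalk.

```python
from dataclasses import dataclass


@dataclass
class Requirement:
    """One internal control requirement and the external evidence that can satisfy it.

    satisfied_by holds alternatives: evidencing every control in any ONE of the
    sets is enough. An empty tuple means no framework artifact maps to it at all.
    """
    req_id: str
    text: str
    satisfied_by: tuple


@dataclass
class Evidence:
    """What a vendor artifact actually demonstrates."""
    effective: frozenset   # controls shown as designed and operating effectively
    exceptions: frozenset  # controls tested, but with exceptions noted by the auditor


# Constructed internal requirements and crosswalk (illustrative, not authoritative).
REQUIREMENTS = (
    Requirement("INT-AC-01", "Privileged access is restricted and reviewed",
                (frozenset({"ISO27001:A.9.2.3"}),
                 frozenset({"SOC2:CC6.1", "SOC2:CC6.3"}))),
    Requirement("INT-LOG-01", "Security events are logged and monitored",
                (frozenset({"ISO27001:A.12.4.1"}),
                 frozenset({"SOC2:CC7.2"}))),
    Requirement("INT-BCP-01", "Continuity plan is tested annually",
                (frozenset({"ISO27001:A.17.1.3"}),
                 frozenset({"SOC2:A1.3"}))),
    # Nothing in an IT-security framework speaks to this one; it must stay a gap.
    Requirement("INT-ESG-01", "Ethical sourcing attestation on file", ()),
)

# Constructed evidence: a SOC 2 report in which CC6.3 carried a noted exception.
VENDOR_EVIDENCE = Evidence(
    effective=frozenset({"SOC2:CC6.1", "SOC2:CC7.2", "SOC2:A1.3"}),
    exceptions=frozenset({"SOC2:CC6.3"}),
)


def assess(requirements, evidence):
    """Return {req_id: 'covered' | 'partial' | 'gap'}.

    'covered'  - some alternative is fully evidenced with no exceptions
    'partial'  - some alternative is fully tested, but at least one of its
                 controls carries an exception (and no clean alternative exists)
    'gap'      - no alternative is evidenced by this artifact
    """
    tested = evidence.effective | evidence.exceptions
    status = {}
    for req in requirements:
        verdict = "gap"
        for alt in req.satisfied_by:
            if alt <= evidence.effective:
                verdict = "covered"
                break                      # a clean alternative wins outright
            if alt <= tested:
                verdict = "partial"        # keep looking for a clean alternative
        status[req.req_id] = verdict
    return status


def follow_up(requirements, status):
    """Requirements the artifact does not settle: the targeted questionnaire list."""
    return [r.req_id for r in requirements if status[r.req_id] != "covered"]


def coverage_ratio(status):
    """Share of requirements fully covered by the artifact alone."""
    return sum(v == "covered" for v in status.values()) / len(status)


if __name__ == "__main__":
    result = assess(REQUIREMENTS, VENDOR_EVIDENCE)
    for req in REQUIREMENTS:
        print(f"{req.req_id:<11} {result[req.req_id]:<8} {req.text}")
    print("follow up on:", follow_up(REQUIREMENTS, result))
    print(f"coverage: {coverage_ratio(result):.0%}")
```

The point of the `partial` verdict is that an auditor's noted exception is neither a pass nor a blank: it tells you exactly which control to ask about, so the follow-up questionnaire shrinks to two questions instead of a full reassessment. Swapping in an ISO 27001 certificate whose Statement of Applicability covers A.9.2.3 would turn INT-AC-01 into `covered` without changing the crosswalk.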
Prediction #5: Some organizations will expand their TPRM programs to include 4th- and Nth-party risks.
As third-party risk management programs continue to wrestle for control over their third-party estates, some organizations are beginning to go beyond third parties by considering the risks posed by their third parties' own suppliers (fourth parties), and by those suppliers' suppliers in turn. This evolution will necessitate a shift from a compliance-driven view to a more risk-driven lens.
In 2022, improvements in technology and greater reliance on, and awareness of, the broader supply chain mean it will become the norm to assess upstream 4th parties or, at the very least, to consider their potential impact if a disruption should occur. Organizations should be prepared to build a relationship map that shows the interconnections and data flows in their supplier ecosystems, so that two questions can be answered: how far does our data actually travel, and which upstream provider do many of our direct suppliers all depend on?
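As an added example (not from the original article or any vendor's product), the following builds such a relationship map from a constructed set of supplier relationships and answers both questions. Each edge carries the data classes one party hands to the next, and a hop only forwards the intersection of what arrived with what that contract allows, so a fourth party that receives only telemetry never counts as exposed to PII. The organization, vendor names and data classes are constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample relationship map: (upstream, downstream, data classes handed over).
# "us" runs the TPRM program; its direct suppliers are third parties, theirs are
# fourth parties, and so on. The last edge is telemetry flowing back, a cycle.
EDGES = [
    ("us", "PayrollCo", {"PII", "bank"}),
    ("us", "CRMVendor", {"PII", "contracts"}),
    ("us", "LogisticsInc", {"shipping"}),
    ("PayrollCo", "CloudHostA", {"PII", "bank"}),
    ("CRMVendor", "CloudHostA", {"PII"}),
    ("CRMVendor", "EmailAPI", {"PII"}),
    ("EmailAPI", "CloudHostA", {"PII"}),
    ("LogisticsInc", "CloudHostA", {"shipping"}),
    ("CloudHostA", "CRMVendor", {"metrics"}),
]


def build_graph(edges):
    """Adjacency list: node -> [(downstream node, data classes allowed on that hop)]."""
    graph = defaultdict(list)
    for src, dst, data in edges:
        graph[src].append((dst, frozenset(data)))
    return graph


def propagate(graph, start, data):
    """{node: data classes that can reach it} for everything downstream of `start`
    when `data` enters at `start`. Runs to a fixpoint; the sets only grow, so
    cycles terminate, and a hop whose intersection is empty is not followed."""
    reached = {start: frozenset(data)}
    work = deque([start])
    while work:
        node = work.popleft()
        for nxt, allowed in graph.get(node, ()):
            flow = reached[node] & allowed
            if not flow:
                continue
            before = reached.get(nxt, frozenset())
            after = before | flow
            if after != before:
                reached[nxt] = after
                work.append(nxt)
    return reached


def tiers(graph, root):
    """Shortest hop count from root: 1 = third party, 2 = fourth party, ..."""
    dist = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for nxt, _ in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def exposure(graph, root="us"):
    """{party: (tier, set of our data classes that can reach it)}."""
    entering = frozenset().union(*(d for _, d in graph.get(root, ())))
    reach = propagate(graph, root, entering)
    depth = tiers(graph, root)
    return {n: (depth[n], set(d)) for n, d in reach.items() if n != root}


def concentration(graph, root="us"):
    """For each Nth party (tier >= 2), the set of our direct suppliers through
    which our data reaches it. Many suppliers funnelling into one upstream
    provider is a single point of failure for the whole estate."""
    depth = tiers(graph, root)
    via = defaultdict(set)
    for third, handed in graph.get(root, ()):
        for party in propagate(graph, third, handed):
            if depth.get(party, 0) >= 2:
                via[party].add(third)
    return dict(via)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for party, (tier, data) in sorted(exposure(g).items(), key=lambda kv: kv[1][0]):
        print(f"tier {tier}: {party:<13} receives {sorted(data)}")
    for party, suppliers in concentration(g).items():
        print(f"{party} is reached via {len(suppliers)} direct suppliers: {sorted(suppliers)}")
```

Running it shows CloudHostA as a fourth party that receives PII, bank and shipping data through all three direct suppliers, which is the concentration risk the text warns about, while the telemetry edge back to CRMVendor adds nothing to that vendor's exposure because no customer data travels on it.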
Predicting the future of third-party risk management is a lot like predicting the weather: just look outside your window, but be prepared for anything. Investigating these top five trends will put your TPRM program on a solid footing for 2022 and beyond.
ABOUT THE AUTHOR
Brad Hibbert brings over 25 years of executive experience in the software industry aligning business and technical teams for success. He comes to Prevalent from BeyondTrust, where he provided leadership as COO and CSO for solutions strategy, product management, development, services and support. He joined BeyondTrust via the company's acquisition of eEye Digital Security, where he helped launch several market firsts, including vulnerability management solutions for cloud, mobile and virtualization technologies.
Prior to eEye, Brad served as Vice President of Strategy and Products at NetPro before its acquisition in 2008 by Quest Software. Over the years Brad has attained many industry certifications to support his management, consulting, and development activities. Brad has his Bachelor of Commerce, Specialization in Management Information Systems, and MBA from the University of Ottawa.