By Alex Klinger, Pre-Sales Engineer at SureCloud
Ensuring that third parties do not introduce risk to your organization is becoming increasingly difficult. Every business outsources some aspects of its operations, and ensuring these external entities are a strength rather than a weakness isn't always a straightforward process.
In the coming years we'll see organizations dedicate more time and resources to developing detailed standards and assessments for potential third-party vendors. Not only will this help to mitigate risk within their supply chain network, it will also provide better security.
As demand for third-party risk management (TPRM) grows, here we discuss some of the key reasons why we believe 2023 could be pivotal for the future of your organization's TPRM program.
Focus on Environmental, Social and Governance (ESG) risks
In recent years we've seen an increased corporate focus on Environmental, Social and Governance (ESG) risks, not only within organizations themselves but also in any third parties or extended enterprises they are associated with.
As a result, ESG has become about more than avoiding risk. It's a strategic priority. Leadership teams understand the importance of working with third parties whose objectives align with their own business strategy. Consumers and regulators are increasingly aware of their environmental and social responsibilities, so much so that ESG has become a requirement for key stakeholders too, particularly investors who want to be associated with companies that prioritize their ESG posture.
For example, recent research from Gartner suggests that by 2024, 75% of vendor risk management programs will be tracking the environmental, social and governance demands of their IT vendors to guide their decision-making process. ESG is no longer a straightforward tick-box exercise; there is much greater scrutiny of third-party practices, as many businesses are incorporating ESG into their third-party risk management assessments.
Including ESG in your TPRM strategy is not only a way to protect your organization against regulatory action, fines and reputational damage; it should also be seen as a business opportunity. It can help increase your customer base, attract investment and enhance brand reputation. If it is not included, however, the repercussions can be serious.
For example, an analysis of the effect of ESG performance on firm market value conducted by Moody's Analytics demonstrated that ESG controversies led to significant, negative and abnormal equity returns in the short term, measured over an annual period. It found that moderate to severe ESG events generate abnormal stock market losses of -1.3% to -7.5% over twelve months, which represents a loss of approximately $400 million for a typical-sized firm in the study. This effect can already be seen in 2023: shares of Glencore, the mining company, fell after its main shareholders recently filed a resolution calling for more clarity over how its plans for thermal coal production aligned with the Paris Agreement objective of limiting global temperature increase to 1.5C.
The upside to an increased focus on ESG programs is that it's pressuring organizations to rethink their due diligence requirements.
The Impact of Nth Parties
Organizations are becoming increasingly dependent on third parties and sub-contractors. A study by Gartner found that 60% of companies work with over 1,000 third parties, and they expect this number to increase as business becomes more complex. As a result, many organizations are beginning to recognize that the risks of connecting with these outside entities are far greater than they first thought.
The reason for this is that any third party that a business chooses to work with will likely have hundreds, if not thousands, of its own sub-contractors, meaning businesses become more dependent on fourth, fifth and Nth parties, all of which introduce risk into their business ecosystem.
For example, a business could rely on a manufacturer that experiences a transport failure or a security vulnerability at a third-party cloud supplier, which presents a high level of risk to the business even though it is not directly connected to that supplier. The issue of Nth parties was evidenced during the SolarWinds hack in 2020, where the attackers were able to access not only the data and networks of SolarWinds' customers, but also the data and networks of those customers' clients and partners. The magnitude of the problem with Nth parties could be greater than that of third parties, as the third-party business environment continues to grow.
The level of risk Nth parties present to organizations' supply chain management is becoming more apparent.
Increased frequency and sophistication of cyber-attacks on third parties
Forrester predicted that 60% of security incidents in 2022 would stem from third parties. In 2021 there was a 300% increase in supply chain attacks, a trend that has continued over the past 12 months. For example, Japanese car manufacturer Toyota was forced to completely shut down its operations due to a security breach at a third-party plastics supplier.
It's not only the frequency of third-party attacks that has increased; the methods cyber criminals use are also becoming increasingly sophisticated. For example, the SolarWinds breach in 2020 was so advanced that Microsoft estimated it took over a thousand engineers to stop the impact of the attack.
As the sophistication and frequency of supply chain attacks increase, the impact they have on businesses' reputations and valuations is also becoming apparent. Organizations need to conduct thorough due diligence on the third parties they choose to work with; otherwise the consequences could be disastrous.
Cybersecurity should be a non-negotiable feature of all business transactions.
Increase in use of external assistance for TPRM
As the scope, complexity and importance of third-party management continue to increase, the need for companies to use external assistance with the TPRM process will only increase as well. However, many businesses don't have the capabilities required for TPRM, in terms of either resources or technology. Some rely on in-house support and technologies as a cost-effective answer to the problem, though this can be restrictive, as organizations need to be able to respond rapidly to an ever-changing and evolving regulatory environment.
The need for external help will be compounded further by the increasing remit TPRM teams need to cover, which includes a wider range of risks, such as ESG and Nth parties, as well as the need to achieve a deeper understanding of how risk is managed by each third party.
It's for these reasons that the use of external assistance, such as adopting technology-enabled solutions and managed services, will only increase in the future. The Deloitte Global Third-Party Risk Management Survey 2022 supports this: 82% of companies surveyed anticipate greater demand for a comprehensive, end-to-end TPRM service solution.
Managed services and technological solutions will be in greater demand than ever before. Organizations are increasingly looking for a tool that provides a comprehensive, end-to-end, insight-driven service that runs the day-to-day operational activities of a TPRM department.
The third-party risk management landscape is becoming more complex due to the rise in the number of external entities companies are working with. This means it's now more important than ever for organizations to have a mature third-party risk management program in place. Utilizing the expertise of an external TPRM managed services provider could be the first step to future-proofing your business, as well as preventing a large amount of potential financial and reputational damage.
A solution that provides cloud technology, automation, workflow systems and AI offers a more streamlined TPRM process.
ABOUT THE AUTHOR
Alex currently works as a pre-sales engineer at SureCloud, where he advises clients on SureCloud's Cyber and GRC product suite. Previously, Alex worked at Deloitte, where he helped clients develop their cyber GRC management processes.