US Companies are Holding Vendors Accountable for Cyber Issues
NAVEX Global has released data that shows that US companies are now moving quickly to go after vendors on cyber issues.
The report covers a number of topics and shows that, for the first time, companies are more concerned about cybersecurity problems with their vendors and partners than anything else. However, while concerns about third-party risk remain high – particularly regarding cybersecurity – more than half of organizations (58%) ranked their programs as maturing or advanced.
“We continue to see a move toward centralized and automated systems, which allow organizations to treat third parties the same way they treat their own employees with access to hotlines, training and policies,” said Randy Stephens, J.D., Vice President, NAVEX Global. “This is a smart approach, especially given the top concerns we see each year – even if some of those stated concerns fluctuate based on compliance failures in the headlines and shifting regulatory pressures.”
Forty-nine percent of respondents said cybersecurity and data protection was their top concern this year. This is the first time cybersecurity was the top concern in this annual report, with a 10 percentage point increase from the 2016 survey. Bribery and corruption was the second most-common concern at 42 percent, ahead of conflicts of interest (the top choice in the 2016 survey) at 34 percent.
“There appears to be a fluidity in what respondents believe is the highest risk – even if the top three choices remain fairly consistent,” said Stephens. “Cybersecurity is always a major concern. But bribery and corruption has also been in the news of late. This issue is particularly significant for large organizations, given the regulatory guidance in the Foreign Corrupt Practices Act – which organizations are increasingly using to inform their programs.”
While survey respondents identified cybersecurity as the top concern overall, bribery and corruption was still the #1 issue among organizations with more than 5,000 employees and annual revenues of $1 billion or more. Bribery and corruption was also a greater concern among organizations where 20 percent or more of their annual revenue is related to or generated by their third parties.
Bribery and corruption was more of a concern in Europe, the Middle East and Africa (65%) and Asia-Pacific (64%) than it was in North America (32%). Conversely, North American organizations were far more concerned with cybersecurity (56%) than their counterparts in Europe, the Middle East and Africa (39%) or Asia-Pacific (28%).
Other key findings include:
- Organizations consider more third parties to be “high risk.” This year, only 3 percent of respondents report having no “high risk” third parties, compared to 25 percent in 2016
- More organizations plan to increase expenditures for third-party programs than in 2016 (41% versus 33%) – a positive sign given the increased concerns
- Maturing and advanced programs are more fully embracing the guidance of the Foreign Corrupt Practices Act, the UK Bribery Act and other laws and regulations. This allows programs to benefit from a risk-based, educated approach to managing their risks
- Organizations that rank their programs as highly effective in all 12 effectiveness categories in the survey also indicate that they utilize third-party automation or software
- Programs employing third-party systems and automation are more likely to utilize effectiveness measures. But for many organizations, there is room for improvement when it comes to assessing program effectiveness.