Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • The Security Leadership Issue
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
ManagementPhysicalSectorsSecurity Leadership and ManagementSecurity & Business ResiliencePhysical SecurityGovernment: Federal, State and Local

Global News

Third-party risk management programs at a crossroads

By Maria Henriquez
road signs

XtockImages / iStock / Getty Images Plus via Getty Images

July 15, 2022

Amid record numbers of third-party data breaches, supply chain disruptions and the war in Ukraine, organizations are starting to adapt their third-party risk management (TPRM) programs to address new and emerging risks outside of the information technology (IT) realm, the Prevalent 2022 Third-Party Risk Management Study found. Between February and March 2022, Prevalent surveyed leaders directly involved in TPRM to understand how organizations are navigating today’s third-party challenges and staying ahead of future risks.

TPRM is at a crossroads and much more needs to be done, the study reveals. The study found seven key observations about the state of third-party risk management today:

  1. Organizations are paying more attention to non-IT security risks, but not enough. Information security, business continuity and data privacy and protection were rated as the top three risk types, which shows that organizations are acknowledging that third-party risk is higher than IT security risks. However, organizations continue to overlook less-quantifiable risks that could still lead to compliance violations, fines or negative reputational impacts, such as modern slavery, anti-money laundering, anti-bribery, and corruption risks.
  2. TPRM may be getting more strategic. Study results show that organizations are generally aligned around the strategic risk reduction goals of their TPRM programs — and that operational concerns such as cost, compliance and efficiency are secondary. Notably, executives have a fairly even view of TPRM goals across all areas, although they are primarily driven by risk reduction. Speaking of executives, more than 75% of respondents indicated that their TPRM program has more visibility among executives and the board compared to last year.
  3. Manual methods for assessing third parties persist, but dissatisfaction runs high. Forty-five percent of respondents indicate that they are still using spreadsheets to assess their third parties. The use of dedicated TPRM solutions grew by 14% from 2021 to 2022, and the use of governance, risk and compliance (GRC) tools and security rating services rose slightly from last year.
  4. Organizations are concerned with increasingly damaging third-party security incidents, but use disparate tools to detect, investigate and resolve exposures. The top concern among organizations in the survey is a third-party data breach or other security incident stemming from vendor security shortcomings. In fact, 45% report experiencing a data breach or other security incident connected to a third party in the last 12 months. Most organizations use data breach monitoring (51%), cybersecurity/dark web monitoring (45%), vendor assessments (manual/spreadsheet-based) (43%), and proactive self-reporting (43%). Organizations should be aware of the risk of using multiple, non-integrated tools to close the loop on their third-party incident response lifecycle.
  5. Organizations are waiting over two weeks for third-party incident resolution. 29% of respondents indicated that it would take them more than a week to determine which third parties were impacted by an incident, with 35% saying it would take up to two days to determine whether it would result in a disruption in service. 47% of respondents said it would be another week before they knew when the third party had completed its remediation or mitigation steps. It takes about two and a half weeks for organizations to remediate any third-party incident. That’s a lifetime for an organization to be vulnerable to a potential exploit.
  6. Third-party risk audits are getting more complex and time-consuming. Seventy-four percent of respondents said they had to report on third-party data privacy and protection controls, with information security controls coming second at 57%. Environmental, social and corporate governance (ESG) topics — a relatively new risk area — rank in the middle at 23%, and 18% of respondents indicated they had to report on human trafficking and slavery regulations.
  7. Third-party risk management discipline falters as vendor relationships progress. About 75% of respondents are tracking risks at the sourcing/pre-contract due diligence and onboarding stages of the third-party relationship. That leaves about a fourth of companies that don’t conduct risk assessments at this crucial stage, meaning they’re exposed to potential risks from the start of the relationship. Between 61% and 68% of respondents are tracking risks at the “business as usual” phases — assessing and monitoring ongoing management. Fewer than half of respondents are tracking contractual risks and risks at the offboarding and termination stage of the relationship.

While third-party risk management teams are making progress toward a more strategic approach to TPRM, there is still room for improvement. Security leaders seeking to grow and mature their TPRM programs as they relate to incident response, compliance and the vendor lifecycle can take three steps.

  1. Expand assessments beyond IT security to unify teams under a single solution and simplify audits. By unifying non-IT risk intelligence with the results of traditional cybersecurity and data privacy assessments, organizations can enrich visibility into supplier risks, elevate the strategic value of the TPRM program, and improve reporting.
  2. Automate incident response to reduce cost and time. Organizations should automate incident response by investing in mature tools and processes that reveal potential impacts by continuously tracking, scoring and managing cyber, business, reputational and financial risks in a single platform.
  3. Close the loop on the third-party lifecycle. Security, compliance and operational issues can crop up at any time during a vendor or supplier relationship, so it’s important to address risk at each stage of the third-party lifecycle.

For the full report, click here.

KEYWORDS: international security risk assessment security operations supply chain third party security

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Maria Henriquez is a former Associate Editor of Security. She covered topics including cybersecurity and physical security, risk management and more.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Security Leadership and Management
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Enterprise Services
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Logical Security
    By: Charles Denyer
Subscribe For Free!
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

  • Duty of Care
    Sponsored byAMAROK

    Integrating Technology and Physical Security to Advance Duty of Care

Popular Stories

Red laptop

Cybersecurity leaders discuss Oracle’s second recent hack

Pills spilled

More than 20,000 sensitive medical records exposed

Coding on screen

Research reveals mass scanning and exploitation campaigns

Laptop in darkness

Verizon 2025 Data Breach Investigations Report shows rise in cyberattacks

Computer with binary code hovering nearby

Cyberattacks Targeting US Increased by 136%

2025 Security Benchmark banner

Events

May 22, 2025

Proactive Crisis Communication

Crisis doesn't wait for the right time - it strikes when least expected. Is your team prepared to communicate clearly and effectively when it matters most?

November 17, 2025

SECURITY 500 Conference

This event is designed to provide security executives, government officials and leaders of industry with vital information on how to elevate their programs while allowing attendees to share their strategies and solutions with other security industry executives.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • 5 mins with Ehret

    5 minutes with Jonathan Ehret – The need for third-party risk management in cybersecurity

    See More
  • two people working together over desk

    Streamlining third-party risk management for enhanced resilience

    See More
  • risk-management-freepik1170x658v568.jpg

    How to make third-party risk management recession-proof in 2023

    See More

Related Products

See More Products
  • physical security.webp

    Physical Security Assessment Handbook An Insider’s Guide to Securing a Business

  • 9780367259044.jpg

    Understanding Homeland Security: Foundations of Security Policy

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing