A new study shows 48% of companies still depend on spreadsheets, while 41% report experiencing an impactful third-party breach in the last year.

The 2023 Third Party Risk Management Study: How Are Organizations Avoiding TPRM Turbulence, released this week by Prevalent, Inc., provides insights into current trends, challenges and initiatives impacting third-party risk management practitioners worldwide.

The study shows that 2022 was a turbulent year for third-party risk management (TPRM). Over the past year, organizations dealt with the fallout from the Russian invasion of Ukraine and resulting supply chain disruptions, third-party breaches and security incidents and emerging regulatory oversight in areas beyond IT security.

Other key findings from the report include:

• 41% of companies experienced an impactful third-party breach in the last 12 months, but rely on overlapping tools and manual processes which slows incident response. 71% of companies report that the top concern regarding the usage of third parties is a data breach or other security incident due to poor vendor security practices. Companies not monitoring for third-party breaches dropped from 12% to 4%.
• 70% of respondents report that Information Security (InfoSec) is more involved in third-party risk management than ever, and 71% indicate that InfoSec fully owns the TPRM program. 62% of respondents indicated that third-party data breaches and security incidents were top drivers behind increased involvement in third-party risk management.
• A growing number of organizations (48%) are using spreadsheets to assess third parties. This percentage is up from 2022 and 2021, where 45% and 42% of companies, respectively, said they were using spreadsheets. Only 4% of respondents indicated they are not currently assessing third parties at all, which continued a downward trend from 2021 (10%) and 2022 (8%).