Third-Party Risk: A Turbulent Outlook

Discussion Topics


While data breaches are commonplace, occasionally there’s an attack so audacious that its impact reverberates long after the initial jolt. Such was the case with the SolarWinds supply chain breach, in which a nation-state surreptitiously inserted eavesdropping malware into an Oklahoma software maker’s IT performance management solution used by governments and major enterprises.  

While IT security teams scrambled to determine and limit their own exposure, the SolarWinds breach had a detrimental downstream impact since the attackers also accessed users’ customer data. Thus, organizations — from small businesses to huge government agencies — were reminded of how vulnerable they are to cyberattacks through service providers and software with privileged access. It’s no longer enough to secure internal assets; everyone must be doubly sure any sanctioned entity with network permissions does not become an unwitting conduit for malicious activity.  

Managing such threats remains a daunting task, according to new research from CyberRisk Alliance. 

As one study participant put it: “Risk is the main cause of uncertainty in any organization. Thus, companies increasingly focus more on identifying risks and managing them before they even affect the business. The ability to manage risk will help companies act more confidently on future business decisions.”  

Getting to that level of assurance, however, is a challenge. Companies remain unclear on the best path forward now that they are keenly aware of the catastrophic impact from another’s carelessness or compromised code.  

The survey was conducted in late fall 2021 among 301 IT and cybersecurity decision-makers and influencers who use third parties. Survey objectives were to gauge how well organizations understand and manage risks associated with third-party partnerships. Study participants were asked about their own vendor relations, concerns, and challenges in managing certain risks, and the impact of IT security incidents related to their third-party partners. They also provided responses to structured survey questions and were encouraged to provide corresponding comments where applicable. 

Among the study’s key findings: 

  • Sixty percent of respondents experienced an IT security incident in the past two years due to a third-party partner with access privileges and were most likely to have sensitive data stolen or suffered some type of business outage.  
  • While 52% of those who experienced third-party related attacks indicated they less lost less than $100,000 in damages, another 45% incurred higher costs, with a few paying $1 million or more. 
  • Supply chain visibility is more essential than prior to the pandemic. Almost everyone wanted this ability, with 72% believing that tracking components, sub-assemblies, and final products was very or critically important. But respondents lamented that such visibility is severely limited. 
  • More than three out of four (76%) IT leaders and influencers rated managing third-party risk as a high or critical priority at their organizations—for most respondents (74%) this priority has increased in importance since 2020, when the pandemic created major micro and macro business disruptions, including supply and workforce shortages. 
Third-Party Risk: A Turbulent Outlook