Unmanaged third-party risks are costing businesses
A report my MetricStream however, shows that one in five respondents to a survey (21%) reported that their organization has faced significant risks due to third-parties during the last 18 months. Of those that shared financial impact data on the losses, a quarter said that the loss was greater than £8 million (generated through cost of downtime, regulatory fines and reputational damage).
How organizations are managing third-party risk also revealed that nearly three quarters (73%) of businesses do not track fourth-parties, meaning they have no visibility past their immediate suppliers. This finding emphasises some of the concerns raised in the Business Continuity Institute's latest Supply Chain Resilience Report which revealed that only two-thirds of organizations maintain adequate visibility over their full supply chain.
French Caldwell, chief evangelist at MetricStream, commented: “As companies continue to outsource their processes and services in order to decrease costs, streamline or scale up quickly, they are opening themselves up to risks. However, despite some supplier incidents costing upwards of £8 million, 44% of the respondents said that their business had no dedicated third-party risk management function. Furthermore, as enterprises rapidly adopt cloud services, entities that would have been third-parties when the services were managed in-house become fourth parties which are more difficult to monitor.
“Businesses can no longer plead ignorance. They are responsible for the actions of their third-parties and they will bear the brunt of any fallout. For example, if a business shares sensitive data with a third-party without checking if it has relevant cyber security, and that supplier suffers a data breach, under some rules the company could be liable. Not only will it suffer reputational damage, but new regulations such as the EU GDPR could see large fines imposed too."