How to uncover the risks of third-party relationships in your supply chains

Example pattern for mobile
Example pattern for desktop

Summary

 

  • Third-party blind spots can cause threats, including data breaches, ransomware, cloud compromises and privacy violations.
  • Today’s technologies can quickly and accurately give an enterprise a clearer, more expansive view of its third parties.
  • PwC developed Third Party Tracker to help determine which vendors pose the highest risk to an enterprise. 

 

You can’t manage what you don’t see, and businesses have a large blind spot regarding their third-party partnerships.

Only 40% of business executives in our 2022 Global Digital Trust Insights survey say they thoroughly understand the risk of data breaches through third parties. Nearly a quarter have little or no understanding of all these risks — a major blind spot of which cyber attackers are aware and willing to exploit. And yet, enterprise dependence on third parties is increasing, and the number of breaches these partnerships cause is on the rise. One reason why: third-party risk-management (TPRM) processes are woefully out of date.

Many times, organizations vet their third parties, including contractors and vendors primarily using surveys, which depend on accuracy and honesty in their responses. But how likely is any organization to self-report bad news such as a finding of non-compliance or data breach?

Businesses depend on surveys and other traditional vetting processes — despite the problems they can create — for various reasons. Perhaps they don’t know how or where to find data that would provide a more accurate picture of third-party risk. Or they may not have the resources to collect information on hundreds, thousands — or hundreds of thousands — of business partners.

Whatever the reason, risks to their organization continue to snowball as these enterprises take on more vendors, suppliers, resellers, and contractors.

60% of organizations have not done a formal assessment of third-party risks

60% of organizations have not done a formal assessment of third-party risks

Data breaches
%
Privacy violations
%
Cloud risks
%
loT/technology vendors
%
Software supply chain risks
%
Nth party risks
%
Source: PwC, 2022 Global Digital Trust Insights, October 2021

The price of TPRM blind spots can extend beyond minor glitches or supply-chain delays to costly, potentially business-crippling threats. These threats include data breaches, ransomware, cloud environment compromises, and privacy violations that could send an enterprise spiraling into non-compliance.

At least one-third of our US survey respondents said that, in the past year alone, they’d experienced significant disruptions due to third parties: software supply chain disruptions (47%), cloud breaches (45%), third-party platform exposures and outages and downtime (41%), or data exfiltration (39%).

All eyes on the data-driven TPRM prize

Regulators are paying close attention to third-party risks, and how companies deal with them. Recent guidance from the US Department of Justice emphasizes the importance of using data to help improve compliance programs. And memos from the Biden administration underscore the federal government’s focus on fighting corruption and improving cybersecurity.

Your third parties’ business practices reflect on your company, too. Investors looking at Environmental, Social, and Governance (ESG) factors will likely want to know that your third parties are operating lawfully and ethically. And to track and report ESG activities, your company must monitor its third-party risks.

Aware of these concerns, PwC and Microsoft sought a solution to the third party problem using new and emerging technologies: artificial intelligence, automation, and data analytics.

Like the lion’s share of enterprises, Microsoft was primarily using surveys to get information on its vendors — more than 250,000 of them. Keeping tabs on the risks they posed, from onboarding all the way through the end of each contract, proved expensive and time-consuming, not to mention rife with blind spots.

These concerns aren’t limited to any one enterprise or industry: they affect most, if not all. But the support of today’s technologies can quickly and accurately give an enterprise a clearer and more expansive view of its third parties — saving time and money, and improving compliance.

Finding the riskiest needles in the third-party stack

Seeking a better way to vet and monitor third-party relationships, PwC developed Third Party Tracker. This solution mines surveys and internal and external information to help determine which vendors pose the highest risk to your enterprise.

The software uses a risk-scoring methodology with parameters that can be customized for your business. Third Party Tracker analyzes data that helps answer specific questions, including: Has it had issues in the past such as data breaches, adverse media reports, or findings of non-compliance? How does it fare with ESG concerns such as sustainability and human rights? In a sense, TPT can help you begin to understand the trustworthiness of your third parties on matters that are important to your business.

Third Party Tracker also considers individual factors such as the amount of business your enterprise is doing or plans to do with the third party and the level of access it has to your networks and data.

Microsoft used Third Party Tracker to identify the riskiest entities among its channel resellers. By focusing its due-diligence efforts on these high-risk entities — rather than applying them to all 250,000+ — the company saved millions of dollars. Eliminating false-positive alerts saved the company additional time and money.

Strengthening the chain

With a list of high-risk third parties in hand, your company can then determine how to best address each. Are any too risky? You may curtail or even end your dealings with them. Or you may opt for on-site audits, or instill controls to mitigate risks. And you may wish to change how you onboard and assess your third parties.

More than half of companies have taken none of the three actions that promise a more lasting impact on their third-party risk management

More than half of companies have taken none of the three actions that promise a more lasting impact on their third-party risk management

Audited or verified the security posture and compliance of third parties or suppliers
%
Refined our criteria for onboarding and ongoing assessments of third parties
%
Provided knowledge-sharing or assistance to third parties shore up their cybersecurity postures
%
Addresses challenges, cost-related or time related, that affect your ability to be cyber resilient
%
Rewritten contracts with certain third parties to mitigate our risks
%
Performed more rigorous due diligence
%
Exited relationships with certain third parties
%
None of the above
%
Source: PwC, 2022 Global Digital Trust Insights, October 2021

Should your third parties’ risk levels rise or fall, you won’t need to wait until the next survey to find out. Third Party Tracker flags when risk scores change so you can get ahead of problems before they happen. Before: And the data it provides helps you talk to your board about the risks so it can exercise better oversight.

Given today's technologies, there’s no reason to remain in the dark about risks. Companies that report being more cyber-secure in the last two years are 11x more likely to understand their third-party risks. Having this knowledge can also create stronger bonds of trust between your business and its third parties and give you the confidence to forge ahead — together — in today’s highly competitive market.

Insights from PwC’s Cyber & Privacy Innovation Institute

Be cyber-ready for tomorrow

See how PwC and Microsoft can help strengthen threat-detection capabilities.

Learn more

Scott Gelber

Principal, Cybersecurity, Privacy & Forensics, PwC US

Email

Chris O'Connor

Managing Director, Cyber Managed Services, PwC US

Email

Douglas Li

Director, Cybersecurity, Privacy & Forensics, PwC US

Email

Next and previous component will go here

Follow us