June 10, 2024
Third Party Risk Management Remains a Hodgepodge
Over at Radical Compliance, Matt Kelly discussed a new survey of vendor risk management processes at 156 companies from third-party risk management software provider Prevalent. While companies are improving their processes in some areas — for example, “cybersecurity and data privacy teams are now more involved in third-party risk management (TPRM) than they were a year ago” — generally, Prevalent found that third-party risk management programs were still struggling with limited resources and a hodgepodge of tools and practices:
– Resource Constraints: Many organizations struggle with inadequate resources, with only one-third of vendor relationships being managed in a TPRM program.
– Dependence on Outdated Tools: Half of the surveyed companies still rely on spreadsheets and multiple disparate tools to assess and manage their third-party relationships.
– Limited Remediation: Despite tracking risks across the vendor lifecycle, few companies actually do anything about what they find.
Matt highlighted some other statistics showing a piecemeal approach, leaving “the average company with too many TPs not RM’ed.”
– Only 51% say they are able to assess risk at every stage of the vendor lifecycle (think a vendor not disposing of equipment or data as promised when a contract is terminated, or your own failure to disable their user access)
– Only 49% say their TPRM program has the automation and reporting necessary to demonstrate compliance
While companies are making some strides in cybersecurity, it sounds like third-party risk management practices could use improvement across the board. As a reminder, the new cybersecurity disclosure rules include “whether the registrant has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider” in the non-exclusive list of matters to address when describing the company’s processes for assessing, identifying, and managing material risks from cybersecurity threats. So how are companies addressing this disclosure?
As Dave and John have observed, this year’s Form 10-K cybersecurity disclosures varied but tended to be shorter than expected, and most companies’ disclosure of their overall cybersecurity risk management approach wasn’t particularly detailed. The January-February 2024 issue of The Corporate Executive includes a deep dive into 10-K cybersecurity disclosures and makes this related observation:
Some companies simply stated that their cybersecurity risk management processes included assessing, identifying and managing material risks arising from threats associated with third-party vendors. Others provided a highly detailed discussion of their efforts to address third-party cyber risks. […]
More commonly, companies provided a general description of their efforts to identify and manage cybersecurity risks during the vendor approval and contracting process, and indicated that these efforts involved a combination of risk assessments and contractual commitments from their vendors.
– Meredith Ervine