Data Risk in the Third-Party Ecosystem - Ponemon Survey Results
Elizabeth E. McGinn, Margo H. K. Tank, James T. Shreve, Douglas F. Gansler
Data breaches are on the rise and the percentage of those data breaches caused by third-party relationships is also expected to rise. In our recent survey, “Data Risk in the Third-Party Ecosystem,” conducted by the Ponemon Institute, 49% of respondents indicated their company had experienced a data breach caused by a vendor, and 73% expected the number of third-party-related cyber incidents to increase. In fact, many of the largest and most publicized breaches that have occurred since 2015 can be traced to third-party relationships.
As companies continue to embrace dynamic outsourcing and infrastructures, the inherent risks to data become much more difficult to manage. It is no longer possible to think of an enterprise as a single organization supported by a well-established and controlled “chain” but rather as the entry point to an ecosystem of suppliers, vendors and service providers, each with their own subset of providers. These third-, fourth-, and nth-party relationships, and the risks associated with them, must be considered and managed when dealing with third-party risk. (Third-party vendors are direct service providers hired by a company. Fourth- through nth-party vendors are indirect service providers or subcontractors hired by a third-party vendor.)
Regulators are keenly aware of the risk posed by third parties to data assets and continue to publish guidance and update requirements with respect to managing it. Regulatory guidance generally requires companies to do the following with respect to third parties:
• Perform risk due diligence/assessment prior to establishing a relationship with a vendor
• Incorporate security standards and expectations into vendor contracts
• Limit data sharing and access to only those necessary for business purposes
• Perform initial and ongoing assessment of third-party vendors
• Require third parties to report any event or change that impacts the security of company assets
For those companies that do not adequately identify and manage third-party data risk, the impact of outsourcing fourth- and nth-party relationships will become all too apparent in their post-breach investigations.