CyberGRX Study Finds Current Third-Party Cyber Risk Management Practices and Technologies Fall Short Despite Significant Investment

Research by Ponemon Institute Highlights Massive Burden on Human and Financial Resources

CyberGRX, provider of the world’s first and largest global third-party cyber risk exchange, today announced the results of their inaugural Cost of Third-Party Cybersecurity Risk Management study executed by Ponemon Institute. Surveying over 600 IT security professionals, the study illustrates a persistent theme that organizations and third parties see their third-party cyber risk management (TPCRM) practices as important but ineffective. The survey respondents come from a variety of industries and are all directly involved in managing their organizations’ TPCRM programs.

The report identifies four major takeaways for key decision makers:

• Current practices and technologies used to support TPCRM and assess third parties are costly, inadequate and inefficient.
• Investing in better assessment and vetting tools can increase effectiveness in TPCRM while decreasing the cost of maintaining the program.
• Applying the same approach to all third parties can be quite costly. Taking the time to prioritize third parties and apply an appropriate level of due diligence to them will reduce costs and increase efficiencies in the long run.
• Control over budgets for TPCRM is dispersed throughout the organization which can make the allocation of resources inefficient because of competing interests.

These findings reinforce CyberGRX’s position that current TPCRM practices are not only draining resources but providing limited value in return. Over 53% of respondents experienced a third-party data breach in the past 2 years, costing them on average $7.5 million, yet surprisingly, the market has yet to adopt new approaches to manage third party cyber risk. For instance, over 80% of respondents agreed that vetting and assessing third parties is critical, however 60% remain disheartened that their current vetting processes aren’t working. Even when an assessment uncovers a third-party security gap, organizations do not proactively mitigate these risks. Only 24% confirm that their organizations collaborate with third parties to improve their security measures. And even still, organizations will request—not require—that third parties mitigate identified security gaps.

One of the most striking takeaways is the disparity in time spent by third parties on assessments and lack of perceived value and action taken by the receiving organizations. By and large, organizations still primarily use manual procedures such as spreadsheets (40%) and/or risk scanning tools (51%) to assess their third parties. 54% of these organizations, however, feel the results of these assessments provide at best, only somewhat valuable information. Meanwhile, third parties are spending, on average, 15,000 hours a year completing manual spreadsheets in order to maintain relationships with their customers, even though their customers only take action on 8% of those assessments. The results of this study illustrate beyond a doubt, that organizations and their third parties are wasting critical human and financial resources on programs that aren’t optimized to help them reduce cyber risk in their shared ecosystems.

“The current state of third-party cyber risk management is failing,” said David Monahan, Senior Analyst, EMA. “It is far too manual and therefore does not scale. To add to that, most of the programs rely on qualitative information that is often poorly verified. This generates a huge amount of labor for results that, as the research shows, holds little confidence on both the part of the target of evaluation and the recipient. We must move to a far more scalable and quantitative method of evaluation to reduce third-party cyber exposure and bring confidence back to this process.”

Third-party data breaches continue to be an extensive problem. Until organizations adopt TPCRM methods that provide greater and actionable visibility into third-party risks, at scale, human and financial resources will continue to be exhausted and third-party incidents will continue to threaten our data and ecosystems.

CyberGRX, David Monahan and Dr. Larry Ponemon will present key findings from the research during a webinar on April 25, 1:00ET/10:00PT.

Register for the webinar.

Download the full report.

About Ponemon Institute

Founded in 2002 by Dr. Larry Ponemon and Susan Jayson, Ponemon Institute conducts independent research on data protection and emerging information technologies. Our goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in regulations and the threat landscape that will affect the collection, management and safeguarding of information assets. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise. For more information, please visit: https://www.ponemon.org/.

About CyberGRX

CyberGRX provides enterprises and their third parties with the most cost-effective and scalable approach to third-party cyber risk management today. Built on the market’s first third-party cyber risk Exchange, CyberGRX arms organizations with a dynamic stream of third-party data and advanced analytics helping organizations efficiently manage risk in their partner ecosystems. Based in Denver, CO, CyberGRX was designed with partners including Aetna, Blackstone and MassMutual. For more information, visit www.cybergrx.com or follow @CyberGRX on Twitter.