Findings suggest increased regulatory scrutiny is contributing to program growth and maturity
London, U.K. Companies may have reached a positive turning point when it comes to managing their vendor risks, according to the annual Vendor Risk Management Benchmark Study, released today by the Shared Assessments Program, a collaborative consortium, and Protiviti, a global consulting firm. The study found that organisations across all industries, and in particular financial services, are increasing their focus on managing vendor and third-party risks. The maturity levels associated with different vendor risk management program areas have improved noticeably, yet awareness levels and compliance measures aren’t where they need to be.
In its third year, the Vendor Risk Management Benchmark Study examined information from nearly 400 C-suite executives, risk management and audit professionals, who rated their public and private organisations using the Shared Assessments Program’s Vendor Risk Management Maturity Model (VRMMM) – a holistic benchmarking tool for evaluating the quality and maturity of third-party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls. The surveyed organisations represent a mix of industries with the largest contingent in financial services.
Key survey findings for 2016 include:
- A clear correlation between boards with high engagement in and understanding of cybersecurity risks and organisations with higher levels of reported process maturity, with a 1.6-point gap (on a 5.0-point scale) between organisations with high and low board engagement.
- While many boards (39%) have a high level of engagement in and understanding of cyber risks within their own organisation, significantly fewer (26%) understand and are engaged in reducing cyber risks in vendors that directly support their organisations. Even at the board of directors’ level, third-party risk management awareness levels are still lagging.
- Despite higher maturity levels in all eight vendor risk components, the Benchmark Study shows there is still a long way to go until organisations routinely have fully operational third-party risk programs with all recommended compliance measures in place.
- A narrowing of the maturity gap between financial services and all other verticals, most likely a function of increased regulatory pressure in sectors that include insurance and health care.
“This study documents in detail what many have believed to be true – that for organisations in which boards have high engagement in and knowledge of critical cybersecurity risk issues, vendor risk management maturity levels are noticeably higher,” said Cathy Allen, CEO, The Santa Fe Group.
The positive momentum portrayed in the 2016 survey is a significant change from the findings of prior years. In 2015, respondents rated their overall maturity across the eight vendor risk management categories to be virtually identical to those reported in 2014. In financial services, the improvement seen in 2016 could be motivated, in part, by significantly increasing regulatory scrutiny, especially in areas related to cybersecurity.
In particular, one key event that may have influenced and increased focus is the June 2015 publishing of the Cyber Security Assessment Tool (CAT) by the Federal Financial Institutions Examination Council (FFIEC). Regulators are also more actively referring to FFIEC’s Information Technology Examination Handbook to closely examine the cybersecurity and third-party risk management proficiencies of financial institutions.
“We speak with many client board members who are highly engaged in their organisations’ cybersecurity risks, which is helping create a strong tone at the top to drive improvements in cybersecurity and privacy capabilities,” said Cal Slemp, managing director, security program and strategy services, Protiviti. “The key now is to build strong board engagement specifically in vendor risk management because it poses just as significant a risk to companies as their own cybersecurity practices.”
Cyber Security Incident Response Findings
This year’s updates to the report include a new section on organisations’ cybersecurity and incident response capabilities. The addition reflects the increasing regulatory focus on boards’ risk management responsibilities. Key findings from this section include:
- Sixty-five percent of all organisations have an incident response plan for events at vendors or third parties.
- Financial services organisations are more likely to have an incident response plan in place – 75 percent currently have established plans.
- Sixty-one percent of organisations test their plans for vendor or third-party events.
“This year’s survey shows improvement in incident reporting and focus on policy and standards related to communications. That said, on balance, the ‘Communications and Information Sharing’ category of the survey lags others at a time when internal two-way communications (top down and bottom up) and external information sharing are more important than ever,” said Shared Assessments member Linnea Solem, Chief Privacy Officer, vice president, risk and compliance, Deluxe Corporation.
Resources Available to Learn More
A complimentary copy of the 2016 Vendor Risk Management Benchmark Study and an infographic of survey highlights are available at www.protiviti.com/vendor-risk.
The VRMMM is a holistic tool for evaluating the maturity of third-party risk programs including cybersecurity, IT, privacy, data security and business resiliency controls. The focus of the VRMMM is to provide third-party risk managers with a tool they can use to evaluate their program against a comprehensive set of best practices. To learn more and obtain a free copy, visit https://sharedassessments.org/products/2017-vendor-risk-management-maturity-model-vrmmm/.