Ponemon Institute
5 minute read | April 4, 2016
Data breaches are on the rise and the percentage of those data breaches caused by third-party relationships is also expected to rise. In our recent survey, “Data Risk in the Third-Party Ecosystem,” conducted by the Ponemon Institute, 49% of respondents indicated their company had experienced a data breach caused by a vendor, and 73% expected the number of third-party-related cyber incidents to increase. In fact, many of the largest and most publicized breaches that have occurred since 2015 can be traced to third-party relationships.
As companies continue to embrace dynamic outsourcing and dynamic infrastructures, the inherent risks to data become much more difficult to manage. It is no longer possible to think of an enterprise as a single organization supported by a well-established and controlled “chain”; it is instead the entry point to an ecosystem of suppliers, vendors and service providers, each with their own sub-set of providers. These third-, fourth-, and nth-party relationships, and the risks associated with them, must be considered and managed when dealing with third-party risk. (Third-party vendors are direct service providers hired by a company. Fourth- through nth-party vendors are indirect service providers or subcontractors hired by a third-party vendor.)
Regulatory Concerns
Regulators are keenly aware of the risk posed by third parties to data assets and continue to publish guidance and update requirements with respect to managing it. Regulatory guidance generally requires that companies do the following with respect to third parties:
For those companies that do not adequately identify and manage third-party data risk, the impact of outsourced fourth- and nth-party relationships will become all too apparent in their post-breach investigations.