A benchmark report reveals some stark differences in governance practices between companies who were able to avoid a third-party data breach in the past year (or ever) versus those who failed to prevent such a breach.
At a time when massive data breaches continue to make headlines, the findings from “Data Risk in the Third-Party Ecosystem” provide some powerful insight into how leading companies are detecting, mitigating, and minimizing data risk associated with third parties and their third parties (so-called Nth parties). The results were based on a survey of more than 1,000 IT and IT-security practitioners in the United States and the United Kingdom who are directly involved in their organizations’ approach to managing data risks.
The study was created by the Ponemon Institute, a research think tank dedicated to advancing privacy, data protection, and information security practices, and sponsored by Opus, a global provider of compliance and risk management solutions. Since 2016, when the study was first conducted, the share of companies that have ever suffered a third-party data breach increased from 49 percent to 61 percent in 2018. Moreover, the share reporting a third-party data breach within the preceding 12 months increased from 34 percent to 45 percent in 2018.
“While corporate executives understand the implications of a data breach or cyber-attack to their business, far fewer are aware of the source of these attacks and the vulnerabilities that their organizations need to address to properly secure their data,” Larry Ponemon, founder of the Ponemon Institute, said in a statement.
In just the latest example, hotel chain Marriott announced on Nov. 30 that its guest reservation database may have compromised the personal information of upwards of 500,000 customers. Marriott determined that the pilfered data was from the Starwood guest reservation database and that there had been unauthorized access to the Starwood network since 2014.
In another recent example, Dunkin Brands reported a security incident, in which a third party attempted to access customer profiles and personal data. “Although Dunkin did not experience a data-security breach involving its internal systems, we’ve been informed that third parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts,” the company stated.
“Considering the explosive growth of outsourced technology services and the rising volume of third parties, companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability,” Ponemon said.
Companies that are looking to reduce their exposure to a third-party data breach will want to parse the findings of the Ponemon and Opus study, which conducted a special analysis on “high-performing” organizations, defined in the report as those who were able to avoid a third-party data breach in the past 12 months (36 percent of responding organizations) or that have never experienced one at all (32 percent of responding organizations). The survey then compared these high-performing organizations to those who have experienced a third-party data breach in the past 12 months (42 percent) or ever (59 percent).
Overall, the report found that high-performing organizations have more robust governance practices in the way they manage outsourced relationships. Such practices include, for example, executive-level support, sufficient resources, the evaluation of third parties’ security and privacy practices, and the regular review of third-party management policies and programs.
Any company seeking to better detect, mitigate, and minimize data risk associated with third parties and Nth parties should adopt the following governance practices that, according to the report, high-performing organizations share:
Communicate regularly with senior management and the board. According to the report, 53 percent of respondents within high-performing organizations said they have board- and executive-level engagement, compared to just 25 percent of respondents among organizations that have experienced a third-party data breach. Because the sample size of respondents is so large, even just a five percent variance is “statistically significant,” Ponemon said in a Webinar discussing the results.
A key part of board- and executive-level engagement is regular communication with the board and senior management. High-performing organizations regularly report, for example, on what steps have been taken to protect sensitive and confidential information from a third-party data breach and the effectiveness of these programs based on how they are assessing, managing, and monitoring third-party security practices and policies, according to the report.
Findings from the report further indicate that board- and executive-level engagement tends to make it easier to secure sufficient resources for managing outsourced relationships. That matters: 60 percent of high-performing organizations said sufficient resources are allocated to managing outsourced relationships, versus just 15 percent of all other organizations.
“That finding seems to indicate that having necessary resources directly correlates to high performers’ success at preventing a third-party data breach,” says Lee Kirschbaum, senior vice president and head of product, marketing, and alliances at Opus. Moreover, simply having board engagement demands that data risk in the third-party ecosystem gets the attention it deserves, Kirschbaum says.
Evaluate security and privacy practices of all third parties. Although most companies rely upon contracts to ensure that their third parties have appropriate security practices and controls in place, “they don’t necessarily follow through in terms of assessing the security stance and practices of third parties,” Kirschbaum says. According to the findings, only 40 percent of respondents said their organizations evaluate the third parties with whom they share information.
In a contract, for example, some companies might require their third parties to disclose their most critical vendors; show evidence of a vendor management program; and/or include the right of the company to receive fourth-party audit reports. High-performing organizations, however, go one step further by following up on these contractual obligations.
According to the Opus and Ponemon Institute report, 50 percent of respondents from high-performing organizations said, in addition to having in place a contractual arrangement, they further conduct audits and assessments to evaluate the security and privacy practices of their third parties, compared to 31 percent of all other organizations who said they take such measures.
Take an inventory of all third parties and Nth parties with whom the organization has a relationship. “Ultimately, the only way you can assess risk is if you know who you’re doing business with,” Kirschbaum says. Forty-five percent of high-performing organizations said they create an inventory of third parties who have access to confidential information and how many of these third parties are sharing this data with one or more of their contractors. In comparison, just 22 percent of all other organizations said they take such an inventory. “A pretty stark difference,” Kirschbaum notes.
When asked why they do not have such an inventory, 69 percent of respondents without one cited a lack of centralized control over the management of third-party relationships, and 48 percent cited the complexity of third-party relationships as a further barrier to creating a comprehensive inventory of all third parties.
Require notification from third parties when they share data with an Nth party. Another stark difference to come from the report is that 38 percent of high-performing organizations, versus just 18 percent of all other organizations, include in their vendor contract a requirement that third parties provide information about possible third-party relationships with whom they will be sharing sensitive information.
“When vendors have access to sensitive information, you can put in place controls to manage it, monitor, and track it,” Kirschbaum says. Being able to track sensitive data handled by the company is not just best practice, it’s a regulatory mandate under data protection laws like the EU’s General Data Protection Regulation. Thus, requiring notification from third parties when they share data with an Nth party is one way to track sensitive data.
The overarching message to come from this report is that high-performing organizations not only have the internal support that they need, but also are able to keep their finger on the pulse of their outsourced relationships to a far greater degree than their peers with less mature programs. Such high-level governance practices are demonstrated through a strong showing of executive-level support and sufficient resources, the close and consistent evaluation of third parties’ security and privacy practices, and the regular review of third-party management policies and programs.
High-performing organizations will also have in place a third-party risk management committee; greater visibility into all parties with whom they do not have a direct relationship; and some formal level of accountability for the proper handling of the third-party risk management program to keep the program in check moving forward.
For some boards, the risk of a third-party data breach may not currently be top-of-mind, especially if it’s not part of an audit, but Kirschbaum foresees that changing. Even if it’s not a standalone risk, he says, “it may be part of a broader set of risk and compliance discussions and reviews with the audit committee in the future.”