Global survey report: Emerging Issues in Third Party Cyber Risk

Assessing and managing the cyber risk of third parties and vendors has never been more critical. Breaches and security incidents affecting third party vendors continue to dominate the news, leading global regulators to adopt new requirements and closely examine third party cybersecurity programs. With added risk and oversight, boards and senior executives are focusing their time and effort on ensuring that they have the right governance, technology, and program framework in place. How have companies responded to these challenges? What are their future priorities and initiatives?
 
The objective of this survey is to develop an understanding of emerging best practices in managing third party cyber risk, with a focus on:

  • Tools, technologies, and approaches
  • Budget and decision-making
  • Executive oversight
  • Future direction                                                                                                         
 
All those who participate will receive a complimentary full copy of the final in-depth report and will also be entered into a prize draw for their choice of our 2019 conferences.

The results of this survey will of course remain anonymous and will be compiled into an in-depth research report. Please provide your details at the end of the survey to receive your copy of the final report.

* 1. What best describes your industry?

* 4. Where is your company headquartered?

* 5. What is your job level?

* 6. Cyber risk affecting third parties/vendors is:

* 7. Who has primary accountability for third party cyber risk in your organization?

* 8. My firm's executives receive reports/briefings on cyber risk posed by our third parties/vendors: 

* 9. My firm's board receives reports/briefings on cyber risk posed by our third parties/vendors:

* 10. Who is responsible for reporting third party/vendor cyber risk to the executives and/or the board?

* 11. When it comes to my firm's efforts to measure and manage third party/vendor cyber risk, I believe our executives and board are:

* 12. What do you think will be the greatest challenges for third party cyber risk management in your firm in the next 12 months?

* 13. What approaches does your firm find most useful to assess third party/vendor cyber risk?

Rank on a scale of 1-5, with 5 being the most useful.

  Scale: 1 - Not at all useful, 2, 3, 4, 5 - Most useful, N/A

  • Questionnaires
  • Document review (e.g. audit, third party assessment, certification)
  • Security Ratings
  • Facility tour
  • Remote or on-site interviews
  • Penetration test/red team

* 14. What issues related to the vendor cyber assessment process are you concerned about?

Rank on a scale of 1-5, with 5 being “higher concern”.

  Scale: 1 - Lower concern, 2, 3, 4, 5 - Higher concern

  • Speed of assessment process
  • Cost of on-site assessments
  • Scope of assessment process (not being able to review more vendors)
  • Quality/accuracy of data we receive
  • Actionability of data we receive from vendors/third parties
  • Timeliness of the data we receive from vendors/third parties
  • Unclear responsibility internally

* 15. My company would decline a business relationship or would terminate an existing business relationship because of a third party’s/vendor’s cybersecurity performance

* 16. To continuously monitor cybersecurity performance of third parties/vendors, my company:

* 17. Over the next 3 years, I expect my firm’s technology budget for third party/vendor cyber risk management will:

* 18. Over the next 3 years, I expect my firm’s services budget for third party/vendor cyber risk management will:

* 19. The budget for acquiring the technologies and services that my firm uses to assess or monitor third party cyber risk lies with:

* 20. With respect to fourth party cyber risk, my firm (check all that apply):

* 21. What initiatives related to third party cyber risk management are most critical for your organization to address over the next 12 months?

* 22. Please leave your information if you would like to be sent a copy of the final report

(Please note, all survey respondents will be kept anonymous within the report)
