Opus & Ponemon Institute Announce Results of 2018 Third-Party Data Risk Study: 59% of Companies Experienced a Third-Party Data Breach, Yet Only 16% Say They Effectively Mitigate Third-Party Risks

Third parties are one of the fastest-growing risks to an organization’s sensitive data, yet less than half of all companies say managing third-party relationship risks is a priority

Dr. Larry Ponemon and Opus to Discuss Findings in Live Webinar Wednesday, December 5 at 11 a.m. ET

NEW YORK & LONDON--()--Opus, the leading provider of global compliance and risk management solutions, today announced the results of the third annual Ponemon Institute “Data Risk in the Third-Party Ecosystem” study. Sponsored by Opus, the study surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners.

According to the Opus and Ponemon study, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent -- up 5 percent over last year’s study and a 12 percent increase since 2016. What’s more, many breaches go undetected: 22 percent of respondents admitted they didn’t know if they’d had a third-party data breach in the past 12 months. Overall, more than three-quarters of organizations believe that third-party cybersecurity incidents are increasing.

A key contributing factor is the growing complexity of the third-party landscape. Companies continue to increase their reliance on third parties and, on average, share confidential and sensitive information with approximately 583 third parties. Yet, only 34 percent keep a comprehensive inventory of these third parties, a statistic that’s even worse for Nth parties, at 15 percent. Sixty-nine percent of respondents indicated that a lack of centralized control was the key reason for not having the comprehensive inventory. Additional key reasons included lack of resources and the complexity of third-party relationships.

Furthermore, less than half of all companies say managing third-party relationship risks is effective and a priority within their organization. Only 37 percent indicate that they have sufficient resources to manage third-party relationships and only 35 percent rate their third-party risk management program as highly effective. More than half of companies do not know if their organizations’ vendor safeguards are enough to prevent a breach.

“The third-party ecosystem is an ideal environment for cyber criminals looking to infiltrate an organization, and the risk only grows as these networks become larger and more complex,” said Dov Goldman, VP, Innovation & Alliances of Opus. “To stay ahead of the risk, companies and executives need to collaborate around plans for third-party detection and mitigation that supports automated technology and strong governance practices.”

The study also included a special analysis of those organizations that have been able to avoid a third-party data breach in the past 12 months (36 percent) or ever (32 percent). These high-performing organizations implemented governance and IT security best practices that were strongly correlated with a reduced incidence of third-party data breaches:

  • Evaluation of the security and privacy practices of all third parties – Conduct regular audit and assessments to evaluate security and privacy practices of third parties.
  • An inventory of all third parties with whom you share information – Track all third parties that have access to sensitive data and how many of these parties are sharing this data with others.
  • Frequent review of third-party management policies and programs – Implement formal processes to regularly evaluate security and privacy practices of third and Nth parties, particularly to address new technologies and innovations like Internet of Things devices.
  • Third party notification when data is shared with Nth parties – Mandate that third parties provide information and transparency into their Nth party relationships prior to sharing sensitive data.
  • Oversight by the board of directors – Involve senior leadership and boards of directors in third-party risk management programs. High-level attention to third-party risk may increase the budget available to address these threats.

“While corporate executives understand the implications of a data breach or cyberattack to their business, far fewer are aware of the source of these attacks and the vulnerabilities that their organizations need to address to properly secure their data,” commented Dr. Larry Ponemon. “Considering the explosive growth of outsourced technology services and the rising the volume of third parties, companies need to take control of their third-party exposure and implement safeguards and processes to reduce their vulnerability.”

Download Full Report & Register for the Webinar

To download the 2018 Data Risk in the Third-Party Ecosystem: Third Annual Study, visit opus.com/ponemon.

To attend the Opus and Ponemon Institute webinar discussing the report on Wednesday, December 5, 2018 at 11:00 AM ET register here.

About the Study

A sampling frame of 15,800 individuals located in the United States and 10,995 individuals located in the United Kingdom were selected as participants in this survey. To ensure knowledgeable responses, all respondents are familiar with their organization’s approach to managing data risks created through outsourcing and are involved in managing the data risks created by outsourcing. The final sample consisted of 1,038 surveys.

About Opus

Opus is a global risk and compliance SaaS and data solution provider, founded on a simple premise: that faster, better decisions in compliance and risk management give businesses an extraordinary advantage in the marketplace.

Today, the world’s most respected global corporations rely on Opus to free their business from the complexity and uncertainty of managing customer, supplier and third-party risks. By combining the most innovative SaaS platforms with unparalleled data solutions, Opus turns information into action so businesses thrive.

For more information about Opus, please visit www.opus.com.


Diana Alickaj / Paul Bowhay
Email: opus@cognitomedia.com
Tel: +1-646-395-6300


Diana Alickaj / Paul Bowhay
Email: opus@cognitomedia.com
Tel: +1-646-395-6300