February 27, 2019
Six months ago, we wrote about the prevalence and cost of data breaches and looked at some expensive examples of cyber-crime in the legal sector. We cited The World Economic Forum’s 2018 Global Risks Report, which reported that in terms of likelihood, Cyber Attacks and Data Fraud or Theft ranked 3rd and 4th among international risks facing businesses, both rating at around 4 out of 5. This was alarming, although not particularly surprising, especially within Corporate Legal Departments and Legal Operations.
Many companies are still adjusting to the compliance requirements and subsequent international impact of the General Data Protection Regulation (GDPR) which became enforceable on May 25th of this year, as well as the wave of data transparency and breach legislation across the US. In 2018, Information Security stopped being a suggestion.
16 years after California enacted the first mandatory breach notification law, all 50 U.S. states have now enacted their own breach notification laws. In addition, 2018 was a big year for regulatory oversight of Outsourcing Risk Management programs. From California’s Consumer Privacy Act (CCPA) and Colorado’s HB18-1128 to Nebraska’s LB 757 and Alabama’s SB 318v, regulators and legislators made it clear that not only were companies required to maintain reasonable security practices and procedures, but that they must also flow down those obligations to their vendors and third parties.
And it seems to have worked!
The 2019 Global Risks Report (GRR) reported that in terms of likelihood, Cyber Attacks and Data Fraud or Theft fell to 4th and 5th among international risks facing businesses, both rating under 4, at about 3.75 out of 5 (a 25% reduction!). It’s encouraging to see progress, and we can expect data security to keep improving as long as we keep improving as well.
One thing the GRR does not consider in detail is the third-party contribution to risk, and when we look at a survey focused more on third-party risk, the results are far less complimentary. 59% of respondents reported a third-party data breach in 2018, a steady increase from past years (56% in 2017, 49% in 2016).
So why is third party risk increasing?
The problem isn’t that companies are simply ignoring third-party risk; it’s that many expect a one-size-fits-all solution to vendor assessment, selection, onboarding, and management. This leaves compliance managers and department leads with 400-question assessments that their vendors don’t want to spend time completing and that they themselves don’t want to spend time reviewing. As more regulations are passed and pressure mounts on companies to show proof of third-party oversight, generalized solutions won’t work anymore. Clients and vendors alike are quickly becoming overwhelmed, and as manpower is pulled away to deal with the management demands, things slip through the cracks.
Wise companies recognize the costly inefficiency of this method and the value of delegating specialized Vendor and Third-Party Risk Management resources to departments such as Legal Operations. And others are catching on - almost 60% of institutions said they expect to increase their enterprise risk management budgets during the next three years.
How do you select the right third-party risk management platform? We wrote a quick piece on what to look for in your IT and software vendors and what 6 questions to ask to ensure that your data will be secure.