
10 Vendor Risk Statistics to Be Aware Of

By: Stefan Gergely - 18 July 2024

Today, businesses rely more on outside partners, vendors, and suppliers for critical services and functions. 

These third parties offer many benefits, but also bring risks.

How well do organizations know their vendors and the risks they pose? 

And even more importantly, how well do you know the third parties you work with?

To answer these questions, or at least the first one, we will review ten current statistics on vendor risks.

Without further ado, let’s see how companies deal with this crucial part of risk management.

27% of Effort Allocated to Vendor Risk Identification Happens During the Relationship With the Vendor

According to Gartner’s 2019 Third-Party Risk Management model, legal and compliance leaders spend only 27% of their total effort on identifying risks with their vendors over the course of their ongoing relationship.

[Figure: 27% of vendor risk identification happens during the relationship with the vendor. Illustration: Veridion / Data: Gartner]

But what about the remaining 73%?

All of it is allocated to two points in time: due diligence and recertification.

While it is praiseworthy that companies put effort into comprehensive due diligence, this method is mostly ineffective for two main reasons:

  • It causes longer onboarding and waiting times.
  • It misses risks that emerge during the ongoing vendor relationship.

Why? Because vendor risks are not static.

They can change due to various factors like financial instability, changes in ownership, cybersecurity threats, and compliance issues.

So, without dedicating more effort to identifying, assessing, and mitigating these risks throughout the vendor relationship, you put your organization in danger and could experience significant issues. 

Financial, legal, reputational, quality issues, you name it. 

83% of Legal and Compliance Leaders Say They Identified Vendor Risks Only After Due Diligence

The same research shows that, for most companies, vendor risks can often only be identified once you are already working with the vendor, confirming what we have just discussed above.

Of more than 250 surveyed legal and compliance leaders, 83% identified vendor risks only after due diligence and during their ongoing relationship with vendors.

[Figure: 83% identified vendor risks only after due diligence. Illustration: Veridion / Data: Gartner]

Moreover, 31% of these risks resulted in a material impact. 

And 92% of leaders stated that these material risks simply could not have been identified through due diligence alone.

What does this tell us? 

For the majority of companies, standard point-in-time due diligence and risk management policies are no longer sufficient.

Chris Audet from Gartner explains that the future lies in an iterative approach to risk management and ongoing risk identification:

[Quote from Chris Audet, Gartner, on the importance of an iterative approach to risk management and ongoing risk identification. Illustration: Veridion / Quote: Gartner]

But how is this achievable?

The best way is to use the right tools, ones that can assist you both at the vetting stage and afterward by monitoring your vendors for risks.

Our Veridion solution is just the perfect fit. 

Veridion provides the latest and most accurate global supplier data to speed up your supplier discovery and vetting process.

[Screenshot of the Veridion platform. Source: Veridion]

And the best part? 

It also helps you quickly spot risks and changes in your vendors’ business activities after you start collaborating with them.

With control over confidence scores, custom risk factors, and real-time alerts, you can easily manage vendor risks and avoid disruptions to your business.

61.7% of Organizations Report Having Experienced a Cyber Incident Linked to a Third Party

Another critical statistic to be aware of comes from a June 2023 survey by Cyber GRX and ProcessUnity.

Over 60% of organizations experienced a cyber incident caused by third parties, whether through their actions or vulnerabilities.

[Figure: 60% of organizations experienced a cyber incident caused by third parties. Illustration: Veridion / Data: Cyber GRX]

As we mentioned earlier, businesses today work with numerous vendors and third parties, all of whom use many systems and technologies. 

While these partnerships are beneficial, they also come with more risks, particularly cyber-related.

Hacking, malware, data breaches, or other malicious activities can bring you financial loss, disruption, or damage to your reputation. 

If your vendor has weak security measures, their vulnerabilities can be exploited by attackers, which, in turn, can compromise your organization’s data and systems. 

For example, if a vendor’s system is hacked, the attackers might gain access to your sensitive information.

This happened to Bank of America in November 2023.

[News article headline about the supply chain cyber attack. Source: IT Security Guru]

After this incident, Erich Kron, Security Awareness Advocate at KnowBe4, shared an important reminder.

To prevent such cyber attacks on your vendors from affecting you, your contracts must clearly define what data you share with vendors and how long they can keep that data:

“Making sure that contracts define what information is being processed and how long it’s been retained is a very important part of this data management with third parties. In addition, information should be limited as much as possible and anonymized whenever it’s an option.”

Overall, this high number confirms that external vendors and partners are significant sources of cybersecurity risks. 

If anything, it further emphasizes the need for organizations to extend their cybersecurity measures beyond their internal networks to include third-party relationships.

64% of Organizational Leaders View Third Party Risk Management as an Organizational Strategic Imperative

Thankfully, most leaders realize they need to change their approach to risk management and focus more on managing risks related to third-party vendors when it comes to cybersecurity.

In fact, 64% of leaders think that managing these risks is vital for their overall business strategy, according to the aforementioned report by Cyber GRX and ProcessUnity.

statistic showing that 64% of leaders think that managing third party risks is vital for their overall business strategy

Illustration: Veridion / Data: Cyber GRX

The same report lists several reasons why this is the case:

  • Boosting cybersecurity: Third-party risk management (TPRM) helps spot and fix vulnerabilities in relationships with third parties, preventing costly and disruptive cyber incidents.
  • Saving money: TPRM helps organizations save money by avoiding legal penalties and reducing the need for expensive reactive measures.
  • Aligning with business goals: TPRM makes sure that cybersecurity efforts support the company’s overall goals, protecting key business functions and sensitive data.
  • Building trust: Effective TPRM builds trust with customers and partners, boosting the company’s reputation and giving it a competitive edge.

Given all these benefits, it’s clear why more and more leaders prioritize third-party risk management in their risk management strategies.

90.9% of Organizations Report Conducting Regular Assessments of Third-Party Vendors

The next statistic, also from Cyber GRX and ProcessUnity, shows that most organizations regularly check and evaluate their vendors.

[Figure: 90.9% of organizations regularly check and evaluate their vendors. Illustration: Veridion / Data: Cyber GRX]

This positive trend indicates that organizations are aware of the various risks associated with third-party relationships, including operational, financial, and compliance risks.

And these regular assessments help ensure that vendors meet the organization’s standards, maintain quality, and do not introduce unnecessary risks. 

At the same time, companies are able to safeguard their overall stability and reputation.

Beyond that, these regular assessments can also improve vendor performance, foster stronger business relationships, and ensure regulatory compliance.

59% of Organizational Leaders Consider the Use of Third Parties to Be the Most Significant Corruption Risk

While we have so far focused on cyber risks from vendors, another creeping risk is corruption.

According to the Global compliance risk benchmarking survey from White & Case and KPMG, 59% of leaders see working with external vendors as the biggest potential source of corruption within their organization.

This risk is particularly significant in the pharmaceuticals and healthcare industry, as well as the technology, media, and telecommunications industry, where numbers go up to 83% and 72%, respectively.

[Figure: third-party corruption risk across different industries. Illustration: Veridion / Data: White & Case]

Also, larger organizations—both in terms of revenue and number of employees—are more likely to view third-party use as the biggest corruption risk. 

This is likely because bigger companies deal with a wider range of third parties.

But why do third parties come with corruption risks?

Third parties can be risky because they might not be as closely watched or controlled as internal operations.

This can lead to conflicts of interest or failing to follow anti-corruption rules. 

These risks are even greater when third parties operate in areas known for high corruption or in industries prone to corrupt practices.

Overall, these numbers show that there is a need for strong third-party risk management strategies to reduce corruption risks. 

This means keeping a close eye on third parties and doing thorough checks and audits to make sure they follow ethical standards and regulations.

60% of Companies Don’t Monitor the Security and Privacy Practices of Vendors With Whom They Share Sensitive Information

A report from BuckleySandler LLP and Treliant Risk Advisors LLC reveals more worrying statistics about how companies manage their vendors.

37% of companies believe that their vendors wouldn’t notify them if they had a data breach involving their company’s sensitive or confidential information.

And yet, more than half of the surveyed companies do not check how their vendors handle and protect sensitive information shared with them.

[Figure: 60% of companies don’t monitor the security practices of vendors with whom they share sensitive information. Illustration: Veridion / Data: Buckley Firm]

In fact, 60% of companies don’t even have a complete list of all the third parties they share sensitive and confidential information with.

Some reasons for this include:

  • No centralized control over third-party relationships
  • Not a priority for the company
  • Lack of resources to track third parties
  • Complexity in managing third-party relationships
  • Frequent turnover in third-party vendors makes tracking difficult

So, what do these numbers tell us about vendor risks?

Well, they show that a majority of companies are vulnerable to data breaches and other security incidents due to inadequate monitoring of vendors.

Many companies are not prepared to handle or even detect issues arising from third-party relationships, and there is a significant communication gap between companies and their vendors regarding security breaches.

Knowing this, the following statistic doesn’t surprise us one bit.

49% of Companies Had Their Confidential Information Misused Due to Data Breaches Caused by Vendors

The same report reveals that almost half of companies experienced a data breach caused by one of their vendors that resulted in the misuse of sensitive or confidential information.

[Figure: 49% of companies experienced a data breach resulting in misuse of confidential information. Illustration: Veridion / Data: Buckley Firm]

The statistic warns that poor oversight of vendor security practices can lead to significant risks, including misuse of confidential information. 

And when this happens, what does it mean for you?

Think about how:

  • A data breach can severely damage your company’s reputation and cause customers and partners to lose trust in you.
  • Handling a data breach can cause major disruptions to your business operations because you have to divert resources and focus from core activities.
  • Your company may face legal actions and penalties for failing to protect sensitive information adequately.

With that in mind, it’s more than clear that companies must prioritize better vendor risk management to safeguard their sensitive data.

27% of Organizations Apply the Same Risk Management Approach to All Third Parties Regardless of Risk Level

The 2023 State of Risk & Compliance Report by Navex, which includes survey responses from over 1,300 risk and compliance professionals worldwide, doesn’t bring the most optimistic stats, either.

Namely, it reveals that more than a quarter of organizations do not differentiate their risk management practices based on the risk level each vendor presents.

However, the survey did show that 26% of organizations at least rely on unique risk assessment factors during the initial onboarding process. 

Additionally, the most optimistic statistic reveals that 29% of organizations categorize vendors by risk level and apply different levels of checks and precautions based on that risk throughout their relationship with the vendor.

The latter is, naturally, the best option.

[Figure: different approaches to third-party risk management. Illustration: Veridion / Data: Navex]

Still, 27% of companies use the same risk management method for all vendors, no matter the risk level.

What does this mean for them?

Well, this approach can lead to inadequate protection against higher-risk vendors and unnecessary efforts spent on lower-risk ones. 

Without differentiating risk levels, organizations may overlook specific risks unique to certain vendors, leaving themselves vulnerable to unforeseen issues.

For example, high-risk vendors may not receive the scrutiny they require, increasing the chances of significant problems like data breaches, supply chain disruptions, or compliance failures.

In short, by not tailoring risk management approaches to the specific risks presented by different vendors, organizations expose themselves to higher levels of potential disruption and inefficiency.

72% of Companies Find That Their Third-Party Due Diligence Program Significantly Reduces Their Legal, Financial and Reputational Risks

However, most organizations do recognize the importance and effectiveness of thorough third-party due diligence.

The same survey from Navex revealed that 72% of respondents believe that it greatly reduces legal, financial, and reputational risks.

[Figure: 72% of respondents believe that their due diligence program reduces risks. Illustration: Veridion / Data: Navex]

This indicates a widespread acknowledgment that careful vetting of third-party vendors is crucial for protecting the organization from various potential issues.

The next step for better vendor risk management is realizing that ongoing vendor monitoring is another key piece in this equation.

In other words, both due diligence and regular vendor risk assessments and monitoring are key factors for efficient vendor risk management. 

Conclusion

By now, you have probably noticed that vendor risk statistics are predominantly negative.

While some optimistic statistics show that leaders recognize the importance of third-party risk management, the majority indicate that too little effort is being put into managing vendor risks. 

Many companies face significant challenges, from inadequate monitoring and lack of communication to frequent data breaches and the misuse of sensitive information.

Despite these negative trends, there is a clear opportunity for improvement. 

By focusing on better vendor risk identification, assessment, and overall management, your company can stand out and safeguard itself from these common pitfalls.

So, compare how you stand in relation to these statistics, and use this information to guide you towards more successful vendor risk management. 

Be the company that protects its interests and maintains strong, secure vendor relationships.