In today’s interconnected digital landscape, organisations rely heavily on third-party vendors and partners to drive efficiency, innovation, and growth. This reliance, however, comes with inherent risks. Cybersecurity professionals are acutely aware that a single weak link in the supply chain can lead to devastating consequences. This is why Gartner has just listed Third Party Risk Management (TPRM) as a top cybersecurity trend for 2024.
Given these trends, at 33N we recently took the topic to our CISO circle for discussion, jointly reflecting on adoption trends, market drivers, pain points not yet addressed and areas of innovation in TPRM. Despite the increased tailwinds, the topic still presents challenges at several organisations. Let’s start.
Adoption trends and Market Drivers: Why TPRM Matters
The global Integrated Risk Management market was valued at $5.0bn in 2022 and is expected to grow at 15% year on year to $19.7bn by 2032, representing a resilient opportunity with key drivers underpinning it.
1. Escalation of high-profile (and high-impact) data breaches
Publicised incidents (no need to highlight examples anymore!) have continued to underline the risk of third-party supply chain compromises. Organisations must extend their security perimeter beyond their own walls to include third-party vendors. Enterprises now recognise that their security posture is only as strong as their weakest link, which often lies in their vendor ecosystem.
2. Stringent Compliance Mandates
The TPRM market has witnessed remarkable growth, fuelled by stringent regulatory compliance requirements for cybersecurity and data protection. While recent SEC regulations mandate disclosure of critical cybersecurity incidents and risk management strategies (including TPRM) starting in 2024 in the US, the recent NIS2 and DORA regulations in Europe have set clear guidelines for TPRM practices specifically. These regulations underscore the importance of due diligence, risk assessment, and continuous monitoring of third-party vendors.
3. Business Continuity in globally distributed enterprises
Supply chain disruptions, remote work arrangements and increased reliance on digital services underscore the need for robust TPRM practices. Ensuring business continuity (think of a tier-1 bank whose systems have been compromised and which is looking to restore them) requires extending TPRM to creating third-party-specific incident playbooks, conducting tabletop exercises and defining a clear offboarding strategy for data access.
4. Organisational need to bring together security, risk management and procurement
While the selection of TPRM vendors is often seen as falling under the CISO, this is not always the case. More often than not, the Chief Risk Officer will be called on to view cybersecurity risks within a more comprehensive view of business risks and business continuity, while procurement teams will be paramount in considering TPRM in their vendor selection, onboarding and management processes.
5. Cyber Insurance
Very much tied to business continuity, cyber insurance continues to mature as a practice. As highlighted by incidents such as Merck’s $1.4bn insurance claim settlement, organisations need to demonstrate effective third-party cyber risk management to obtain coverage.
While TPRM is pervasive across industry sectors, critical infrastructure and industrial verticals are emerging sectors for TPRM and are currently facing a period of heightened malicious activity. These segments involve a complex ecosystem that relies heavily on partnerships with suppliers, vendors, and other service providers, introducing a higher number of attack vectors. A recent illustrative example is the German company PSI Software, which supplies software specialised for energy providers and other industrial processes. PSI said last week it had been the victim of a cyberattack, specified on Monday that it had been hit by ransomware, and took its systems offline to prevent further intrusions.
TPRM 2.0: Automation, Integration and (inevitably) AI
At our recent CISO circle, participants had wide knowledge and adoption of traditional 1st-gen players like Bitsight and SecurityScorecard (with the exception of organisations that de-prioritise TPRM in favour of their own pen-testing and breach-simulation capabilities). New needs and pain points, however, were outlined as emerging:
Increased integration with cybersecurity assets, not only to provide an outside-in view but also to accelerate incident response and remediation
Response for business continuity: new approaches are emerging on how to launch a “minimum viable company” to ensure business continuity
Increased automation and productivity for security departments when onboarding new suppliers, instead of pen-testing them themselves
New vendors, such as 33N’s portfolio company Panorays, among others, are providing automation (e.g. in vendor questionnaires), visibility (e.g. uncovering the entire vendor ecosystem and avoiding shadow IT) and integrations (e.g. with threat intelligence), simplifying the risk assessment process and visibility as well as drawing lines towards incident remediation.
From an inside-out perspective, Panorays can identify the associated risks across third parties, while its AI capabilities benefit third-party risk managers with AI-assisted responses to security questionnaires based on users’ previous answers, reducing friction for third parties and enabling quicker and more accurate answers. From an outside-in perspective, Panorays also uses AI to parse new data to stay on top of the latest data breaches, so that your organisation can mitigate risks proactively rather than responding to a security incident once it’s too late.
As for the profile of the early adopters of these next-gen solutions, emerging medium-sized organisations will likely continue to be prime consumers, as they are not bound by organisational inertia when replacing 1st-gen vendors and are much more open to automation and integration with their cybersecurity stack. Similarly, emerging segments such as critical infrastructure and industrial verticals, as mentioned, have shown increased interest and are leap-frogging more traditional solutions (though not exclusively).
As we look to the horizon, the convergence of TPRM and AI/automation, the extension of TPRM’s scope to incident response and remediation, and the enabling integration with existing cyber assets hold immense promise for bolstering cyber resilience and fostering a culture of proactive risk management. By embracing AI-driven solutions and staying abreast of regulatory developments, organisations can navigate the turbulent waters and changing winds of third-party risk with confidence and foresight.
Let the tailwinds keep blowing!