99+ Essential Third-Party Risk Statistics and Trends for 2024

  • September 12, 2024
Author

Emily Bonnie

Senior Content Marketing Manager

The average company is sharing confidential information with 583 third-party vendors.

Modern organizations are more dependent than ever on third-party vendors for business-critical services—from cloud storage to supply chain logistics. But with that dependence comes a looming challenge: how do you make sure these partners don’t become a weak link in your security armor?

In 2024, the stakes are higher than ever. A single misstep by a third-party partner could open the door to costly data breaches, compliance violations, or significant financial loss. Cyber threats are evolving fast, regulations are tightening, and supply chain transparency has become a non-negotiable expectation. 

We scoured the latest survey results and research reports to collect the key statistics shaping the third-party risk management landscape today. By understanding the numbers, you’ll gain a clear view of the current TPRM landscape, what’s driving change, and how you can stay ahead of emerging threats before they impact your organization.

Third-party data breach statistics

Third-party data breaches are becoming alarmingly common, and even the most secure organizations can fall victim if their external partners aren't up to par. This section highlights the latest statistics on third-party data breaches, shedding light on how widespread the issue is and the serious consequences companies face when they don't manage these risks effectively.

  • 98% of organizations have a relationship with a third party that has been breached. (SecurityScorecard)
  • 61% of companies experienced a third-party data breach or cybersecurity incident in 2023. (Prevalent)
  • 73% of organizations have experienced at least one significant disruption caused by a third party within the past 3 years. (KPMG)
  • The number of third-party breaches rose 49% year over year, increasing threefold since 2021. (Prevalent)
  • 75% of third-party breaches targeted the software and technology supply chain. (SecurityScorecard)
  • At least 29% of breaches have third-party attack vectors. (SecurityScorecard)
  • 35% of third-party breaches affected healthcare organizations. (SecurityScorecard)
  • 64% of all third-party breaches occurred in North America. (SecurityScorecard)
  • 7% of organizations that experienced a third-party security incident had sustained, significant adverse effects. (Venminder)
  • The biggest impacts of a third-party cybersecurity incident were financial damage (29%), reputational damage (26%), and regulatory scrutiny (19%). (Venminder)
  • In 2023, organizations’ top concern regarding third parties – by far at 74% -- was a data breach or other security incident. (Prevalent)
  • 84% of survey respondents said that third-party risk incidents resulted in operations disruptions, 66% cited adverse financial impact, 60% noted increased regulatory scrutiny, 59% indicated an adverse reputational impact, and 33% said regulatory action was taken. (Gartner)
  • The cost of a third-party cyber breach is typically 40% higher than the cost to remediate an internal cybersecurity breach. (Gartner)
  • Only 34% of respondents say that they have confidence that a primary third party would notify them of a data breach. (RiskRecon and Ponemon Institute)

TPRM program structure and staffing insights

A strong third-party risk management program doesn’t just happen on its own—it requires proper structure, leadership, and resources. In this section, we'll dive into the key statistics around how companies are building and staffing their TPRM programs, and what’s working (or not) when it comes to keeping risk in check.

  • 52% of organizations use a centralized operating model for their third-party risk management programs. 37% use a hybrid model, 10% are decentralized, and 1% are completely outsourced. (Venminder)
  • 90% of organizations are moving toward centralized risk management. (EY)
  • More than 62% of respondents reported understaffing was the biggest obstacle to better safeguarding their organizations from third-party breaches. The average respondent said they need to double their current staff dedicated to third-party security. (Prevalent)
  • 37% of respondents said they had between 1-4 people currently involved in assessing third parties, but said they needed between 5-9 people. (Prevalent)
  • Less than half (43%) of survey respondents say their TPRM program is adequately staffed. (RiskRecon)
  • 48% of TPRM leaders expressed the need to strengthen the role of executive leadership in managing and governing third-party relationships. (Deloitte)
  • Only 40% of respondents say their organizations regularly report to the board about the state of their third-party risk management programs and the risks facing them. (RiskRecon and Ponemon Institute)
  • 47% of TPRM leaders would like to prioritize improving skills and talent related to TPRM. (Deloitte)

TPRM program goals and key metrics 

Setting clear goals and tracking the right metrics are essential to an effective third-party risk management program. In this section, we explore the most important objectives companies are setting for their TPRM programs and the key performance indicators they’re using to measure success.

  • 22% of organizations have fully defined and operational metrics to measure their TPRM programs. (Venminder)
  • 87% of organizations say the primary objective of their TPRM program is to reduce risk exposure. 65% say maintaining regulatory compliance, 46% say meeting customer requirements, and 30% say it’s satisfying executive mandates. (RiskRecon)
  • The number of TPRM programs managing at least 250 vendors doubled between 2020 and 2023. (RiskRecon)
  • 49% of TPRM programs say they have the authority to block new vendors due to risk; 59% say they can require additional controls; and 28% can terminate existing vendors due to risk. (RiskRecon)
  • 63% of TPRM leaders would like to prioritize revisiting and refreshing their organization’s TPRM methodology. (Deloitte)
  • Third-party risks organizations were most concerned about going into 2024 included an increase in cybersecurity attacks; use of AI by vendors; pending or anticipated regulatory changes; availability of vendors in an unexpected event; changes in a vendor’s financial health; ESG disclosure and reporting; and identifying and reporting on the diverse status of vendors. (Venminder)
  • 96% of respondents said their organization believes there is ROI for third-party risk management activities. (Venminder)

TPRM program maturity

How developed is your third-party risk management program? Understanding the maturity of your TPRM strategy is crucial to identifying areas for improvement. This section covers the statistics that reflect where organizations stand in terms of TPRM maturity and what separates mature programs from those still in the early stages.

  • Only one third of respondents indicated their third-party security programs were highly coordinated. (Prevalent)
  • Less than half (48%) of businesses strongly believe their risk monitoring program is meeting contractual and regulatory requirements. (Supply Wisdom)
  • 90% of organizations are making investments to improve their TPRM program's effectiveness.  (EY)
  • Less than one-third of survey participants have run a TPRM program for longer than five years. (EY)
  • Only 39% of respondents rate their company’s third-party risk mitigation as highly effective. (RiskRecon and Ponemon Institute)
  • A third (33%) of the organizations surveyed have already established and implemented third-party risk management programs, while another 38% are committed to improving their existing programs. (Venminder)
  • 90% of organizations consider TPRM a growing priority (up from 63% in 2020) (RiskRecon)
  • 70% of survey respondents say third-party risk management is a growing investment in terms of headcount and budget. (Moody’s Analytics)
  • Nearly 6 in 10 TPRM leaders (56%) believe their organizational culture has become much more supportive in understanding and managing ESG risks and opportunities in their third-party ecosystem. (Deloitte)
  • 32% of organizations felt no pressure to improve their third-party risk management program. Of those that did, 34% said pressure was coming from auditors and regulators, 28% indicated internal management or the board, and 6% cited client demand. (Venminder)
  • At least 82% of organizations had an audit or regulatory exam within the past year. Of these, 28% received feedback that TPRM improvements were needed. (Venminder)
  • 44% of organizations expect to use managed service providers for TPRM more in the next two to three years. (EY)
  • 61% of survey respondents believe their organization’s TPRM program is undervalued. (KPMG)

Best practices in TPRM

With evolving risks and regulations, organizations must create adaptable TPRM strategies. This section highlights the latest best practices in third-party risk management, offering insights into how leading companies are navigating today’s challenges and mitigating risk.

  • 86% of organizations have a defined set of criteria to identify their critical vendors. (Venminder)
  • The top three challenges organizations are facing regarding TPRM are getting the right documents from vendors (48%); lack of internal resources (36%); and time management (27%). (Venminder)
  • 58% of respondents updated their inherent risk assessments within the last year, 25% within the last one to two years, 10% of respondents reviewed every three years or longer, and 7% didn’t conduct any inherent risk assessments at all. (Venminder)
  • Risk domains with the highest focus in 2023 include cyber and information security risk (62%); geopolitical risk (33%); resiliency and business continuity risk (32%); and data privacy (29%). (Deloitte)
  • 67% of organizations say they last updated their third-party risk management policy less than a year ago. 23% updated it 1-2 years ago; 2% three years ago; 3% more than 3 years ago, and 5% do not have a TPRM policy. (Venminder)
  • Only 48%  of organizations have exit strategies or contingency plans for high-risk third parties, leaving more than half unprepared. (EY)
  • 45% of survey respondents are increasing the diversity of their suppliers to meet ESG goals. (EY)
  • The number of businesses assessing all third parties for environmental risk is expected to reach 30% within three years. (KPMG)
  • 23% of survey respondents said if a key supplier did not meet their ESG requirements, they would stop working with that supplier. (EY)
  • 23% of companies say cyber threat and vulnerability risk mitigation is lacking from their risk monitoring program.  (Supply Wisdom)
  • 89% of TPRM programs assess non-cyber risks or will soon begin doing so. Privacy was cited as the most-common non-cyber risk factor considered within the scope of TPRM programs (85% of respondents). Other factors include operational risk (65%), financial ratings (64%), regulatory sanctions (61%), environmental and social governance (47%), and geopolitical risk (39%). (RiskRecon)

Third-party risk assessment trends

Knowing your third-party risks is one thing; assessing them properly is another. How often are companies assessing their partners? What factors are they prioritizing, and what challenges do they face? This section covers the most up-to-date statistics on third-party risk assessments, giving you insight into the methods and frequency companies are using to stay ahead of potential threats.

  • Nearly 50% of the companies surveyed do not rank their vendors and third-party providers by risk level at all. (Supply Wisdom)
  • Only 36% of respondents say that before starting a business relationship that requires the sharing of sensitive or confidential information their company evaluates the security and privacy practices of all vendors. (RiskRecon and Ponemon Institute)
  • Respondents reported assessing or monitoring only 33% of their vendors. (Prevalent)
  • About half (47%) of respondents say they do not conduct evaluations because of third parties’ requirement to comply with data protection regulations (RiskRecon and Ponemon Institute)
  • Only 29% of companies remediate risks found during the vendor sourcing and selection stage. (Prevalent)
  • 49% of organizations report their current method for assessing third-party risk is not able to assess risk at every stage of the vendor lifecycle. 51% say their current method is not able to deliver the automation and reporting necessary to efficiently demonstrate compliance. (Prevalent)
  • 66% of the respondents have formal processes in place to assess residual risk. However, the remaining 34% either don’t have an established process or are uncertain about residual risk in the context of third-party risk management. (Venminder)
  • 51%  of organizations maintain an integrated resiliency plan for critical third parties, 47% conduct integrated resiliency testing, and 45% perform scenario analysis. (EY)
  • Only 44% of respondents say their organizations conduct audits and assessments of third-party data handling practices (RiskRecon and Ponemon Institute)

Vendor security questionnaire usage

Vendor security questionnaires remain a foundational tool for evaluating third-party risk, but how are organizations using them in 2024? In this section, we break down the current trends in questionnaire usage.

  • Security questionnaires are the most popular method of assessing third-party risk, with 84% of respondents using them. (RiskRecon)
  • Up to 75% of vendors either do not answer security questionnaires or fail to do so in a timely manner. (Viso Trust)
  • 35% of TPRM programs include at least 100 questions in their vendor questionnaires (up from 19% in 2020).  (RiskRecon)
  • 57% of TPRM programs use custom security questionnaires, versus just 18% that use an industry standard such as a SIG questionnaire. 42% use a modified industry standard. (RiskRecon)
  • Only 4% of respondents say they’re highly confident that vendors are actually meeting security requirements based on their questionnaire responses. (RiskRecon)
  • The percentage of organizations using cybersecurity ratings services jumped from 42% in 2020 to 61% in 2023. (RiskRecon)
  • 37% of organizations are not currently monitoring AI usage among their third-party vendors. 15% monitor usage through security questionnaires. (Venminder)
  • 52% of companies say it takes 31-60 days to perform control assessments of third parties. 38% say it takes 61-90 days, while just 8% can perform control assessments within 7-30 days. (EY)
  • 77% of organizations send between 101 and 350 questions on third-party control assessments. (EY)

Ongoing third-party risk monitoring

Monitoring your vendors isn’t a one-time task; it requires constant monitoring. In this section, we look at the importance of ongoing third-party risk monitoring and the ways companies are keeping an eye on vendor risks over time to ensure partners remain secure and compliant.

  • Only 32% of respondents say their organization maintains a comprehensive inventory of third-parties with whom it shares sensitive information. 61% of respondents say their organization does not have such an inventory, and 6% are unsure. (RiskRecon and Ponemon Institute)
  • Nearly 90% of companies track risks from the sourcing and selection phases, but fewer than 80% track service-level agreements (SLAs) and offboarding risks later in the relationship lifecycle. (Prevalent)
  • 50% of survey respondents say their companies do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information, or they are unsure. The primary reason for not monitoring is confidence in the third party’s ability to secure information (49%). (RiskRecon and Ponemon Institute)
  • Of the 50% of respondents that say their companies do monitor the security and privacy practices of third parties to ensure the adequacy of these practices, 53% do so via random tests or spot checks. (RiskRecon and Ponemon Institute.
  • 28% of organizations review and re-assess vendor risk on an annual basis. (Venminder)

Nth party and downstream risk trends

It’s not just about who you directly work with—your third parties have their own network of vendors and partners. These "Nth party" or downstream risks can create ripple effects for your business. Here, we’ll take a look at the statistics surrounding Nth party risks, highlighting how far the chain of risk extends and why it’s a growing concern in 2024.

  • 59% of organizations currently examine and assess their vendors’ third-party risk management practices to manage fourth-party risk. (Venminder)
  • Only 10% of organizations conduct direct risk assessments of fourth parties. 27% do not assess or monitor fourth parties at all. (Venminder)
  • Only 39% of survey respondents say their third parties’ data safeguards and security policies and procedures are sufficient to respond effectively to a data breach and only 40% say they are sufficient to prevent a data breach. (RiskRecon and Ponemon Institute)
  • Only 36% of respondents say their organizations are notified when third parties share their information with Nth parties with whom they have no direct relationship. (RiskRecon and Ponemon Institute)
  • Only 29% of respondents say their organizations have visibility into Nth parties that have access to sensitive and confidential information. Of this 29%, 56%say this visibility is due to reliance upon contractual agreements and 53% of respondents say they trust the third party to notify their organizations when their data is shared with their Nth parties. (RiskRecon and Ponemon Institute)
  • More than half of respondents say they are relying upon the third party to notify their organization when data is shared with Nth parties. (RiskRecon and Ponemon Institute)
  • Of organizations that experienced a third-party data breach, 38% say the breach was caused by an Nth party, indicating the flaws in third-party security controls in place for Nth parties. (RiskRecon and Ponemon Institute)
  • North American companies use fewer third-party & Nth party vendors than European companies. 47% of European companies report vendors in as many as 49 countries, compared to 22% of North American companies who said the same. (Supply Wisdom)

TPRM tools and technology adoption

Managing third-party risk is a complex task, but the right tools and technologies can make it significantly easier. This section breaks down the numbers on how organizations are leveraging automation, artificial intelligence, and other solutions to improve their TPRM processes and stay on top of an evolving risk landscape.

  • Although most organizations report having TPRM programs in place, 60% of respondents are not using a dedicated TPRM platform. (Prevalent)
  • 45% of TPRM leaders stated that continued investment in technology, automation, and data for TPRM is important. (Deloitte)
  • While only 5% of companies are currently leveraging AI for their TPRM programs, 61% of organizations say they are actively investigating its uses for TPRM. (Prevalent)
  • 54% of organizations say their top goal in investigating AI for TPRM is to speed up questionnaire completion by automatically completing responses using existing questionnaires and available evidence. (Prevalent)
  • 77% of respondents now rely on software with vendor management features and functionality to streamline the management of vendor risk. (Venminder)
  • 39% of organizations plan to integrate automation into their ESG function to better manage risks over the next two years. (EY)
  • Over 50% of respondents not currently using AI in risk monitoring, more than half acknowledge the need to monitor for AI-related risks, indicating a growing awareness of technology's impact on risk management. (Supply Wisdom)
  • Only 14% of procurement and 13% of supplier management professionals report using continuous monitoring tools to assess suppliers. (Supply Wisdom)

Strengthen your third-party risk management with Secureframe

As the landscape of third-party risk management continues to evolve, staying ahead of emerging threats and maintaining a secure vendor ecosystem is critical. The statistics and trends we've covered highlight just how complex managing third-party risk can be, but with the right tools and strategies in place, it doesn’t have to be so challenging.

Secureframe’s compliance automation platform is designed to strengthen and streamline your third-party risk management efforts. Centralize your TPRM program by keeping all vendor details—from profiles and risk assessments to historical logs—in one easy-to-access dashboard. Continuous monitoring ensures your vendor list is always up-to-date, even detecting shadow IT and apps that aren't on your approved vendor list.

Comply AI simplifies the security review process by automatically extracting key answers from vendor documents like SOC 2 reports, saving time and reducing manual effort. Plus, the platform is fully customizable, allowing you to create custom scores, tags, departments, and risk assessments to tailor the program to your specific needs.

Schedule a demo to learn more about how Secureframe can give you the visibility, insights, and automation you need to safeguard your business against third-party risk. 

Use trust to accelerate growth

Request a demoangle-right
cta-bg