2024 State of Third-Party Risk Management
Partner: RiskRecon by Mastercard
The barrier between “us” and “them” is eroding when it comes to managing cyber risk. The Securities and Exchange Commission’s (SEC) recent ruling is a clear example: it concludes that investors see no difference between a breach in first-party and third-party systems when assessing the materiality of a cyber event. This study examines how third-party risk management (TPRM) programs have evolved since the 2020 pandemic and finds they have grown significantly in both strategic priority and size.
A full 90% of organizations now consider TPRM a growing priority, up from 63% just three years ago. The stakes for managing vendor risk are higher than ever, with 23% of organizations reporting a security incident related to a third party—more than doubling the rate found in 2020. Portfolio sizes are also exploding; the number of TPRM programs managing 250+ vendors has doubled, further straining teams where only 57% feel adequately staffed.
Assessment methods are shifting toward efficiency through automation. Use of security ratings services surged from 42% to 61% as firms confront the diminishing returns of questionnaires. The report also takes a sobering look at questionnaire validity: while surveys are getting longer, only 4% of respondents express high confidence that the answers they receive actually match reality. Overall, it offers a clear picture of how TPRM teams are rising to meet these increased stakes.
Key Findings
- 90% Priority Rate: 90% of organizations now report that TPRM is a growing strategic priority, a significant leap from 63% in 2020.
- Third-Party Breach Surge: 23% of firms suffered a security breach from a third party last year, up from only 9% reported in 2020.
- The 4% Confidence Gap: Only 4% of security professionals are highly confident that vendor questionnaire responses accurately reflect the vendor’s actual security posture.
- Vendor Portfolio Explosion: Twice as many organizations are now managing portfolios of 250+ vendors compared to 2020 data (26% vs. 13.5%).
- 61% Adoption of Security Ratings: Use of cybersecurity ratings has surged to 61% of organizations as a more scalable alternative to traditional onsite assessments.
- Risk-Based Authority Deficit: Only 28% of TPRM programs have the authority to terminate an existing vendor over security concerns, despite 49% being able to block new vendors.

Survey-based study conducted by RiskRecon and analyzed by Cyentia Institute, featuring 112 confirmed responses from security professionals across diverse sectors.