In a recent study by cybersecurity firm BlueVoyant, more than 90% of the 301 American CIOs, CISOs and chief procurement officers surveyed have experienced a data breach in the past year because of a weakness in their supply chain. However, 69% said that they do not monitor all the third-party vendors they work with, and 27% reported that they only reassess and report on third-party cyberrisk once every six months or even less often, leaving major vulnerabilities. Additionally, 40% said that they inform a supplier when they discover a problem and expect the supplier to address it, while 38% said that they rely entirely on the supplier to have adequate security precautions.

Some organizations have adjusted their budget to confront this problem, with 86% saying they increased the budget for third-party cyberrisk management in the past year. “Despite investment being on the rise, there remains a lack of clarity over where ultimate responsibility for third-party cyberrisk lies,” said Jim Penrose, COO at BlueVoyant. “Ownership of this challenge at the senior leadership level is crucial to operationalizing third-party vendor cyberrisk management.”