Increased Reliance on Third Parties and the Benefits of Digital Transformation

2021 incident benchmarking shows an increase in incidents and breaches from external sources.

Privacy Program Metrics

The recently published 2022 RadarFirst Privacy Incident Benchmark Report provides a wealth of privacy management topics to explore. In this blog, read how to reduce incident management timelines and unlocking your digital transformation strategy here.

In this post, I turn my attention to the topic of third parties. At RadarFirst, we believe that a set of market forces are impacting our customers, much like the recent wet, dreary winter impacted my back patio, and now my time as a power washer has been added to the “to do” list.

Two of these market forces acting on companies are that:

1. Functional departments (e.g., sales, marketing) are being asked to do more while operating with limited staffing budgets (and lately due to increased attrition from the “great resignation”), and
2. The competition does not rest and therefore they will need to rely on third-party entities (contractors, service providers, business partners) to fill in the staffing and expertise gaps.

Companies with mature privacy management programs spend time ensuring that employees have proper training on handling sensitive data. Adding in third parties only increases the risk front, with more opportunities for undesired data exposure. As you will see next, the risk associated with external entities being the source of incidents is increasing, as our market forces predict.

In our benchmark report, we see that incidents associated with external sources have climbed from 2018 through 2021. As companies have to do more with less, they turn to “OpEx” spending, hiring contractors, service providers and business associates to perform staff-augmentation type work.

The chart below illustrates the benchmark’s findings – external sourced incidents have risen from just over 5% in 2018 to nearly 21% in 2021. Also note the dramatic increase in 2020 and again in 2021, possibly due to more reliance on third parties as the Great Resignation took hold.

When we look at the next downstream metric, incidents that require notification (aka, a breach), we see a similar pattern to incidents, albeit an external level that approaches 25% by 2021.

The above charts could be explained by the excellent employee (internal) training programs put in place that are preventing internally-sourced incidents. Surely some of that is true, but certainly not to the level of decline witnessed above. If anything, the “great resignation” might be contributing due to fewer “internal sources.”

From a privacy management perspective, a couple of thoughts come to mind, both around third parties – you need to become more risk aware, and you are a third party if you have a customer.

Risk Awareness

Having an incident management system that can attribute incidents to specific third parties is critical if you want to get a handle on risk management. Knowing which third parties are good stewards of your data, and those not, are vital as you continue to increase reliance. Sharing with your business development and legal teams a perspective on third party causation of incidents is invaluable.

Additionally, the contracts you have with third parties have written expectations, often around performance. Some, but likely not all, of these contracts also place notification expectations on your third parties – to inform you in a timely manner of an incident they caused, or at least discovered.

For an incident, did a third party inform you in the obligated time? If not, you must realize that as time passes, your risk of the event becoming more serious increases. If you are not tracking this information, then why write it into the contract?

There’s Always a Bigger Fish

While the entirety of this blog to this point has been about downstream third parties, if you have an upstream customer, then you are the third party. Your customer does not care if your downstream third party causes an issue involving their data; it’s your fault. Maybe you do not have an upstream customer, but you do have a jurisdiction to which you are responsible. Do you understand your obligations to notify of an incident?

Answers to these questions, and more, can be found in our digital transformation strategy guide for privacy.

RadarFirst Can Help

The RadarFirst incident management platform is unparalleled in the industry at assessing the risk of harm of an incident. We make it easy for our customers to tell us about important obligations, either imposed by them downstream or those they are subject to from upstream entities.

For every incident involving an obligation, we can help you track its completion, review its source and help you make risk-reduction decisions.