Third-Party Breaches Are a Threat—And Many Companies Aren't Ready
A new report from the Ponemon Institute found that most companies think third-party data breaches are a growing threat, but few companies have taken steps to mitigate the risk.
November 20, 2018 at 03:43 PM
Third-party data breaches are becoming the new norm, but most companies aren't taking important steps to protect themselves.
Ponemon Institute's third annual “Data Risk in the Third-Party Ecosystem” study, released Monday, found that 59 percent of respondent companies experienced a data breach caused by a third party or vendor. Another 22 percent of respondents said they didn't know if they had been impacted by a third-party data breach over the past year.
Ponemon's study was sponsored by global compliance and risk management solutions provider Opus and surveyed more than 1,000 chief information security officers from a variety of industries in the U.S. and U.K.
American companies were more likely to say they'd experienced a third-party breach, at 61 percent. According to the report, that's a 5 percent increase from last year and a 12 percent increase from 2016. More than 75 percent of all respondents said third-party data breach incidents are on the rise.
“It's growing,” Lee Kirschbaum, the senior vice president and head of product, marketing and alliances for Opus, told Corporate Counsel. “It's not getting better, it's getting worse, especially in the U.S.”
But only 16 percent of respondents said their companies are “highly effective in mitigating third-party risks.” Nearly two-thirds of companies don't keep a comprehensive inventory of third parties. Most respondents cited lack of centralized control, lack of resources and the complexity of third-party relationships as the reasons for not keeping a comprehensive inventory.
Dov Goldman, the vice president of innovation and alliances of Opus, said it's important that companies mitigate the risk of third-party breaches.
“The third-party ecosystem is an ideal environment for cyber criminals looking to infiltrate an organization, and the risk only grows as these networks become larger and more complex,” Goldman said in a press release. “To stay ahead of the risk, companies and executives need to collaborate around plans for third-party detection and mitigation that supports automated technology and strong governance practices.”
Most respondents said their company's management of third-party risks is not effective or a priority, that they don't have sufficient resources to manage those relationships and that they're unaware of whether vendors are doing enough to prevent a breach.
Some companies, however, have been effective at preventing third-party breaches from impacting them. Ponemon's study highlighted tactics those organizations have used to stay protected.
Respondents said best practices include evaluating security and privacy practices of third parties, keeping a comprehensive inventory of third parties used, requiring third parties to provide notice when a breach happens and including the board of directors in risk management programs.
“A takeaway for me was that so many companies just weren't doing [best practices],” Kirschbaum said. “I don't think it's obvious to the market.”