Data Security in the UK and US: A Look at Third-Party Risk

The 2018 Ponemon Institute Report explores how organizations approach third-party risk management in the United Kingdom and the United States.

Organizations in the United Kingdom and the United States agree — cybersecurity incidents involving third parties are increasing. 76% of companies in both countries believe so, recent research from Opus and the Ponemon Institute found.

As a result, companies are taking a closer look at the data security practices of their vendors, suppliers and partners. However, UK data breach trends indicate that UK companies experience fewer data breaches than companies in the US.

In its third-annual Data Risk in the Third-Party Ecosystem report, the Ponemon Institute explored how companies in both countries approach risk management. Here we look at similarities and differences between UK and US companies and how third-party risk management (TPRM) practices increase or decrease the likelihood of a third-party breach.

Third-Party Data Security Trends in the UK and US

Whether for compliance, to protect customers or to safeguard a company’s reputation, strong third-party risk management is a must to keep sensitive information secure. Positively, 100% of respondents to the Ponemon study said their companies have a third-party data risk management program in place. But the processes included in a TPRM program make all the difference.

1. UK companies report fewer breaches caused by third and Nth parties

UK data breach trends indicate that companies in the United Kingdom are experiencing fewer third party data breaches. In the past 12 months, 38% of UK organizations have experienced a third-party data breach, compared to 45% of US companies. Overall, 55% of UK companies sy they’ve have experienced a third-party breach at least once, compared to 61% of companies in the US.

US companies are also more susceptible to an Nth party breach. 25% of companies in the US have experienced such a breach versus 21% in the UK.

2. Both US and UK companies lack visibility into their third and Nth parties

The biggest threat to data security is not knowing who has access to sensitive information. The Ponemon Study found that 65% of UK organizations and 60% of US organizations do not have a comprehensive inventory of all third parties they share sensitive and confidential information with.

The situation worsens when you take you consider Nth parties, a step removed. Very few companies require notifications when third parties share confidential information with their own contractors. Only 16% of UK organizations have visibility into Nth parties, compared to 15% in the US. Until companies can gain full visibility, data breaches will continue.

3. UK companies have more confidence that a third or Nth party would notify them should a data breach occur

Despite the lack of visibility, UK companies are more confident that a third-party or Nth party vendor would notify them of a data breach involving sensitive and confidential information. 32% of UK companies have confidence their vendors would alert them to a breach, versus 27% of US companies.

GDPR data breach notification requirements are one possible explanation for why UK organizations are more confident. Failure to disclose a breach under the regulation results in stiff penalties. It’s wiser – and required – to report breaches swiftly.

The most upfront way to guarantee notifications from third and Nth parties it to include the requirement in vendor contracts.

4. The US is generally ahead of the UK in monitoring, taking a more strategic, risk-based approach

The primary responsibility for reviewing the security and privacy practices of third parties lies with legal and procurement in both the UK and US. From there, approaches to monitoring differ.

In general, the US is taking a more strategic approach, adopting automated monitoring tools (41%), security rating firms (25%), and independent audits or verification by a third party (25%) vs. the UK, who relies on less timely, annual self-certifications (41%). The UK, however, takes a slight edge on legal contract reviews. 50% of UK companies conduct such reviews versus 45% of US companies.

5. UK and US organizations have similar perceptions about third-party risk

Companies know that outsourcing to vendors, suppliers and external partners is inherently risky. But the problem isn’t outsourcing itself. Sensitive data is at risk because companies have not made TPRM a vital business concern. 48% of UK companies and 45% of US companies believe that managing outsourced relationships is not a priority.

The main issue is a lack of resourcing for TPRM programs. Only 38% of risk professionals in the UK and 37% in the US believe their organization allocates sufficient resources to managing outsourced relationships. To keep up with data risk, those responsible for TPRM need to advocate for the people, budget and technology necessary to continually monitor and assess their third-party partners.

Data security practices in the UK and US will continue to evolve as new cyber threats and regulations make their way onto the scene. Protecting sensitive data starts with knowing who all an organization’s third parties are, which is something our team at Opus can help with. We leverage automation technology to give you clear, up-to-date, insight into your core partners.

Get in touch with us to learn how you can confidently manage your outsourced relationships.

Download the full Data Risk in the Third-Party Ecosystem: Third Annual Study from the Ponemon Institute.

Dov Goldman
Dov Goldman
VP, Innovation and Alliances