Risky Business: Working with Third Parties Across the Globe

December 3, 2024 | 4 min read

BlueVoyant

Lessons from our 2024 report, The State of Supply Chain Defense: Annual Global Insights Report

To show regional differences, BlueVoyant’s latest research report includes C-level executive responses from organizations in the U.S. and Canada, U.K., Continental Europe, and APAC. Singapore had among the lowest reported negative impacts from third-party cyber breaches, while the U.K. had the most.  

Regional differences play a notable role in shaping how organizations approach and handle third-party cyber risk management (TPRM). Our latest Supply Chain Defense survey shines a spotlight on how regions handle third-party cybersecurity risks, highlighting both strengths, such as a lower likelihood of being impacted by a breach, and areas for improvement, such as working with third parties to mitigate threats.

Here is how the regions compare over the past 12 months:

U.S. and Canada 

Respondents from the U.S. and Canada continue to face greater challenges in third-party cyber risk management than other global survey participants. A significant 89% reported negative impacts from third-party cyber breaches over the past 12 months, above the global average of 81%. Digging in a bit more, 54% of this region's respondents say they experienced negative impacts from 2 to 5 such incidents over the past 12 months.

A concerning trend is the growing lack of visibility into third-party issues: 36% indicate they have no way of knowing when a cyber issue arises at a third party, up from 22% in 2023. Additionally, adoption of continuous autonomous transparency tools is lower than the global average (11% compared to 15% globally).

Encouragingly, 92% of respondents say their TPRM budget increased, compared to 86% globally and up from 89% in 2023. Respondents attribute this rise to recent breaches, or news of breaches in their industry, and a larger share of them are spending the added budget on external resources (54% compared to 50% globally).

U.K. 

U.K. organizations face challenges in managing third-party cybersecurity risks, with some areas diverging from global trends. Similar to 2023, the U.K. continues to lag behind continental Europe.  

The U.K. faces a high incidence of negative impacts from third-party cyber breaches, with 95% of respondents reporting such incidents over the past 12 months. Despite this, U.K. organizations are more proactive in their monitoring efforts, with a higher likelihood of using continuous monitoring solutions and tiering vendors based on criticality. 

Interestingly, the U.K. is more likely to outsource reporting on third-party cyber risk management and is more proactive in briefing senior management about these risks.  

A silver lining in the U.K. is that 92% said their budget increased for third-party cybersecurity risk management programs, compared to 86% globally.  

Europe – DACH (Germany, Austria, Switzerland), Denmark, and the Netherlands 

As in previous years, European organizations often outperform their global counterparts in key areas of TPRM, likely because of increased regulation, including newly enacted directives such as NIS2.

European respondents are less likely to report negative impacts from breaches, with 76% indicating such issues over the past 12 months compared to 81% globally. Risk awareness is also higher, with only 28% stating they have no way of knowing about cyber issues with third parties, versus 30% globally. 

Europe leads in comprehensive vendor assessments, with 54% saying they periodically review all third parties under contract, compared to the global average of 50%. Continuous transparency into third-party cyber risks is also reportedly higher at 19%, compared to 15% globally. 

However, European organizations are less likely to say they had a TPRM budget increase (80% compared to 86% globally). 

APAC – Australia, the Philippines, and Singapore 

APAC respondents demonstrate a nuanced approach to third-party cybersecurity risk management, with both strengths and areas for improvement compared to global counterparts. Notably, they are less likely to report negative impacts from third-party cyber breaches (77% compared to 81% globally). 

On vendor management, the most common band for the number of vendors APAC organizations evaluate is 501-1,000 (44% of respondents), while the most common band for the number they regularly monitor for cybersecurity risk is 101-500 (47%), slightly behind global respondents.

However, there is room for improvement in APAC's handling of TPRM. Nearly 30% report having no way of knowing if a cyber breach occurs in their third-party ecosystem. In addition, APAC respondents are less likely to report using autonomous transparency tools: 45% reported no autonomous transparency into their supply chain, compared to 39% globally.

TPRM budget trends are promising, with 90% of APAC organizations saying they had an increase, surpassing the global figure (86%), and up from 80% in 2023.  

Summary 

This year's survey on supply chain defense highlights the diverse approaches and challenges faced by different regions in managing third-party cyber risks. Regulatory requirements differ by region and industry sector and drive some of the practices employed, but maturity also varies by region and sector. While some regions excel in certain areas, others identify opportunities for improvement.

Check out the full report for insights and metrics to benchmark the performance of your own TPRM program relative to peers in your region: The State of Supply Chain Defense: Annual Global Insights Report 2024 

Interested in learning how BlueVoyant can help with your third-party cyber risk management? Find out more here.    
