CONFERENCE On Demand: Cyber AI & Automation Summit - Watch Now
Connect with us

Hi, what are you looking for?


Incident Response

Businesses Doubtful That Vendors Would Disclose a Breach: Survey

Companies in the United States aren’t confident that third-party vendors (or providers hired by their vendors) would inform them about breaches involving sensitive and confidential information, a recent survey from the Ponemon Institute reveals.

Companies in the United States aren’t confident that third-party vendors (or providers hired by their vendors) would inform them about breaches involving sensitive and confidential information, a recent survey from the Ponemon Institute reveals.

The study (PDF)Data Risk in the Third Party Ecosystem, focused on the concerns that companies have about their third-party vendors, and also looked into the businesses’ perception of fourth-nth-party vendors (indirect service providers or subcontractors).

The survey found that 37 percent of respondents don’t believe their third-party vendor would notify them in the event of data breach, while 73 percent believe that a fourth-nth-party vendor would not notify them. The study reminded that companies have both direct and indirect relationships with third parties and fourth-nth parties that are important in meeting business needs.

Would Vendors Disclose a Breach?However, despite a large number of interactions, companies can’t easily detect and mitigate risks associated with third parties that have access to confidential and/or sensitive company information, the study found.

The report shows that companies are often uncertain if their third parties experienced a data breach, with 49 percent of respondents confirming a data breach caused by a third-party vendor, while 16 revealing they were unsure. While 73 percent of respondents said the number of cybersecurity incidents involving vendors is increasing, 65 percent say that they find it difficult to manage cybersecurity incidents involving vendors.

Although they are not able to determine if a vendor’s safeguards and security policies are sufficient to prevent a data breach, 58 percent of respondents still share sensitive data. Only 41 percent of respondents said they were confident in their vendors’ data safeguards and security policies as being sufficient to respond effectively to a data breach.

According to the survey, just 31 percent of respondents believe their vendor’s risk management program is highly effective, yet only 38 percent track the effectiveness of the vendor risk management program. Only 48 percent of respondents said they have a vendor risk management committee. What’s more, 62 percent of respondents said their board of directors does not require assurances that vendor risk is being assessed, managed or monitored appropriately, or they were unsure.

Earlier this year, Google decided to open source its Vendor Security Assessment Questionnaire (VSAQ) framework to help companies improve their security programs. The interactive questionnaire application was developed to support security reviews by facilitating the collection of information and allowing users to display it in a template form. Google uses such questionnaires to evaluate third-party vendors’ security and privacy posture, but the company pointed out that they can also be used for self-assessment or for becoming familiar with security issues.  

“Despite the number of publicized data breaches throughout the US, there continues to be a significant lack of confidence and understanding within companies as to whether their security posture is sufficient to respond to a data breach or cyberattack. In fact, 60 percent of respondents said their companies still do not monitor the security and privacy practices of vendors with whom they share sensitive or confidential information, often citing lack of having the internal resources to check or verify or that the third party will not allow for independent monitoring,” Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, said.

Advertisement. Scroll to continue reading.

Conducted by the Ponemon Institute, the survey was commissioned by BuckleySandler LLP and Treliant Risk Advisors LLC.

Related: Cyber Security Risk Underestimated at Nuclear Facilities: Report

Related: The NIST Cybersecurity Framework Revisited

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.