Vendors not keeping up on cyber risk management

Given the frequency and magnitude of cyber attacks, there is still a significant amount of risk management work to be done by vendors, says a benchmark study issued Wednesday.

“Vendor risk management programs require more substantive advances,” says the study issued by global consulting firm Protiviti Inc., a unit of Menlo Park, California-based Robert Half International Inc. and the Shared Assessments Program, which is a consortium of financial institutions, accounting firms and third-party risk management leaders.

The report was based on data from 450 c-suite executives, risk management and audit professionals who rated their organizations using a benchmark tool from the Shared Assessments Program that measures the quality and maturity of existing vendor risk management programs.

“The overall maturity rating for program governance in this year's survey (2.8 on a 5-point scale) should serve as a warning sign of the need for deeper changes that reach into organizational culture and behavior,” says the report, “2015 Vendor Risk Management Benchmark Study.”

Cyber security threats are “prominent challenges,” says the report, which states also that vendor risk management programs within financial services organizations are more mature compared to companies in insurance, health care and other industries.