Probability of Vendor Data Breach
Overall Observations
- Third-party program is better than industry average for large data breaches (1M+); the biggest risk is the number of vendors
- Validate the type and volume of customer data for all vendors to ensure model accuracy
- No risk appetite statement or framework articulates the acceptable frequency of third-party data breaches, large or small
- For the 59 vendors with no CISSP, how are their day-to-day cyber activities being performed?
- For the 68 vendors with no CISA, how are their cyber audit activities being performed?
Large Breach 1M+ 3% probability
- Annual probability is 3%, i.e. one large breach roughly every 34 years across your 69 vendors
- Is a 3% chance of data breach across 69 vendors within your risk appetite?
- 5 tail vendors take up 40% of your risk budget (Company 3, 5, 10, 12, 16).
- Tail vendors limit your ability to leverage value from additional third parties, specifically your competitiveness and growth.
Small Breach 1K+ 9% probability
- Annual probability is 9%, i.e. one small breach roughly every 11 years across your 150 vendors
- Is a 9% chance of a data breach across 150 vendors within your risk appetite?
- 17 tail vendors take up 47% of your risk budget (Company 1-17).
- Tail vendors limit your ability to leverage value from additional third parties, specifically your competitiveness and growth.
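As an added illustration (not part of the original assessment), the script below shows how figures like the ones above are built up from per-vendor estimates: the portfolio probability of at least one breach in a year, its return period (roughly 1/p years), and the smallest group of "tail" vendors that consumes a given share of the risk budget. Vendor names and annual probabilities are constructed for the example and are not the assessed values.

```python
"""Portfolio view of third-party breach probability (added illustration).

Assumptions (not from the assessment): each vendor has an estimated annual
probability of a breach at a given size tier; vendor breaches are independent;
the portfolio probability is P(at least one) = 1 - prod(1 - p_i); its return
period is ~1 / P years; and a vendor's share of the "risk budget" is its share
of the expected number of breaches per year (sum of p_i).
"""
from math import prod

# Constructed sample: hypothetical annual large-breach probability per vendor.
VENDOR_PROBS = {
    "Company 3": 0.004,
    "Company 5": 0.003,
    "Company 10": 0.003,
    "Company 12": 0.002,
    "Company 16": 0.002,
    "Company 1": 0.001,
    "Company 2": 0.001,
    "Company 4": 0.001,
}


def portfolio_probability(probs):
    """Annual probability that at least one vendor suffers a breach."""
    return 1.0 - prod(1.0 - p for p in probs)


def return_period_years(p):
    """Average number of years between events for annual probability p."""
    return 1.0 / p


def tail_vendors(vendor_probs, budget_share=0.40):
    """Highest-risk vendors whose combined contribution to expected breaches
    per year first reaches `budget_share`; returns (names, share covered)."""
    total = sum(vendor_probs.values())
    ranked = sorted(vendor_probs.items(), key=lambda kv: kv[1], reverse=True)
    names, covered = [], 0.0
    for name, p in ranked:
        names.append(name)
        covered += p / total
        if covered >= budget_share:
            break
    return names, covered


if __name__ == "__main__":
    p = portfolio_probability(VENDOR_PROBS.values())
    print(f"portfolio annual probability {p:.2%}, ~1 in {return_period_years(p):.0f} years")
    names, share = tail_vendors(VENDOR_PROBS)
    print(f"{len(names)} tail vendors hold {share:.0%} of the risk budget: {', '.join(names)}")
```

Note that the portfolio probability is always below the plain sum of the per-vendor probabilities, which is why the sum is only used for the budget shares, not for the headline figure.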
Next Steps
Verify: your data details (i.e. record count, encryption, data type); vendor data details (i.e. CISA / CISSP and MCPE, managed contracts)
Determine: cumulative risk appetite for third-party data breach (large, small); accountability model (i.e. ARCI) and leadership & governance
Develop: organizational change management approach; frameworks / procedures / metrics to support the risk appetite
Implement: roll out updated & new procedures / framework / metrics
Manage: on-boarding & off-boarding; tail vendors; minimal certifications; vendor portfolio
