
3 Key Takeaways from the 2024 TPRM Impact Report

Every year, Whistic surveys hundreds of Information Security and Risk Management professionals to understand what’s really going on when it comes to third-party risk management (TPRM) and Customer Trust. The TPRM Impact Report is a comprehensive overview and analysis of the findings—covering everything from third-party breaches, process and resource allocation, and vendor questionnaire response times to opportunities for automation and technology investments. 

And the results are in for 2024.

Let’s take a closer look at three key takeaways that emerged from this year’s survey data.

First things first: How is the Impact Report built? 

For the 2024 Impact Report, we collected detailed survey results from a wide range of security and risk professionals. Here’s a quick breakdown of the methodology and profile of this year’s respondents:

  • 532 total respondents—100% of whom have budgetary and decision-making authority for either third-party risk management or customer trust (36%) or both (64%)
  • 23% represent companies with 1-500 employees; 47% represent companies with 500-1,000 employees; 30% represent companies with 1,000-5,000 employees
  • 36% characterize their role as manager; 39% as director; 7% as vice president; and 18% as C-level executive 

Key Takeaway 1: Companies are taking on more third-party risk

A confluence of factors contributes to this trend. First of all, reliance on third parties is increasing rapidly. This year, 50% of the companies we surveyed report working with more than 100 vendors, versus only 38% of companies last year. The average company in our survey works with 237 unique vendors.

Second, third parties themselves seem to carry more risk. We would expect the raw total of security incidents to rise naturally as the number of vendors increases (and it did). But this year, 88% of recent security breaches originated with a third party—an 11% increase since last year. This suggests that the average vendor is more likely to represent a security risk than it was before.

There are several reasons this could be the case: more sophisticated attackers or new vulnerabilities across digital supply chains are certainly contributors. But we also know that TPRM and customer trust resources are spread thin, while the demand for new vendors increases. 

Stuck between the need to rigorously assess vendors and the demand to bring solutions fast, it seems that the TPRM process is getting the squeeze. 93% of companies surveyed said they would assess more vendors if they had additional resources, while 96% say they would perform more in-depth assessments if they could. 

Why it matters

According to IBM’s 2023 “Cost of a Data Breach” report, the average cost of a breach is $4.45M per incident. This may not be the case for every company that experiences a breach (68% of the companies we surveyed have in the last three years), but a staggering bill isn’t the only price to pay for assuming more risk. 

The true cost is felt in reduced business value through reputational harm and an erosion of consumer trust. It’s felt in the exodus of leadership and security talent that often follows in the wake of a breach. And it increases pressure on security and risk teams that are already strapped for resources. 

Key Takeaway 2: The TPRM process is growing in complexity for buyers and vendors

The rising number of vendors per organization alone increases the complexity of the TPRM process—it means there are more vendors to assess and reassess. It also makes it more challenging to consistently categorize and rank risks, continuously monitor a growing ecosystem of vendors, and accurately map critical data. 

The process of conducting an assessment is also growing in complexity. 88% of companies now use some kind of purpose-built software to assist with assessing vendors—this can increase efficiencies, but it also requires management and oversight of more login information, leads to decentralized documentation, and (of course) means more vendors to assess. Roughly 74% of companies also utilize some kind of customized questionnaire in their assessment process. These custom questionnaires have to be updated (87% of companies have to do this at least once a year), and they contribute to more back-and-forth and delays with vendors. 

We’re also seeing other organizational complexities arise as a result. For example, companies are engaging more business units in the assessment process than even a year ago. Compliance, Legal, Privacy, and Procurement teams are all increasing their role in the process alongside IT and InfoSec. 

Why it matters

Greater complexity requires greater management and oversight, more executive buy-in, and greater collaboration and coordination among business units. That combination is usually a recipe for additional resources (or longer hours), but security is still viewed as a cost center. That means additional resources are difficult to come by (and expensive—additional headcount costs an annual average of $109K per employee for the companies we surveyed). 

Key Takeaway 3: Companies look to AI to reconcile the tension between assessment quality and quantity

If you’ve been reading along so far, you may think the challenges of those first two trends are pretty intractable. But it’s clear that companies are turning to AI as at least part of the solution.

95% of companies say AI will have an impact on the security assessment process, and 93% are either using or testing AI in assessments now. Ditto Customer Trust, where 95% of customers see the importance of AI in questionnaire response (and 91% are using or testing it in that capacity).

Why it matters

It’s probably not a shocker that so many companies are looking to AI for TPRM and Customer Trust programs. They are likely looking to AI for every process they engage in across the board. 

But when it comes to third-party risk management, AI isn’t merely a way to do what you’ve always done faster. Companies are already doing that—they are simply assessing fewer vendors, responding to fewer customer requests, and taking on or distributing more risk. Voilà: faster!

Instead, AI affords businesses the opportunity to assess all the vendors they’d like, as often as they need to, and with the depth and rigor that is necessary to make better business decisions, allocate the right resources, and actually manage risk (instead of managing administrative duties)—all without adding additional headcount or massively increasing the budget. 

Whistic AI is modernizing the TPRM process by bridging the gap between quality assessments and a high volume of demand in a number of ways:

AI-powered workflows for security assessments

  • Smart Search allows users to query security documentation from myriad sources for specific, context-rich answers (while also providing confidence scores and document citations). That means you can perform the customized assessments you need with the documents you have, rather than wrestle back and forth with a vendor. 
  • Vendor Summary applies Smart Search to existing vendor catalogs, aligned to specific controls and exceptions. That accelerates reassessments by focusing on what’s changed, and it makes it easier to quickly assess vendors when a new threat emerges. 
  • SOC 2 Summarization organizes hundreds of pages of reports into concise, control-specific summaries (that are also a great means of reporting up to senior leadership or keeping business stakeholders in the loop). 

AI-powered customer trust programs

  • Knowledge Base consolidates all security documentation, certifications, and responses to previous questionnaires in a single, query-able location. This reduces the need to manage multiple log-ins, spreadsheets, repositories, or answer libraries while allowing InfoSec to maintain tight controls. 
  • Smart Search allows anyone with permission to query your Knowledge Base, so InfoSec doesn’t have to be a chokepoint in responding to customers. It also understands question intent, so even customized questionnaires can be automated.
  • Smart Response introduces even more automation: simply submit the questionnaire and AI will source responses, cite documentation, and provide confidence scores. You can quickly audit responses, and once they are approved, they’ll be added to your Knowledge Base to draw from for future questionnaires. 

Download the 2024 TPRM Impact Report 

These key takeaways are only a handful of the insights in our annual report. Download your free copy of the full report today to learn more about the ways third-party risk management is having an effect on buyers, sellers, and the future of your business. 

If you’re one of the 90+% of companies thinking about AI as a part of your risk-management approach, schedule some time with our team of consultants. They’ll show you how Whistic’s integrated approach to AI is modernizing TPRM and reducing the headaches that come with reducing risk. 
