Boston, Mass. — April 2, 2019 — BitSight, the Standard in Security Ratings, and the Center for Financial Professionals (CeFPro) today released a joint study shedding light on how financial institutions are addressing challenges associated with third-party cyber risk. Based on a survey of financial services professionals from around the world, the “Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices” report found that managing third-party cyber risk is critical to their businesses, but a lack of continuous monitoring, consistent reporting, and other blind spots are creating challenges that could leave organizations vulnerable to data breaches and other consequences.
Most organizations work with hundreds, if not thousands, of third parties, creating new risks that must be actively managed. The financial industry, in particular, has a massive business ecosystem made up of legal organizations, accounting and human resources firms, management consulting and outsourcing firms, and information technology and software providers. Each of these vendors poses a potential weak spot for cyber defenses if risk is not actively managed to protect the exchange of data and other sensitive information.
“Managing third-party cyber risk has rapidly become the #1 concern for businesses,” said Jake Olcott, Vice President of Communications and Government Affairs at BitSight. “Many in the financial sector are taking action to manage that risk, but as our survey shows, there is vast room for improvement in key areas like continuous monitoring and effective board reporting.”
Key findings from the Third-Party Cyber Risk for Financial Services Report
Third-party cyber risk is driving key business decisions. Nearly 97 percent of respondents said that cyber risk affecting third parties is a major issue. Meanwhile, nearly 80 percent of respondents said they have terminated or would decline a business relationship due to a vendor’s cybersecurity performance. 1 in 10 organizations has a role specifically dedicated to vendor, third-party or supplier risk.
There is a lack of consistent third-party risk measurement and reporting. Only 44 percent of respondents are reporting on this risk to their executives and boards on a regular basis. This lack of regular reporting could be the reason why nearly 1 in 5 respondents think boards and executives are not confident or do not understand their approaches to third-party risk management (TPRM).
A majority of organizations aren’t using critical tools. Respondents reported that they still rely on tools like annual on-site assessments, questionnaires and facility tours to assess third-party security posture, giving them limited visibility into their third-party cyber risk. Meanwhile, only 22 percent of organizations are currently using a security ratings service to continuously monitor the cybersecurity performance of third parties, though 30 percent are currently evaluating security ratings providers.
TPRM challenges and concerns for the future continue to grow. Companies are concerned with the accuracy and actionability of risk assessment data, as well as an unclear responsibility for this type of risk management within their organizations. Looking toward the future, respondents are focused on making their security programs more effective while staying up-to-date on new regulations and prioritizing continuous monitoring and visibility.
“This report raises a number of interesting questions and challenges for the industry; with C-suite professionals taking responsibility, it is clear that the vast majority of respondents’ organizations understand the critical importance of third-party cyber risk; it is also apparent that there needs to be clarity going forward, with increased communication up to the Board level,” said Andreas Simou, Managing Director at CeFPro. “Although there has been a significant increase in effectiveness, attention, and resources focused toward third-party cyber risk over the last few years, there is still much to be done; utilizing more effective tools and techniques to overcome the ever-increasing challenges being faced within the industry, with third- (and fourth-) party cyber risk as just one key area to be addressed. The report highlights a number of potential solutions and ways forward.”
New tools and best practices are becoming readily available to help organizations address some of the key challenges and concerns uncovered by the survey. In order to effectively manage this growing risk and stay ahead of future challenges, organizations must utilize best practices and trust continuous monitoring solutions like security ratings to help measure and manage their cyber risk with third-party risk data that is accurate and actionable.
For more information on the findings and best practices for effective third-party risk management, download the “Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices” report here. For more information on BitSight, visit www.bitsight.com.
The “Third-Party Cyber Risk for Financial Services: Blind Spots, Emerging Issues & Best Practices” report consisted of an online survey conducted by BitSight and CeFPro of 126 financial services professionals from various industry sectors from across the globe. These sectors included banking (49 percent), insurance (16 percent) and professional services (13 percent), among others. The majority of the respondents are from the United States (35 percent), Europe (28 percent, not including the UK), and the United Kingdom (16 percent).
Founded in 2011, BitSight transforms how organizations manage cyber risk. The BitSight Security Ratings Platform applies sophisticated algorithms, producing daily security ratings that range from 250 to 900, to help organizations manage their own security performance; mitigate third-party risk; underwrite cyber insurance policies; conduct M&A due diligence and assess aggregate risk. With over 1,500 global customers and the largest ecosystem of users and information, BitSight is the most widely used Security Ratings Service. For more information, please visit www.bitsight.com, read our blog or follow @BitSight on Twitter.
The Center for Financial Professionals (CeFPro) is an international research organization and the focal point for a global community of finance, technology, operations, risk and compliance professionals from the financial services industry.
CeFPro is driven by and dedicated to high-quality and reliable primary market research, providing an excellent portfolio of peer-to-peer conferences and thought-leadership content. Recently, CeFPro launched a membership area for the industry to connect, inclusive of industry-led content such as live interactive webinars, a 50+ page quarterly magazine, filmed conference sessions, interviews, research reports, international surveys and much more. Find out more at www.cefpro.com.