Cyber Due Diligence for Third Parties Still Lacking

Stay current on changes and developments in corporate law with a wide variety of resources and tools.

By Yin Wilczek

July 21 — Many C-suite executives remain surprisingly complacent about third-party cybersecurity due diligence, a recent study finds.

In addition, many boards may not be engaging enough on the issue of cybersecurity.

According to the report, “2015 U.S. State of Cyber Crime Survey,” 62 percent of the respondents indicated that they evaluate the security risks of third-party partners, while 57 percent said they do so for contractors.

However, only 42 percent of the respondents said they consider supplier risks. Moreover, only 16 percent of the respondents said they evaluate their third-party partners' cybersecurity more than once a year, while 23 percent said they do not evaluate third-party security at all.

Almost one-fifth of the chief executive officers, chief operation officers and chief financial officers polled said they did not worry about supply chain risks.

From the survey results, it is clear “that due diligence of business partners is far from adequate,” the report concluded.

Joint Effort 

Released July 16, the report was a joint effort by PricewaterhouseCoopers US, IDG Enterprise, the U.S. Secret Service and Carnegie Mellon University. It polled more than 500 executives from U.S. companies, law enforcement services and government agencies.

Among other findings, the report confirmed that cyber breaches are a growing threat. Seventy-nine percent of the respondents said they detected a security incident in the last 12 months. The respondents also reported 163 security incidents per organization on average, compared to 135 the previous year.

The study found that large organizations detected 31 times more breaches than small organizations.

Board Involvement 

Meanwhile, only 30 percent of the respondents said their senior security officers make quarterly security presentations to their boards, while 26 percent said such presentations occur only once a year. Twenty-eight percent of the respondents said their security officers make no presentations at all.

The study also found that 49 percent of boards view cybersecurity as an information technology issue rather than an enterprise-wide concern.

The report offered seven reasons why boards must view cybersecurity as a key governance issue requiring oversight, including that:

• the financial impact of a breach can be significant, especially if class actions are filed;

• regulatory changes are making compliance harder and increasingly expensive; and

• the Internet of Things is bringing new threats.


Separately, a recent survey by the National Association of Corporate Directors found that boards must significantly improve their understanding of cybersecurity risks.

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Ryan Tuck at

The report is available at


Request Corporate on Bloomberg Law