Gartner Says 52% of Legal & Compliance Leaders Are Concerned About Third-Party Cybersecurity Risk Since COVID-19

A Gartner, Inc. survey of 145 legal and compliance leaders on April 14, 2020 revealed that since the onset of COVID-19, more than half of respondents believe that cybersecurity and data breach is the most-increased third-party risk their organizations face.

“Remote working has been hastily adopted by suppliers to keep their business running, so it’s unlikely every organization or employee is following best practices,” said Vidhya Balasubramanian, managing vice president in the Gartner Legal and Compliance practice. “Legal and compliance leaders are concerned about the new risks this highly disruptive environment has created for their organizations.”

Bribery and corruption, privacy, fraud, and ethical conduct were all noted as the most-increased third-party risks (10% of respondents for each) for a signification number of respondents (see Figure 1).

“Legal and compliance leaders need to act now to mitigate third-party risk while still enabling their supply chain partners to flex to the current pressures on the system,” said Ms. Balasubramanian. “This will likely mean managing the contractual risks and opportunities of current relationships, mitigating emerging issues, and streamlining due diligence for new third-parties. Legal and compliance leaders will also be looking at other ways to reduce the compliance burden on third parties.”

Navigate the Contractual Relationship
Legal and compliance leaders are managing the contractual risks of disrupted supply chains by:

• Working with procurement or supply chain leaders to identify which critical suppliers have manufacturing facilities, or a portion of the workforce, located in high risk areas
• Contacting high-risk, critical suppliers to understand their preparedness for COVID-19, and the likelihood that they will meet contractual obligations.
• Anticipating ongoing financial or business disruption by conducting a review of existing contracts with high-risk suppliers to identify those with force majeure and other relevant clauses

Mitigate Amplified Third-Party Risks
Gartner identified several emerging practices from the survey respondents:

• Reviewing third-party compliance activities, including third-party work from home policies, as well as privacy and security training plans
• Updating contracts to include clauses intended to mitigate cybersecurity & data privacy risks (e.g., clauses on VPN use, data use)
• Reducing the compliance burden on suppliers by:
  * Entering into temporary “workaround agreements” by amending contracts to maintain services in a remote environment
  * Postponing supplier audits until later in the year
  * Modifying payment structures to those suppliers needing to boost cash flow

Streamline Third-Party Due Diligence
Emerging practices in this area include:
 

• Talking to functional partners about working with new third parties if needed to alleviate supply chain issues.
• Identifying critical, zero tolerance risks and revising due diligence processes to flag these.
• Identifying and prioritizing critical third parties and helping them manage risk throughout the pandemic.
• Conducting remote audits.
• Decreasing the amount of information requested from potential suppliers about general risks.

“Legal and compliance leaders have had to pivot quickly to support their supply chain and other business partners as part of this rapidly shifting third-party risk landscape,” Ms. Balasubramanian said. “The most progressive companies have approached this crisis as an opportunity to clarify and streamline compliance obligations, strengthen current relationships, and focus their risk management efforts on the most critical, urgent risks.”

Gartner for Legal & Compliance Leaders clients can access the full research in Responding to COVID-19: What We are Hearing From Legal and Compliance Leaders

Non-clients can register for this complimentary webinar: Leading Through COVID-19: The Impact on Third-Party Risk Management and find many complimentary pieces of content and research at Gartner’s coronavirus site.

About the Gartner Legal & Compliance Practice
The Gartner Legal & Compliance practice supports senior legal and compliance executives with their most critical priorities. Gartner offers a unique breadth and depth of content to support clients’ individual success and deliver on key initiatives that cut across finance functions to drive business impact. Learn more at https://www.gartner.com/en/legal-compliance/role/legal-compliance-leaders.

About Gartner

Gartner, Inc. (NYSE: IT) is the world’s leading research and advisory company and a member of the S&P 500. We equip business leaders with indispensable insights, advice and tools to achieve their mission-critical priorities today and build the successful organizations of tomorrow.

Our unmatched combination of expert-led, practitioner-sourced and data-driven research steers clients toward the right decisions on the issues that matter most. We are a trusted advisor and an objective resource for more than 15,000 enterprises in more than 100 countries — across all major functions, in every industry and enterprise size.

To learn more about how we help decision makers fuel the future of business, visit gartner.com.