Third-party risk management (TPRM) is the process of analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers. This is commonly known as third-party risk or vendor risk and can include financial, environmental, reputational, and security risks due to a vendor's access to intellectual property, sensitive data, personally identifiable information (PII), and protected health information (PHI).
Third-party risk management has never been more important as organizations around the world are increasingly reliant on third-party relationships.
What is a third-party?
A third-party is any entity that your organization works with. This includes suppliers, manufacturers, service providers, business partners, affiliates, distributors, resellers, and agents.
They can be upstream (suppliers and vendors) and downstream (distributors and resellers), and can include non-contractual entities.
For example, they could provide a SaaS product that keeps your employees productive, provide logistics and transportation for your physical supply chain, or they could be your financial institution.
What's the difference between a third-party and fourth-party?
A third-party is a supplier, vendor, partner, or other entity doing business directly with your organization, whereas a fourth-party is the third-party of your third party. Fourth-parties (or "Nth parties") reflect relationships deeper in the supply chain that aren't necessarily contractually contacted to your organization but are connected through third-parties.
Why is third-party risk management important?
Third-party risk management is important because the use of third parties, whether directly and indirectly, impacts your cybersecurity. Third-parties increase the complexity of your information security for several reasons:
- Every business relies on third-parties as it's often better to outsource to an expert rather than business operation internally.
- Third-parties aren't typically under your control nor do you have complete transparency into their security controls. Some vendors have robust security standards and good risk management practices while others leave much to be desired.
- Each third-party is a potential attack vector for a data breach or cyber attack. If a vendor has a vulnerable attack surface it could be used to gain access to your organization. The more vendors you use, the larger your attack surface and the more potential vulnerabilities you could face.
- The introduction of general data protection and data breach notification laws like GDPR, CCPA, FIPA, PIPEDA, the SHIELD Act, and LGPD have dramatically increased the reputation and regulatory impact of inadequate third-party risk management programs. For example, if a third-party has access to your customer information, a data breach at that third-party could result in your organization facing regulatory fines and penalties–even if you weren't directly responsible for the breach. A famous example of this is when one of Target's HVAC contractors led to the exposure of millions of credit cards.
What risks do third-parties introduce?
There are many potential risks that organizations face when working with third-parties including:
- Cybersecurity risk: The risk of exposure or loss resulting from a cyber attack, security breach, or other security incidents. Cybersecurity risk is often mitigated via a due diligence process prior to onboarding a vendor and continuous monitoring throughout the vendor lifecycle.
- Operational risk: The risk of a third-party causing disruption to the business operations. This is typically managed through contractually bound service level agreements (SLAs), and business continuity and incident response plans. Depending on the criticality of the vendor, you may opt to have a backup vendor in place which is common practice in the financial services industry.
- Legal, regulatory, and compliance risk: The risk of a third-party impacting your compliance with local legislation, regulation, or agreements. This is particularly important for financial services, healthcare, and government organizations and their business partners.
- Reputational risk: The risk of negative public opinion due to a third-party. Dissatisfied customers, inappropriate interactions, and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor data security, like Target's 2013 data breach.
- Financial risk: The risk that a third-party will have a detrimental impact on the financial success of your organization. For example, your organization may not be able to sell a new product due to poor supply chain management.
- Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
Why you should invest in third-party risk management
There are a number of reasons why you should invest in third-party risk management:
- Cost reduction: It's appropriate to think fo third-party risk management as an investment. It costs you money (and time) upfront but saves you money over the long-term. The average cost of a data breach involving third-parties is $4.29 million. An effective third-party risk management strategy can dramatically reduce the risk of a data breach.
- Regulatory compliance: Third-party management is a core component of many regulatory requirements such as FISMA, SOX, HITECH, CPS 234, GLBA, and the NIST Cybersecurity Framework. Depending on your industry and the type of data you handle (e.g. PII or PHI), you may be legally required to assess your third-party ecosystem to avoid being held responsible for third-party security incidents. The truth is third-party risk management is now part of industry standards in most sectors and non-compliance is not an option.
- Risk reduction: Performing due diligence streamlines the vendor onboarding process and reduces the risk of third-party security breaches and data leaks. In addition to initial due diligence, vendors need to be reviewed on a continuous basis over their lifecycle as new security risks can be introduced over time.
- Knowledge and confidence: Third-party risk management increases your knowledge and visibility into the third-party vendors you are working with and improves decision-making across all stages, from the initial assessment process to offboarding.
What does third-party risk management entail?
In order to develop an effective third-party risk management framework that can feed into your overall enterprise risk management, it's important to establish a robust third-party risk management process that includes the following steps.
Step 1: Analysis
Before onboarding a third party, it's important to identify the risks you would be introducing to your organization and the level of due diligence required.
An increasingly popular way of doing is this is to use security ratings to determine whether the external security posture of the vendor meets a minimum accepted score. If it does, you then move onto step 2.
UpGuard Vendor Risk can help you find and assess the security performance of new vendors against 50+ criteria.
Step 2: Engagement
If the vendor's security rating is sufficient, the next step is to have the vendor provide (or complete) a security questionnaire that provides insights into their security controls that aren't visible to outsiders.
Consider using UpGuard Vendor Risk to automate your security questionnaire workflows with our in-built questionnaire library. And if you want more information on a specific questionnaire, see our posts on HECVAT, CAIQ, SIG, CIS Top 20, NIST SP 800-171, and VSA questionnaires.
Step 3: Remediation
If the vendor has unacceptable risks, you may decide that you don't want to work with them until they fix the security issues you have found. This is where a tool that can help with remediation is important as without one, you can lose important issues in Excel spreadsheets and email inboxes easily.
We can also help with remediation. The UpGuard Vendor Risk dashboard automatically prioritizes the most critical risks and our remediation workflows ensure risks are resolved quickly and with an audit trail.
Step 4: Approval
After remediation (or lack thereof), your organization can decide whether to onboard the vendor or choose to look for a different vendor based on your risk tolerance, the criticality of the vendor, and any compliance requirements you may have.
Step 5: Monitoring
It's important to not stop monitoring the security of a vendor once they have been onboarded. If anything, it's more important to monitor them as they now have access to your internal systems, sensitive data, and are used in your business processes.
This is where continuous security monitoring (CSM) comes in. Continuous security monitoring (CSM) is a threat intelligence approach that automates the monitoring of information security controls, vulnerabilities, and other cyber threats to support organizational risk management decisions.
What is a vendor management policy?
This could include ensuring all vendor contracts meet a minimum security rating, implementing an annual inspection or replacement of existing vendors with new vendors who can meet security standards, or the requirement of SOC 2 assurance for critical vendors.
It may also provide a short overview of your organization's third-party risk management framework and processes.
Many organizations enter vendor relationships not fully understanding how the vendor is managing and processing theirs and their customers' data despite investing heavily in their own internal security controls.
How to evaluate third-parties
There are various solutions and methods that exist for evaluating third-parties. Generally, senior management and the board will decide on the ways that are most relevant to them, which depends on their industry, number of vendors employed, and information security policies. Common solutions and methods include security ratings, security questionnaires, penetration testing, and virtual and onsite evaluations.
Security ratings, like those offered in UpGuard Vendor Risk, are an increasingly popular part of third-party risk management. They can help with:
- Understanding third-party risk and fourth-party risk (vendor risk) posed by supply chain, third-party vendor, and business partner relationships in real-time.
- Cyber insurance underwriting, pricing, and risk management by allowing insurers to gain visibility into the security program of those they insure to better assess and price their insurance policies.
- Investment in or acquisition of a company by providing organizations with an independent assessment of an investment or M&A target's information security controls.
- Enabling governments to better understand and manage their vendors' cybersecurity performance.
Security questionnaires (or third-party risk assessments) are designed to help you identify potential weaknesses among your third-party vendors, business partners, and service providers that could result in a data breach, data leak, or other types of cyber attack. If you're looking to add security questionnaires to your third-party risk management processes, see our vendor risk assessment template and guide to the top questionnaires for more information.
And if you're looking for a pre-built library and a complete vendor risk management solution designed to streamline and automate the security questionnaire process look no further than UpGuard Vendor Risk.
Penetration testing, pen testing, or ethical hacking, is the practice of testing a computer system, network, or web application's cybersecurity by looking for exploitable security vulnerabilities. Penetration testing can be automated with penetration testing tools or manually by penetration testers.
Virtual and onsite evaluations
Virtual and onsite evaluations are typically performed by an outside entity and can include policy and procedure reviews, as well as a physical review of physical security controls.
What are the common challenges of third-party risk management?
There are a number of common difficulties most organizations face when implementing and running a third-party risk management program.
Lack of speed
It's no secret that getting a vendor to complete a security questionnaire and processing the results can be a lengthy process. A process that is made worse when questionnaires come in the form of lengthy spreadsheets with no version control, resulting in an error-prone, time-consuming, and impractical process that doesn't scale.
Lack of depth
Many organizations make the mistake of believing they don't need to monitor low-risk third parties, such as marketing tools or cleaning services. In today's world, you need to be monitoring all vendors, which is why most companies have turned to automated tools like UpGuard Vendor Risk.
Lack of visibility
Traditional risk assessment methodologies like penetration testing, security questionnaires, and on-site visits are time-consuming, point-in-time, expensive, and often rely on subjective assessment. Additionally, it can be difficult to verify the claims a vendor makes about their information security controls.
Even if a questionnaire reveals the effectiveness of a given vendor's security controls, it only does so for that point in time. IT infrastructure is in flux at most organizations, so it may not reflect the current realities a few months down the line.
This is why organizations are using security ratings alongside traditional risk assessment techniques.
By using security ratings in conjunction with existing risk management techniques, third-party risk management teams can have an objective, verifiable, and always up-to-date information about a vendor's security controls.
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.
Lack of consistency
Ad-hoc third-party risk management processes mean that not all vendors are monitored and when they are, they are not held to the same standard as other vendors.
While it's fine, even recommended, to assess critical vendors more heavily than non-critical vendors, it's still important to assess all vendors against the same standardized checks to ensure nothing falls through the cracks.
Lack of context
Many organizations fail to provide context around their assessment, even though different types of vendor relationships (even with the same vendor) can pose different levels of risk. For example, a supplier may only be used to transfer non-sensitive information such as blog posts while another supplier may handle, store, and process your customer's sensitive data.
While protecting one may not be a priority, taking action to mitigate any risks associated with the latter is critical as they pose a significant risk to you and your customers' privacy.
Many UpGuard Vendor Risk customers use our labeling feature to label vendors based on their criticality, allowing their security teams to focus on the biggest threats first and make effective use of their limit time and budget.
Lack of trackability
Your organization likely employs hundreds or even thousands of third parties and keeping track of them can be a challenge.
It's important to closely monitor who your vendors are and who have been sent security questionnaires, how much they have answered, and when they were completed.
Lack of engagement
Communicating the importance of cybersecurity, particularly to time-poor vendors who may have different perspectives and goals than your organization is difficult. It's not uncommon to have to follow up for weeks or even months to get a vendor to answer a questionnaire.
This is why it's so important to have a centralized place where you can send and review security questionnaires without having to keep track of different files and emails.
What features should I look for in a third-party risk management platform?
Software can be an effective way to manage third-party risk. It's important to consider all the lists outlined above when assessing a potential third-party risk management platform like UpGuard Vendor Risk. A good product will be able to address the complete lifecycle from analysis through to continuous monitoring.
Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture. They are created by a trusted, independent security rating platform making them valuable as an objective indicator of an organization's cybersecurity performance.
Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to provide a quantitative measure of cyber risk.
The higher the security rating, the better the organization's security posture.
Look for a solution that provides a library of pre-built questionnaires so you can quickly monitor your vendors against industry best practices and regulatory requirements.
Beyond standardized questionnaires, some organizations may want to develop their own security questionnaires based on their unique needs and desires. With UpGuard Vendor Risk, you can create your own security questionnaires or pay to have our team of experts create one for your organization.
Scalability and automation
Not every solution will be able to provide the automation needed to rapidly scale and manage hundreds or even thousands of third parties.
Nor does every solution provide the same level of coverage. If your organization employes small specialist vendors, ensure the solution covers them. For example, UpGuard scans over 2 million organizations every day, and customers can automatically add new vendors.
A platform with remediation workflows will allow you to request remediation from a specific vendor based on automated scanning and completed questionnaires. It will also allow you to view current remediation requests, what risks were requested to be remediated, and when the remediation request was sent.
It's important to be able to report on the results of your third-party risk management program, whether that be to the Board, senior management, regulators, or colleagues. This is why a robust and easy-to-understand reporting capability is an important part of
It's important to understand who your fourth-party vendors are. While you may not have a contractual agreement with them, they can still impact the confidentiality, integrity, and availability of your organization.
For example, even if you don't rely on AWS, but you have lots of vendors who do, an AWS outage could result in your organization being unable to operate as well.
To ensure you stay on top of new risks, you need a solution that is always up-to-date.
Accuracy and thoroughness
Your third-party risk management program is only as effective as the data it relies on. If you use security questionnaires, try to use a well-tested template, and if you use security ratings look for ones that adhere to the Principles of Fair and Accurate Security Ratings.
- Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization that wants to understand their security posture, which is why you can request your free security rating here and you can book a free trial of our platform here.
- Dispute, Correction, and Appeal: UpGuard is committed to working with customers, vendors, and any organization that believes their score is not accurate or outdated.
- Accuracy and Validation: UpGuard's security ratings are empirical, data-driven, and based on independently verifiable and accessible information.
- Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
- Independence: No commercial agreement or lack thereof, gives an organization the ability to improve its security rating without improving their security posture.
- Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. Nor do we provide third-parties with sensitive or confidential information on rated organizations that could lead to system compromise.
How UpGuard can help with third-party risk management
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar, and NASA use UpGuard's security ratings to protect their data, prevent data breaches and assess their security operations.
UpGuard Vendor Risk can minimize the amount of time your organization spends assessing related and third-party information security controls by automating vendor questionnaires and providing vendor questionnaire templates.
We can also help you instantly benchmark your current and potential vendors against their industry, so you can see how they stack up.
For the assessment of your information security controls, UpGuard BreachSight can monitor your organization for 70+ security controls providing a simple, easy-to-understand cyber security rating and automatically detect leaked credentials and data exposures in S3 buckets, Rsync servers, GitHub repos, and more.
This includes open ports and other services that are exposed to the public Internet. Our platform explicitly checks for nearly 200 services running across thousands of ports, and reports on any services we can't identify, as well as any open ports with no services detected.
You can read more about what our customers are saying on Gartner reviews.
If you'd like to see your organization's security rating, click here to request your free Cyber Security Rating.