Third-Party Risk Management (TPRM) is the process of analyzing and minimizing risks associated with outsourcing to third-party vendors or service providers.
There are many types of digital risks within the third-party risk category. These could include financial, environmental, reputational, and security risks. These risks exist because vendors can access intellectual property, sensitive data, personally identifiable information (PII), and protected health information (PHI). Because third-party relationships are vital to business operations, Third-Party Risk Management is an essential component of all Cybersecurity programs.
What is a Third-Party?
A third party is any entity that your organization works with. This includes suppliers, manufacturers, service providers, business partners, affiliates, distributors, resellers, and agents.
They can be upstream (suppliers and vendors) and downstream (distributors and resellers) and can include non-contractual entities.
For example, they could provide a SaaS product that keeps your employees productive, provide logistics and transportation for your physical supply chain, or they could be your financial institution.
What's the Difference Between a Third-Party and a Fourth-Party?
A third party is a supplier, vendor, partner, or other entity doing business directly with your organization, whereas a fourth party is the third party of your third party. Fourth parties (or "Nth parties") reflect relationships deeper in the supply chain that aren't necessarily contractually contacted by your organization but are connected through third parties.
Why is Third-Party Risk Management Important?
Third-party risk management is essential because using third parties, whether directly or indirectly, have an impact on your cybersecurity posture. Third parties increase the complexity of your information security for several reasons:
- Every business relies on third parties, as it's often better to outsource to an expert in a given field.
- Third parties aren't typically under your control, nor do you have complete transparency into their security controls. Some vendors have robust security standards and sound risk management practices, while others leave much to be desired.
- Each third party is a potential attack vector for a data breach or cyber attack. If a vendor has a vulnerable attack surface, it could be used to gain access to your organization. The more vendors you use, the larger your attack surface and the more potential vulnerabilities you could face.
- The introduction of general data protection and data breach notification laws like GDPR, CCPA, FIPA, PIPEDA, the SHIELD Act, and LGPD have dramatically increased the reputation and regulatory impact of inadequate third-party risk management programs. For example, if a third party has access to your customer information, a data breach at that third party could result in your organization facing regulatory fines and penalties–even if you weren't directly responsible for the breach. A famous example of this is when one of Target's HVAC contractors led to the exposure of millions of credit cards.
What Types of Risks Do Third-Parties Introduce?
There are many potential risks that organizations face when working with vendors. Common types of third-party risks include:
- Cybersecurity risk: The risk of exposure or loss resulting from a cyberattack, security breach, or other security incidents. Cybersecurity risk is often mitigated via a due diligence process before onboarding a vendor and continuous monitoring throughout the vendor lifecycle.
- Operational risk: The risk of a third-party causing disruption to the business operations. This is typically managed through contractually bound service level agreements (SLAs) and business continuity and incident response plans. Depending on the criticality of the vendor, you may opt to have a backup vendor in place, which is common practice in the financial services industry.
- Legal, regulatory, and compliance risk: The risk of a third-party impacting your compliance with local legislation, regulation, or agreements. This is particularly important for financial services, healthcare, government organizations, and business partners.
- Reputational risk: The risk of negative public opinion due to a third party. Dissatisfied customers, inappropriate interactions, and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor data security, like Target's 2013 data breach.
- Financial risk: The risk that a third party will have a detrimental impact on the financial success of your organization. For example, your organization may be unable to sell a new product due to poor supply chain management.
- Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
Why You Should Invest in Third-Party Risk Management
There are a number of reasons why you should invest in third-party risk management:
- Cost reduction: It's appropriate to think of third-party risk management as an investment. It costs you money (and time) upfront but saves you money over the long term. The average cost of a data breach involving third parties is $4.55 million. An effective third-party risk management strategy can dramatically reduce the risk of a data breach.
- Regulatory compliance: Third-party management is a core component of many regulatory requirements such as FISMA, SOX, HITECH, CPS 234, GLBA, and the NIST Cybersecurity Framework. Depending on your industry and the type of data you handle (e.g., PII or PHI), you may be legally required to assess your third-party ecosystem to avoid being held responsible for third-party security incidents. Third-party risk management is now part of industry standards in most sectors, and non-compliance is not an option.
- Risk reduction: Performing due diligence streamlines the vendor onboarding process and reduces the risk of third-party security breaches and data leaks. In addition to initial due diligence, vendors must be reviewed continuously over their lifecycle as new security risks can be introduced over time.
- Knowledge and confidence: Third-party risk management increases your knowledge and visibility into the third-party vendors you work with and improves decision-making across all stages, from initial assessment to offboarding.
Implementing a Third-Party Risk Management Program?
To develop an effective third-party risk management framework that can feed into your overall enterprise risk management, it's essential to establish a robust third-party risk management process that includes the following steps.
Step 1: Analysis
Before onboarding a third party, it's essential to identify the risks you would be introducing to your organization and the level of due diligence required.
UpGuard Vendor Risk can help you find and assess the security performance of new vendors against 70+ attack vectors. Learn more >
To accurately evaluate the likely impact of third-party risks on your security posture, risk profiles need to be compared against a well-defined third-party risk appetite.
Step 2: Engagement
If the vendor's security rating is sufficient, the next step is to have the vendor provide (or complete) a security questionnaire that offers insights into their security controls that aren't visible to outsiders.
Consider using UpGuard Vendor Risk to automate your security questionnaire workflows with our in-built questionnaire library. And if you want more information on a specific questionnaire, see our posts on HECVAT, CAIQ, SIG, CIS Top 20, NIST SP 800-171, and VSA questionnaires.
Step 3: Remediation
If the vendor has unacceptable risks, you may not want to work with them until they fix the security issues you have found. This is where a tool that can help with remediation is vital, as, without one, you can lose essential issues in Excel spreadsheets and email inboxes quickly.
We can also help with remediation. The UpGuard Vendor Risk dashboard automatically prioritizes the most critical risks, and our remediation workflows ensure risks are resolved quickly and with an audit trail.
Step 4: Approval
After remediation (or lack thereof), your organization can decide whether to onboard the vendor or look for a different vendor based on your risk tolerance, the criticality of the vendor, and any compliance requirements you may have.
Step 5: Monitoring
It's essential not to stop monitoring a vendor's security once they have been onboarded. If anything, it's even more important to monitor them as they now have access to your internal systems and sensitive data to deliver their services.
This is where continuous security monitoring (CSM) comes in. Continuous security monitoring (CSM) is a threat intelligence approach that automates the monitoring of information security controls, vulnerabilities, and other cyber threats to support organizational risk management decisions.
What is a Vendor Management Policy?
This could include ensuring all vendor contracts meet a minimum security rating, implementing an annual inspection, replacing existing vendors with new vendors who can meet security standards, or the requirement of SOC 2 assurance for critical vendors. It may also provide a short overview of your organization's third-party risk management framework and processes.
Many organizations enter vendor relationships not fully understanding how the vendor manages and processes their customers' data despite investing heavily in their internal security controls.
How to Evaluate Third-Parties
Various solutions and methods exist for evaluating third parties. Generally, senior management and the board will decide on the ways that are most relevant to them, depending on their industry, the number of vendors employed, and information security policies. Common solutions and methods include security ratings, security questionnaires, penetration testing, and virtual and onsite evaluations.
Security ratings, like those offered in UpGuard Vendor Risk, are an increasingly popular part of third-party risk management. They can help with the following:
- Understanding third-party and fourth-party risk (vendor risk) posed by supply chain, third-party vendor, and business partner relationships in real-time.
- Cyber insurance underwriting, pricing, and risk management allow insurers to gain visibility into the security program of those they insure to assess better and price their insurance policies.
- Investment in or acquisition of a company by providing organizations with an independent assessment of an investment or M&A target's information security controls.
- Enabling governments to understand better and manage their vendors' cybersecurity performance.
Security questionnaires (or third-party risk assessments) are designed to help you identify potential weaknesses among third-party vendors, business partners, and service providers that could result in a data breach, data leak, or other types of cyber attack. If you want to add security questionnaires to your third-party risk management processes, see our vendor risk assessment template and guide to the top questionnaires for more information.
And if you're looking for a pre-built library and a complete Vendor Risk Management solution designed to streamline and automate the security questionnaire process, look no further than UpGuard Vendor Risk.
Penetration testing, or ethical hacking, is the process of testing a computer system, network, or web application's cybersecurity by looking for exploitable security vulnerabilities. Penetration testing can be automated with penetration testing tools or manually by penetration testers.
Virtual and Onsite Evaluations
Virtual and onsite evaluations are typically performed by an outside entity and can include policy and procedure reviews, as well as a physical review of physical security controls.
What are the Common Challenges of Third-Party Risk Management?
There are several common difficulties most organizations face when implementing and running a third-party risk management program. These include:
Lack of Speed
It's no secret that getting a vendor to complete a security questionnaire and processing the results can be a lengthy process. A process that is made worse when questionnaires come in the form of lengthy spreadsheets with no version control, resulting in an error-prone, time-consuming, and impractical process that doesn't scale.
Speed is the most crucial feature of any TPRM solution. This is why UpGuard prioritizes speed when developing its Vendor Risk Management products.
Lack of Depth
Many organizations make the mistake of believing they don't need to monitor low-risk third parties, such as marketing tools or cleaning services. In today's world, you need to monitor all vendors, which is why most companies have turned to automated tools like UpGuard Vendor Risk.
Lack of Visibility
Traditional risk assessment methodologies like penetration testing, security questionnaires, and on-site visits are time-consuming, point-in-time, expensive, and often rely on subjective assessment. Additionally, it can be challenging to verify the claims a vendor makes about their information security controls.
Even if a questionnaire reveals the effectiveness of a given vendor's security controls, it only does so for that point in time. IT infrastructure is in flux at most organizations, so it may not reflect the current realities a few months down the line. This is why organizations are using security ratings alongside traditional risk assessment techniques.
By using security ratings in conjunction with existing risk management techniques, third-party risk management teams can have objective, verifiable, and always up-to-date information about a vendor's security controls.
Cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships.
The problem of limited visibility extends to the Stakeholders and Board members who are often left out of TPRM conversations, which reduces the chances of further TPRM investments. To combat this, Vendor Risk Management teams must be capable of effectively communicating third-party risks to the board.
Lack of Consistency
Ad-hoc third-party risk management processes mean that not all vendors are monitored, and when they are, they are not held to the same standard as other vendors.
While it's fine, even recommended, to assess critical vendors more heavily than non-critical vendors, it's still essential to assess all vendors against the same standardized checks to ensure nothing falls through the cracks.
Lack of Context
Many organizations fail to provide context around their assessment, even though different types of vendor relationships (even with the same vendor) can pose different levels of risk. For example, a supplier may only transfer non-sensitive information, such as blog posts, while another supplier may handle, store, and process your customer's sensitive data.
While protecting one may not be a priority, taking action to mitigate any risks associated with the latter is critical as they pose a significant risk to you and your customers' privacy.
Many UpGuard Vendor Risk customers use our labeling feature to label vendors based on their criticality. This allows their security teams to focus on the most significant threats first and effectively use their limited time and budget.
Lack of Trackability
Your organization likely employs hundreds or even thousands of third parties, and keeping track of them can be challenging. It's essential to closely monitor who your vendors are, who has been sent security questionnaires, how much of each questionnaire has been, and when they were completed.
Lack of Engagement
Communicating the importance of cybersecurity, particularly to time-poor vendors who may have different perspectives and goals than your organization, is difficult. It's not uncommon to follow up for weeks or even months to get a vendor to answer a questionnaire.
To encourage engagement, correspondences, and remediation efforts should not be managed via emails and multiple solutions. Instead, the entire TPRM life cycle, including questionnaire management and remediation tracking, should all be managed from a single TPRM solution.
What Features Should I Look For in a TPRM Platform?
Software can be an effective way to manage third-party risk. It's important to consider all the lists outlined above when assessing a potential third-party risk management platform like UpGuard Vendor Risk. A good product can address the complete lifecycle from analysis through to continuous monitoring.
Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture. They are created by a trusted, independent security rating platform, making them valuable as an objective indicator of an organization's cybersecurity performance.
Just as credit ratings and FICO scores aim to provide a quantitative measure of credit risk, security ratings aim to give a quantitative measure of cyber risk.
The higher the security rating, the better the organization's security posture.
Look for a solution that provides a library of pre-built questionnaires so you can quickly monitor your vendors against industry best practices and regulatory requirements.
Beyond standardized questionnaires, some organizations may want to develop their own security questionnaires based on their unique needs and desires. With UpGuard Vendor Risk, you can create your own security questionnaires by either editing existing questionnaires or building one from a blank canvas.
Scalability and Automation
Not every solution will be able to provide the automation needed to rapidly scale and manage hundreds or even thousands of third parties.
Nor does every solution provide the same level of coverage. If your organization employs small specialist vendors, ensure the solution covers them. For example, UpGuard scans over 2 million organizations daily, and customers can automatically add new vendors.
A platform with remediation workflows will allow you to request remediation from a specific vendor based on automated scanning and completed questionnaires. It will also allow you to view current remediation requests, what risks were requested to be remediated, and when the request was sent.
It's essential to be able to report on the results of your third-party risk management program, whether that be to the Board, senior management, regulators, or colleagues. This is why a robust and easy-to-understand reporting capability is essential to a TPRM program.
It's essential to understand who your fourth-party vendors are. While you may not have a contractual agreement with them, they can still impact the confidentiality, integrity, and availability of your organization.
For example, even if you don't rely on AWS, you have lots of vendors who do an AWS outage could result in your organization being unable to operate as well.
Continuous monitoring ties off the TPRM lifecycle. After all vendor-related security risks have been addressed, your improved security posture needs to be continuously monitored to confirm its stability. Continuous monitoring also gives your security teams advanced awareness of emerging threats before they’re exploited to achieve a data breach.
Accuracy and Thoroughness
Your third-party risk management program is only as effective as the data it relies on. If you use security questionnaires, try to use a well-tested template, and if you use security ratings, look for ones that adhere to the Principles of Fair and Accurate Security Ratings.
- Transparency: UpGuard believes in providing complete and timely transparency to our customers and any organization that wants to understand its security posture, which is why we offer a free trial of our product.
- Dispute, Correction, and Appeal: UpGuard is committed to working with customers, vendors, and any organization that believes their score is not accurate or outdated.
- Accuracy and Validation: UpGuard's security ratings are empirical, data-driven, and based on independently verifiable and accessible information.
- Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
- Independence: No commercial agreement, or lack thereof, gives an organization the ability to improve its security rating without improving its security posture.
- Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. Nor do we provide third parties with sensitive or confidential information on rated organizations that could lead to system compromise.
Third-Party Risk Management FAQs
What is third-party risk management?
Third-Party Risk Management is a risk management framework focused on identifying and mitigating all forms of third-party risks.
What is a third-party risk?
Third-party risks include any risks to an organization originating from its third-party vendors. Third-party risks commonly refer to vendor security risks.
What is a third-party risk management process?
In the context of mitigating cyber risks, the third-party risk management process involves identifying critical vendors, continuously monitoring vendor security postures, and remediating security risks before they develop into breaches.
How do you create a third-party risk management program?
Identify all your vendors and their sensitive data access levels. Perform due diligence to compare each vendor’s risks against your risk appetite. Implement security controls to keep vendor risk below your risk threshold. Establish a risk management team for managing ongoing compliance with security regulations.