Third-party risk is any risk brought on to an organization by external parties in its ecosystem or supply chain. Such parties may include vendors, suppliers, partners, contractors, or service providers, who have access to internal company or customer data, systems, processes, or other privileged information.
While an organization may have strong cybersecurity measures in place and a solid remediation plan, outside parties, such as third-party vendors, may not uphold the same standards. These third-party relationships can increase vulnerabilities by providing an easier way for potential threats to attack even the most sophisticated of security systems.
Why Should I Care About Third-Party Risk?
With most organizations relying on outsourcing to handle at least some aspects of their day-to-day operations, third-party risk should be front of mind. This is especially true given the rising number of security breaches that are arising from third-party relationships.
A recent study shows that almost a third of third-party vendors would be considered a material risk if a breach occurred. Furthermore, another study revealed that 80% of surveyed organizations experienced a data breach originating from a third party in 2020.
Ultimately, your organization's board of directors and senior management are responsible for managing third-party relationships. The identification and control of associated risks should be held to the same standard as activities that were handled from within the organization.
Despite the numerous risks that arise from third-party relationships over the vendor life cycle, many organizations still do not manage third-party risks as diligently as internal ones.
Failure to manage these risks can leave organizations exposed to regulatory action, financial penalties, litigation, and reputational damage, and can impair the organization's ability to win new customers or service existing ones.
Types of Third-Party Risks
There are many potential risks that third parties can bring to an organization, spanning six key areas:
- Cybersecurity risk: The risk of exposure or loss resulting from a cyber attack, data breach, or other security incidents. This risk is often mitigated by performing due diligence before onboarding new vendors and ongoing monitoring over the vendor lifecycle.
- Operational risk: The risk that a third party will cause disruption to the business operations. This is generally managed through contractually bound service level agreements (SLAs). Depending on the criticality of the vendor, you may opt to have a backup vendor in place to ensure business continuity. This is common practice for financial institutions.
- Legal, regulatory, and compliance risk: The risk that a third party will impact your organization's compliance with local legislation, regulation, or agreements, e.g. the EU's General Data Protection Regulation (GDPR). This is particularly important for financial services, healthcare, and government organizations as well as their business partners.
- Reputational risk: The risk arising from negative public opinion caused by a third party. Dissatisfied customers, inappropriate interactions, and poor recommendations are only the tip of the iceberg. The most damaging events are third-party data breaches resulting from poor security controls, like the high-profile Target data breach in 2013.
- Financial risk: The risk that a third party will have a detrimental impact on the financial success of your organization. For example, your organization may not be able to sell a new product due to poor supply chain management.
- Strategic risk: The risk that your organization will fail to meet its business objectives because of a third-party vendor.
It’s worth noting that these areas often overlap. For example, if a business experiences a cybersecurity breach and customer data is compromised, this also poses operational, compliance, reputational, and financial risks.
How Can I Minimize Third-Party Risks?
The immediate action you will need to take to mitigate third-party risks depends on the status of your organization’s third-party risk management (TPRM) program. Firstly, you should assess your current TPRM program to identify which security measures, if any, you currently have in place. Put simply, the initial stages of the vendor risk management process should cover:
1. Keep an Up-to-Date Vendor Inventory
Who are your vendors? You first need to accurately identify who your vendors are. A third-party vendor is any person or organization that provides a product or service to your organization and is not part of your organization, e.g. manufacturers and suppliers, service providers, short- and long-term contractors, and external staff. The inventory should be kept up to date, track onboarding and offboarding workflows, and extend to fourth parties (your third-party vendors’ vendors).
To automate the discovery of new vendors and third-party assets, risk management teams should use an Attack Surface Management solution that tracks emerging IP addresses in your attack surface in real time.
2. Establish a Vendor Assessment Process
After creating a comprehensive inventory of vendors, you need to develop a third-party risk assessment workflow. Organizations use this process to assess and approve potential third-party vendors and suppliers to ensure they can meet all contracted stipulations and agreements. At this stage, you should include a vendor questionnaire template to streamline the onboarding of new vendors and the assessment of current vendors.
Vendor risk assessment could reveal the following valuable risk mitigation insights:
- Risk and Compliance Information - Risk assessment data will indicate regulatory compliance gaps.
- Vendor Management Efficacy - The efficacy of a vendor’s own vendor risk management (VRM) program will indicate your likelihood of being impacted by fourth-party risks.
- Security Posture Levels - Risk assessments provide deeper insights into a vendor’s security posture. When supported by security ratings, this process allows you to track each vendor’s cybersecurity level against industry standards.
3. Implement a Third-Party Risk Management Program
While these steps are important in establishing a strong foundation for TPRM, they are not enough on their own. An effective Third-Party Risk Management program should also consider the following:
- Most large organizations manage hundreds or thousands of vendors, with each posing differing risk levels. Each risk tier has a unique due diligence and risk assessment process and other tier-specific requirements, meaning your information security team will need to individually categorize each vendor accordingly. They will also need to engage with vendors to prompt risk profile questionnaire completion and communicate the importance of TPRM within the organization.
- Managing such a large number of vendors also requires prioritization of high-risk over lower-risk vendors. However, it is still essential to regularly assess all vendors against the same standardized checks to ensure nothing falls through the cracks.
- Managing third-party risk is not a “set-and-forget” endeavor. Vendor questionnaires should not only be part of the onboarding process but also be completed on at least an annual basis. Vendors require continuous monitoring, with regular assessments and checks to ensure their security posture is healthy.
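The vendor inventory from step 1 and the tiering, prioritization and annual-reassessment requirements listed above can be expressed as a small data model. The following is an added example written for this page, not code from the original article or from any TPRM product: the `Vendor` record, the tiering rule (customer data or business criticality puts a vendor in tier 1), the per-tier reassessment cadence (the page only requires "at least annually"; the shorter tier-1 interval is an assumption) and the sample inventory are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


# Hypothetical vendor record for the inventory (constructed for this example).
@dataclass
class Vendor:
    name: str
    data_access: str                  # "none", "internal" or "customer_pii"
    business_critical: bool           # would an outage disrupt operations?
    last_assessment: Optional[date]   # None = questionnaire never completed
    fourth_parties: List[str] = field(default_factory=list)  # the vendor's own vendors
    active: bool = True               # set to False by the offboarding workflow


# Assumed tiering rule: tier 1 handles customer data or is business-critical,
# tier 2 touches internal data only, tier 3 has no data or system access.
def risk_tier(v: Vendor) -> int:
    if v.data_access == "customer_pii" or v.business_critical:
        return 1
    if v.data_access == "internal":
        return 2
    return 3


# Assumed tier-specific reassessment cadence in days. The page requires at
# least annual questionnaires; the semi-annual tier-1 interval is an assumption.
REVIEW_INTERVAL_DAYS: Dict[int, int] = {1: 180, 2: 365, 3: 365}


def overdue_assessments(inventory: List[Vendor],
                        today: date) -> List[Tuple[int, str, Optional[int]]]:
    """Return (tier, name, days_overdue) for every active vendor whose
    reassessment is due. days_overdue is None when the vendor was never assessed.
    Results are ordered highest-risk tier first, then longest overdue."""
    result: List[Tuple[int, str, Optional[int]]] = []
    for v in inventory:
        if not v.active:              # offboarded vendors drop out of the cycle
            continue
        tier = risk_tier(v)
        if v.last_assessment is None:
            result.append((tier, v.name, None))
            continue
        due = v.last_assessment + timedelta(days=REVIEW_INTERVAL_DAYS[tier])
        if today > due:
            result.append((tier, v.name, (today - due).days))
    # never-assessed vendors sort before merely overdue ones within a tier
    result.sort(key=lambda r: (r[0], r[2] is not None, -(r[2] or 0)))
    return result


def unregistered_fourth_parties(inventory: List[Vendor]) -> List[str]:
    """Fourth parties named by active vendors that have no inventory entry
    of their own, i.e. gaps the inventory should be extended to cover."""
    known = {v.name for v in inventory}
    missing = set()
    for v in inventory:
        if v.active:
            missing.update(fp for fp in v.fourth_parties if fp not in known)
    return sorted(missing)


# Constructed sample inventory (not real vendors).
INVENTORY: List[Vendor] = [
    Vendor("Acme Payroll", "customer_pii", False, date(2023, 11, 1),
           ["CloudHost Inc", "DataLake Ltd"]),
    Vendor("CloudHost Inc", "internal", True, date(2024, 1, 15)),
    Vendor("Office Plants Co", "none", False, None),
    Vendor("Old Courier", "internal", False, date(2021, 3, 1), active=False),
]


if __name__ == "__main__":
    today = date(2024, 6, 1)
    for tier, name, days in overdue_assessments(INVENTORY, today):
        status = "never assessed" if days is None else f"{days} days overdue"
        print(f"tier {tier}: {name} ({status})")
    print("fourth parties missing from inventory:",
          unregistered_fourth_parties(INVENTORY))
```

Run as a script, the report lists Acme Payroll (tier 1, 33 days past its semi-annual review on 2024-06-01) and Office Plants Co (tier 3, never assessed), skips the offboarded courier, and flags DataLake Ltd as a fourth party that the inventory does not yet track.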
With these considerations in mind, it is clear that effective TPRM requires significant time and resources. Information security teams must attend to all other facets of your organization’s security program and may not have the necessary capability to thoroughly manage third-party risk. The most cost-effective workaround to this problem is to leverage the services of a managed TPRM provider.