What Is Third-Party Risk Management?
It’s not easy to evaluate the cybersecurity of those with whom you do business—but not doing so can cost you millions. Just ask those who’ve been hacked.
Third-party risk management is the practice of identifying and mitigating risks to an organization from external business partners such as suppliers, vendors, service providers, and contractors. The process requires organizations to understand with whom they’re doing business—and, by extension, with whom those businesses are doing business—so they can implement safeguards to reduce risk.
Modern organizations of every size outsource essential services and operations, relying on third-party businesses for services like cloud hosting, payroll, and facility management. When third-party partners fail to deliver a product or service, it can have potentially devastating consequences. Consider an e-commerce business that relies on Amazon Web Services (AWS) to host its website. If AWS were to experience a service disruption, the website would go offline—resulting in lost transactions for the business and, if the website were down for an extended period, a diminished reputation among its customers.
Third-party access to an organization’s physical facilities and IT systems opens them up to a greater level of risk. If an organization’s customer data gets exposed because of a third party’s security vulnerability, for example, the organization is still liable for the attack. It’s a growing concern for businesses today, with 93% of companies having suffered a cybersecurity breach because of weaknesses in their supply chain or third-party vendors.
Third parties also outsource parts of their business to other businesses. Those entities become next-level parties to the organization, and each of their security postures, in turn, ultimately has an impact on the organization contracting with the third party. Simply put, each additional third-party business relationship magnifies an organization’s risk.
A classic example of third-party risk is the 2013 Target credit card breach. Attackers targeted a third-party refrigeration contractor, using a phishing email to dupe an employee into installing malware that gave them access to login credentials for Target’s vendor portal. (Some sources believe the contractor used free security software that didn’t offer real-time protection.) Attackers installed malware on Target’s point-of-sale system and stole 40 million credit card numbers and compromised 70 million customers’ personal details. Even though the attack originated with a contractor, Target was held responsible and had to pay an $18.5 million settlement.
It’s essential for organizations to vet all the businesses they partner with. Third-party risk management helps organizations identify and assess the risks third parties create and then works with them either to control those risks or to find a more secure replacement.
What is the role of a third party?
A third party provides an essential component or service for a business, such as software, physical goods, or supplies. Third-party partners commonly include:
- Software vendors
- Cloud service providers
- IT management services
- Staffing agencies
- Payroll service providers
- Fidelity management services
- Tax professionals
- Suppliers and contractors
Because third-party businesses can access and process an organization’s data, it’s critical to ensure they meet proper security standards.
What does third-party risk entail?
Most third-party risks fit into one of the following categories:
- Cybersecurity. Third parties are an increasingly popular source of cyberattacks. Hackers compromise one or more links in an organization’s supply chain and leverage their access to launch bigger attacks on higher-value targets.
- Regulatory compliance. A lack of third-party security controls may result in data loss and subsequent regulatory violations and penalties.
- Operational. Third-party failures can cause an organization to shut down. For example, a cyberattack on software vendor Geographic Solutions disrupted unemployment benefits and job-seeking assistance for people in the states that used their software.
- Strategic. When business strategies of the organization and third party don’t align, regulatory and other security standards may not be met.
- Reputational. Negative publicity from a third party’s security breaches, compliance violations, or other issues can reflect poorly on the organization using its products or services.
- Financial. Financial damage may result from being unable to provide contracted services, supplying defective products, or lowering the quality of work a third party performs. Fines or legal fees a third party incurs can also increase financial risk for an organization.
In practice, third-party failure typically impacts an organization in overlapping ways. The Target data breach, for example, disrupted the company’s operations, posed a regulatory threat, and resulted in financial and reputational damage for the company.
Why do third parties introduce risk?
An organization may not have the same visibility into and control over another company’s staff, network, information technology, and business practices as it does over its own. That leaves the organization exposed to an array of potential operational, financial, reputational, regulatory, and security issues. Because an organization is ultimately responsible for the actions of the third parties that enable its business, any incident can have dire consequences for the enterprise.
What are some examples of third-party risks?
Common third-party risks include the following:
- Poor security. Attackers can target third-party security gaps and use them to steal customer data, financial information, and intellectual property. That’s what happened in 2014 when the data of 15,000 Boston Medical Center patients was exposed through the website of its transcription service because the vendor’s site didn’t use password protection for patient records.
- Employees. Attackers often employ social engineering techniques to target employees of third-party businesses. Employees typically receive an email or text message that appears to be from a trusted source and attempts to get them to divulge login credentials or install malware that captures login information. The Target data breach is an example of how employee deception can set off a catastrophic chain of events.
- Strategic misalignment. A failure to align the business strategies of third parties and the organizations they support can create a variety of risks. This was the cause of the 2020 Health Share of Oregon data breach. Attackers exposed the personally identifiable information of more than 650,000 members when a laptop was stolen from the medical transportation vendor GridWorks. The vendor had failed to follow Health Share’s policy that requires business partners to use encryption on all portable devices containing patient information.
How does third-party risk differ from internal risk?
Internal risks arise from issues within your organization—lax security controls, aging IT systems, inadequate employee training—that can result in security vulnerabilities and data breaches. Third-party risks stem from many of the same issues but instead originate from a business partner’s systems, processes, and people.
The critical difference between internal risk and third-party risk involves the level of control an organization has over risk mitigation. While an organization has oversight over its own security controls, it has little visibility into the controls of third-party partners and outsourced service providers. This expands an organization’s attack surface while obscuring the origins of risk.
What is third-party due diligence?
Organizations undertake due diligence before entering a relationship with a business partner. This essential vendor risk-management process involves creating an inventory of potential third parties and assessing the level of risk they bring to a partnership. During the process, the organization collects information about the third party’s ownership, organizational structure, financial condition, operations, and reputation.
The information helps the organization to determine whether a third party can mitigate risks associated with its product or service. Due diligence is the responsibility of the board and senior management and should be done before the signing of a contract and throughout the relationship to ensure that new risks get addressed as they arise.
What are the advantages of third-party risk management?
Third-party risk management offers many benefits, including:
- Greater visibility into third-party environments. Granular visibility into relationships with suppliers, service providers, and other third-party businesses enables companies to better understand the interconnectivity among parties and the location of potential risks.
- Reduced risk. Due diligence allows executives to make better-informed decisions about the organizations they do business with. From the beginning of the relationship, risks can be identified and controlled, with regular due diligence reviews and immediate remediation throughout the third-party life cycle.
- Better regulatory compliance. Third-party risk management is a requirement of many industry standards and regulations, such as FISMA, HIPAA, HITECH, SOX, GLBA, and the NIST Cybersecurity Framework. Regularly assessing third-party relationships ensures that organizations stay in compliance with regulators and avoid costly fines and penalties.
- Cost savings. While third-party risk management remains an upfront investment, it saves money by reducing the risk of data breaches, which cost organizations $4.2 million on average per incident.
What are best practices in third-party risk management?
Executives can minimize third-party risk by keeping the following advice in mind:
- Take inventory. To understand where your third-party risk comes from, you must know who you’re doing business with. Take a complete inventory of the third parties you’ve hired. They could include everything from large organizations to individual contractors, as well as any company those businesses subcontract services to. Also, be sure to identify and document the systems, applications, and data each party can access.
- Classify risks. Look at third parties individually to determine the likelihood and potential outcomes of a hack, then classify them according to the level of risk they pose. You should focus your mitigation efforts on the highest-risk parties first.
- Consider all types of risks. Risks involve more than hacking. A history of poor customer interaction, a low credit rating, delayed deliveries, and any similar red flags indicate how a third party conducts business and the risks it presents.
- Collect information from third parties. Send each party a questionnaire to gather information about its organizational structure and governance, the cybersecurity practices it has in place, the networks and digital assets it needs to access, and the security measures it will take when it accesses your company resources.
- Mitigate the risks. Once you’ve identified all your third parties and their risks, you can work to mitigate or manage them. Depending on the risk, mitigation may require taking security measures, such as restricting access to certain assets. The third party may also need to address vulnerabilities or implement stronger security controls. In situations where risks can’t be reasonably reduced, you may decide to end your relationship.
- Monitor. Because third-party behavior changes over time, potentially introducing new risks, it’s important to perform regular assessments. Monitoring can be done continuously in real time with the help of a vendor risk-management platform.
- Repeat the process for each new third party. The above practices should be adopted each time you enter into a relationship with a new supplier, vendor, service provider, or contractor. Constant vigilance will ensure third parties receive only the level of network and data access they need to conduct business with you.
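The inventory, classification and questionnaire steps above can be turned into a small ranking routine. The following is an added example, not code from the original article; the access scale, the expected-control list, the vendor names and the questionnaire answers are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Impact weight of each kind of access a third party holds (constructed 1-5 scale)
IMPACT_BY_ACCESS: Dict[str, int] = {
    "none": 1, "internal_docs": 2, "network": 3, "customer_pii": 4, "payment_data": 5,
}

# Controls the questionnaire asks each vendor to confirm (hypothetical set)
EXPECTED_CONTROLS = ("mfa_for_remote_access", "portable_device_encryption",
                     "endpoint_protection", "incident_notification_sla")

@dataclass
class ThirdParty:
    name: str
    access: List[str]                # systems and data this party can reach
    subcontractors: List[str]        # fourth parties it outsources work to
    questionnaire: Dict[str, bool]   # control -> confirmed in place?
    red_flags: int = 0               # non-security signals: late deliveries, low credit rating

def likelihood(p: ThirdParty) -> int:
    """1 (best) to 5 (worst): unconfirmed controls, subcontracting and red flags raise it."""
    missing = sum(1 for c in EXPECTED_CONTROLS if not p.questionnaire.get(c, False))
    score = 1 + missing + min(p.red_flags, 2) + (1 if p.subcontractors else 0)
    return min(score, 5)

def impact(p: ThirdParty) -> int:
    """Worst case is driven by the most sensitive asset the party can access."""
    return max((IMPACT_BY_ACCESS.get(a, 3) for a in p.access), default=1)

def classify(p: ThirdParty) -> Tuple[int, str]:
    """Likelihood x impact, bucketed into the tier that sets mitigation priority."""
    score = likelihood(p) * impact(p)
    tier = "high" if score >= 15 else "medium" if score >= 6 else "low"
    return score, tier

def rank_inventory(parties: List[ThirdParty]) -> List[Tuple[str, int, str]]:
    """Highest-risk parties first, so mitigation effort lands there."""
    ranked = sorted(parties, key=lambda p: classify(p)[0], reverse=True)
    return [(p.name, *classify(p)) for p in ranked]

# Constructed sample inventory: the HVAC contractor answered only one question
INVENTORY = [
    ThirdParty("hvac-contractor", ["network"], [], {"endpoint_protection": False}, red_flags=1),
    ThirdParty("payroll-saas", ["customer_pii"], ["cloud-host"], {c: True for c in EXPECTED_CONTROLS}),
    ThirdParty("office-supplies", ["none"], [], {}, red_flags=2),
]

if __name__ == "__main__":
    for name, score, tier in rank_inventory(INVENTORY):
        print(f"{name:18} score={score:2} tier={tier}")
```

Unanswered questionnaire items count as missing controls, so a vendor that never replies ranks as high risk rather than dropping off the list.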
What are the challenges of third-party risk management?
Most organizations have little idea of the risks that third-party relationships expose them to. The reasons include the following:
- Complex vendor networks. Modern businesses work with hundreds of vendors, suppliers, and service providers, each of which outsources and subcontracts to its own network of third parties. Risks can arise anywhere in this web at any time. Most organizations don’t have enough detailed visibility into the entire structure of relationships to understand and manage their risks.
- Manual processes. Organizations often use spreadsheets, questionnaires, and other manual processes to manage third-party risk. An inefficient approach can increase the time it takes to find and mitigate issues.
- Lack of scalability. Manual processes are prohibitively difficult to extend as third-party networks grow, which can create additional risks.
- Organizational silos. Divisions among company departments, functions, and business units can make it difficult to gather comprehensive risk information across the organization.
- Greater regulatory pressure. Many federal and state regulations require that risk-management policies extend to an organization’s third-party business partners. However, these entities lie outside an organization’s direct control, making implementation challenging.
What is the third-party risk-management life cycle?
Companies take a series of steps in a third-party relationship, ranging from the inception of a contract to its termination. No definitive map of the life cycle exists, and each organization’s process will vary. But the life cycle can be broadly divided into three stages of risk that need to be managed:
- Pre-contract stage. Before entering into a contract with a third party, the organization assesses the third party’s risk, determines the sensitive information it needs to access, and learns whether the other company will subcontract any of the services it provides.
- Contract stage. The organization outlines any risks the two parties will assume and how they will collectively mitigate risk, along with other terms of the partnership.
- Post-contract stage. Ongoing management of the third-party relationship happens through monitoring, reporting, and reviews. Offboarding procedures also take effect when the relationship is terminated.