Third-party risk management focuses on identifying and reducing risks relating to vendors, suppliers, partners, contractors, and service providers.
It has become more important than ever due to the growing trend in third-party data breaches.
Incidents such as the SolarWinds hack put the threat in the mainstream, while a Ponemon Institute study found that 51% of organizations have suffered a data breach caused by a third party.
The SolarWinds incident was an extreme example of third-party risk. The software provider is responsible for the network management system Orion, and like all software, it is frequently updated to patch vulnerabilities.
Unfortunately, attackers compromised SolarWinds's build process and inserted malicious code into legitimate, signed Orion updates. Customers installed those updates as routine patches, and the trojanized software became the vehicle for a massive cyber attack.
Not every vulnerability will be as glaring as that, and most won't have the same widespread repercussions.
However, the incident demonstrates that if even a corporation such as SolarWinds can be compromised in this way – without the tampering being spotted by SolarWinds or any of its customers for months – then it can happen to anyone.
Why you need third-party risk management
Almost all organizations use third parties to improve their operations. Typically, they will outsource work to access greater expertise or efficiency for a particular activity.
This usually means sharing sensitive information or giving the third party partial access to your network.
The purpose of third-party risk management is to mitigate the damage that can be caused when doing this.
There are various types of risk, including strategic, reputational, operational, transactional, credit, and compliance risk. Of these, reputational damage is often the most harmful and longest-lasting consequence of a breach.
Ideally, you want to prevent an unauthorized actor – whether it’s a criminal hacker or malicious insider at the third party – from compromising your systems or affecting your business-critical operations.
However, depending on the nature of your relationship, this might not be possible and the best that you can hope for is to limit the damage.
How to manage risk
The process of managing risk will be familiar to any organization that has implemented ISO 27001, the international standard for information security management.
It involves assessing the risk, then measuring and monitoring it. This process can be broken down into four phases:
- Risk assessment of the third party
- Due diligence in selecting the third party
- Discussion of the identified risks and incorporation of a treatment plan into the contract
- Measurement and monitoring of the risk management
Managing third-party risk can be time-consuming, which is why you should prioritize the third parties you work with most often or that pose the biggest risk.
The types of critical information that should get the most attention include sensitive personal data, cross-border transfers of personal data, and information that’s critical for a business function.
Third-party lifecycle
Third-party risk also needs to be managed in a defined lifecycle. This includes:
- Vendor identification
- Evaluation and selection
- Risk assessment
- Risk mitigation
- Contracting and procurement
- Reporting and record-keeping
- Ongoing monitoring
- Vendor offboarding
The ongoing monitoring should be performed at defined intervals and can be automated with software.
The most difficult part of this process is the risk assessment. Risk assessments are always tricky – particularly as they are often subjective.
When performing this task, organizations should consider a third-party risk exchange to access pre-completed assessments. With assessments on multiple vendors, comparisons are much easier.