GRC Viewpoint

5 Best Practices for Better Third-party Risk Management

Manage third-party ecosystems in a way that establishes a culture of trust, transparency and accountability.

The global supply chain has witnessed turbulent times, ranging from the Suez Canal blockage, the Covid-19 pandemic and the Russia-Ukraine war, all resulting in massive disruptions and creating an adverse impact on global commerce.

But supply chain risks aren’t just limited to the physical world. The increased reliance on third-party technology, applications, products and services are exposing organizations to an unprecedented number of cyber risks. A cyberattack or a data breach in a partner organization can lead to major disruptions, loss of sensitive information (credit card numbers, trade secrets, customer data, etc.), financial losses, legal entanglements, loss of customer trust, business reputation and more.

Another harsh reality is that third-parties often have weaker security controls than the organizations they provide services to. As a result, attacks on the supply chain have jumped over 300% in 2021, in comparison to 2020. Cybercriminals are keen to leverage the supply chain to steal credentials (e.g., Target), hijack sensitive files and data (e.g., Accellion) inject malicious code in software (Magecart), compromise software updates (SolarWinds) and take control of systems remotely (Log4j). In fact 54% of organizations have been breached via third-parties in the past 12 months. 

What is Third-party Risk Management and why is it so important?

As organizations scale, it becomes harder for them to keep their suppliers in check. 

Third-party risk management (TPRM) is an organized approach of cataloging, analyzing, controlling, monitoring and mitigating risks associated with third-party vendors, suppliers, contractors and service providers. 

TPRM helps establish vision, define objectives, develop an operating model and implement policies and procedures to vet supplier risks efficiently and effectively. A well-executed TPRM program helps reduce third-party risks, providing better control and visibility over supplier activities as well as improving compliance with regulatory requirements. Let’s explore some best practices involved in creating a comprehensive TPRM program,

  • Identify and classify all vendors

Sixty percent of organizations have more than a 1000 suppliers, while the average Fortune 500 company has at least 10,000. If your organization doesn’t have a comprehensive inventory of its third-parties, it’s time to create one. Start with vendors that manage critical supplies or deal with sensitive data. Once suppliers are identified, classify them based on information such as the type of services being offered, their total contract value, the systems and data they have access to, the location where they operate from and other risk indicators. Take account of all third parties that your business engages with, even if they don’t have access to secure data. 

Cybersecurity threats and financial risks aren’t the only risks you must worry about, even a casual association with a small vendor can lead to reputational risk if the vendor is not managed or monitored properly. 

  • Perform due diligence on high- and medium-risk vendors

Ensure you perform a thorough due diligence on high-risk vendors using a Vendor Risk Questionnaire. Evaluate things like the vendor’s credit rating, the number of subcontractors they use and if they share your confidential data with other contractors. Ask what cybersecurity measures they have in place. Do they have a comprehensive crisis management plan? Are they compliant with leading security standards such as ISO 27001, HIPAA, PCI-DSS, etc. 

Critical software suppliers must also provide an accurate Software Bill Of Materials (SBOM) so the organization has a clear idea on the composition of the software they supply. It is estimated that 40% to 80% of lines of code in software comes from third parties (such as libraries, components and SDKs) many of which are vulnerable.  

  • Prioritize risks and address them

Once your due diligence is complete, decide how you want to respond to each vendor individually. Update contracts and state control requirements clearly so that vendors understand your expectations and adhere to specified mandates. Security controls such as encryption, multi-factor authentication (MFA), security awareness training, etc. can help meet regulatory requirements and also mitigate supplier risks. List vendors that do not meet your security, privacy and safety standards and ensure you get these vendors to an acceptable level of security or prepare to offboard them without causing business continuity issues. 

  • Develop processes to monitor risks on an ongoing basis

Ensure processes are in place to continuously assess vendor risk levels (low risk vendors can grow to become high risk). Implement regular data analysis so that any red flags trigger alerts. Look at the full scope of your vendor processes — from on-boarding, classification, due-diligence, and then off-boarding. A majority (80%) of legal and compliance leaders agree that third-party risks are identified after initial onboarding. Review assessment protocols on a periodic basis. These include policies and procedural manuals, regulations, and service level agreements (SLAs), along with a process for feedback and correction requests.

  • Invest in tools and automation, seek help from experts 

For small- and mid-sized organizations that have limited resources, it might be prudent to outsource the assessment process to cybersecurity consulting firms that are experienced. For organizations that have a large pool of vendors and suppliers, it might be a good idea to invest in automated tools; manually managing multiple vendors is a resource-intensive and cumbersome process. Look for tools that make it easier to manage vendor workflows (contracts, onboarding, classification and off-boarding) and that can conduct risk assessments (initiates security assessments automatically, stores evidence and triggers notifications or escalations when something is missed). 

To summarize, it’s critical that businesses step up their TPRM efforts to reduce risk, protect revenue and avoid downtime. Adopting a proactive risk management approach using robust processes and security expertise helps mitigate risks before they become incidents. Manage third-party ecosystems in a way that establishes a culture of trust, transparency and accountability. 

See Related: 7 Key Elements of a 3-year Cybersecurity Plan

About the Author

Michelle Drolet is CEO of Towerwall, a specialized cybersecurity firm since 1993 offering compliance and professional onsite services with clients such as Foundation Medicine, Boston College and Middlesex Savings Bank. Founded in 1999 in Framingham, MA, Towerwall focuses exclusively on providing small to mid-size businesses customized cybersecurity technology programs. Email Linkedin:; Twitter @towerwall


Related Articles

Latest Articles