A Complete Guide to Third-Party Risk Management


A third-party vendor is any entity that your organization does business with.

This includes suppliers, manufacturers, service providers, business partners, affiliates, brokers, distributors, resellers and agents. 

Vendors can be upstream (suppliers and vendors) and downstream (distributors and resellers), as well as non-contractual entities. 

Outsourcing to service providers provides strategic advantages such as cost savings and outside expertise but also introduces third-party risk and fourth-party risk.

It is no longer enough to solely focus on your internal cybersecurity. Due diligence and cybersecurity risk assessments must be used prior to onboarding new vendors.

Information risk management means looking beyond your organization's walls to the third- and fourth-party vendors who have access to your sensitive data.

What Risks Do Third-Party Vendors Bring?

Third-party vendors, partners, contractors and consultants can bring needed expertise and services to your organization, but they often have access to internal systems and sensitive data. This means they can steal company data, change system configurations or sabotage critical infrastructure.

Even with no malicious intent, poor third-party vendor security represents a large security risk. 

This is why governments around the world have introduced strict regulatory requirements that require a form of vendor risk management to ensure sensitive data and personally identifiable information (PII) is transferred, stored and processed in a way that protects information security.

Financial institutions (e.g. under APRA CPS 234) and healthcare organizations (e.g. under HIPAA) come under particular regulatory scrutiny.

Do I Need to Worry About Vendors Who Don't Work on Critical Business Activities?

Yes, third parties who don't conduct critical business activities can still represent significant third-party vendor risk. In some cases, cleaners can represent a larger third-party risk than a typical Software-as-a-Service (SaaS) provider.

This is because the cleaner may have physical access to the CEO's computer, which stores information that could be the target of corporate espionage.

The role and size of the third party is generally not as important as the nature of the vendor relationship, the criticality of its activities, the level of access it has to sensitive data or property, and your organization's accountability for its inappropriate actions.

This is why a cleaner could introduce more cybersecurity risk than an outsourced business function. 

The key takeaway is to understand your organization's security standards are only as good as your weakest third-party vendor's security practices. 

For example, the 2013 Target data breach began with a single store's HVAC provider installing malware.

Every vendor is a possible attack vector that cyber criminals can use to launch cyber attacks.

What are Examples of Third Parties?

Recall that a third-party vendor is anyone who provides a product or service to your organization including:

  • Manufacturers and suppliers (everything from PCBs to groceries)
  • Services providers, including cleaners, paper shredding, consultants and advisors
  • Short- and long-term contractors. It's important to manage short- and long-term contractors to the same standard and to assess the information they have access to.
  • Any external staff. Awareness of cyber risk can vary widely from one external staff member to another.
  • Contracts of any length. Even the length of a contract can pose risk: the Internal Revenue Service (IRS) has regulations about vendor and third-party relationships that extend beyond specific time frames. In the IRS's eyes, a vendor working onsite with a company email address for longer than a specific period of time should be classified as an employee and receive benefits.

What is Vendor Risk Management?

Vendor risk management (VRM) or third-party management deals with the management and monitoring of risks resulting from third-party vendors and suppliers. 

VRM programs are concerned with ensuring third-party products, IT vendors and service providers do not damage business continuity, data security or expose sensitive information like credit card numbers or personally identifiable information (PII).

The demand and need for vendor risk management has grown in recent years due to the introduction of laws like the EU General Data Protection Regulation (GDPR), as well as the fact that organizations are entrusting more of their business processes to third parties.

Vendor security must be a key part of your overall cybersecurity strategy. 

It's not enough to focus on service-level agreements (SLAs) and disaster recovery in your third-party risk management program. You need real-time, ongoing monitoring to be a part of your third-party vendor management program. 

Your information security policy needs to focus on both first and third-party security to minimize total cyber risk. Spend some time creating a third-party risk management framework and operationalizing it. Consider investing in automating vendor risk management.  

Is My Business Liable For Third-Party Breaches?

It depends on your industry. In the United States, the Office of the Comptroller of the Currency (OCC) wrote in its risk management guidance:

A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.

Along with the OCC, the Federal Reserve System (FRS) and the Federal Deposit Insurance Corporation (FDIC) have statutory authority to supervise third-party service providers in contractual agreements with regulated financial institutions. 

Even if you aren't legally liable, your customers expect you to protect their data and probably don't care that a data breach was the result of a third party.

The FFIEC's Supervision of Technology Service Providers booklet highlights that the use of third-party providers "does not diminish the responsibility of the...board of directors and management to ensure that activities are conducted in a safe and sound manner and in compliance with applicable laws and regulations, just as if the institutions were to perform the activities in-house."

What are Fourth-Party Vendors?

A fourth-party vendor is a third-party vendor of your third-party vendor. In other words, it's a vendor you have no direct contact with but which may still have an impact on your organization in the event of a data breach or data leak.

You need to understand four things about your fourth-party vendors:

  1. Who they are
  2. What products and services they provide to your vendor
  3. What level of due diligence your vendor has done on their vendors
  4. Their cybersecurity rating 

This will allow your organization to better understand where risks may reside and how your sensitive data may be shared or stored in a fourth-party vendor's systems.

A fourth-party data breach can be as impactful as a first or third-party breach, especially if they are storing your customers' personally identifiable information (PII).

How Can I Get Information About My Fourth-Party Vendors?

Ask your third-party vendors to provide you with:

Best-in-class organizations that want to minimize third-party and fourth-party risk continuously monitor and score their third-party and fourth-party vendors, and send security questionnaires over the lifecycle of the vendor relationship.

Read our white papers on the buyer's guide on third-party risk management and vendor questionnaires for more information.

Even former third-party vendors can create risk to your organization. For example, TigerSwan’s former recruiting vendor left sensitive information publicly available in an S3 bucket until only recently. While the contract with the vendor was terminated in February 2017, thousands of resumes remained stored in the Amazon S3 subdomain “tigerswanresumes.”

With the cost of a data breach at its highest ever ($3.92 million) and breaches involving third-parties ballooning to $4.29 million, it pays to prevent data breaches.
