Introduction to Third-Party Risk Management
2024-09-12 15:00:00 Author: blog.nviso.eu



In today’s world, organizations are increasingly depending on their third-party vendors, suppliers, and partners to support their operations.

This way of working, together with the era of digitalization we are in, can bring great advantages such as being able to offer new services quickly by relying on others' expertise, or cutting the costs of already existing processes. However, by opening their (digital) doors to third-parties or by sending them their precious data, organizations expose themselves to a broader range of risks. From data breaches caused by third-parties and unauthorized access through third-parties to regulatory compliance failures, an organization's risk exposure must also factor in third-party security risks.


Third-Party Risk Management (TPRM) revolves around the ability of organizations to identify, and remain in control of, the risks that emanate from working with their third-parties. In fact, relying on third-parties comes with a shared responsibility between you and your third-party, of which you ultimately bear the end responsibility.

In this very first blogpost, within a series dedicated to TPRM, we’ll introduce TPRM and its key components. In the next blogposts, we will tackle specific topics and address questions you might have on TPRM.


So, what is Third-Party Risk Management?

TPRM is the process of identifying, minimizing, and keeping control of the risks that come from working with third-parties or service providers. In very simple terms, we assess the cybersecurity maturity of third-parties (e.g. suppliers) before signing a contract with them. By "third-parties" & "service providers" we mean any organization which either:

  1. Manages any of your sensitive information (e.g. has access to, collects, processes, stores or archives). As example: cloud providers (IaaS, PaaS, SaaS), business service providers, etc.
  2. Is connected to, or has access to, your internal network or systems. As example: IT services providers, etc.
  3. Can impact the reputation of your organization in any other way based on the context of the relationship. As example: A business partner whose services you recommend to your own customers, or a business partner which hosts an internet facing website which is branded with your organization’s logo.

By building strong TPRM foundations, organizations can minimize risks before they even materialize: by identifying them before any contract is signed, and by asking the third-party to remediate some of the findings. Through TPRM, an organization can ensure, to some extent, that its own security requirements are applied consistently across the entire supply chain (whether internal or outsourced). Organizations with a mature TPRM process will also monitor the activities of their third-parties and regularly reassess the risks.


Why should we give TPRM the right level of importance?


Our introduction so far already gives you an idea of the importance of Third-Party Risk Management. As we said, organizations are becoming more and more digitally interconnected and reliant on their third-parties. Let us stress here the key reasons why TPRM matters in your security program:

  1. Ensuring Operational Resilience: Whether a third-party has access to your internal systems in order to assist with your organization’s operation, or whether part of your operations is entirely outsourced to a third-party; an incident emanating from third-parties can heavily disrupt your activities and your ability to deliver services.
  2. Protecting Sensitive Data: As the exchange of sensitive customer data & intellectual property between organizations increases, so does the risk of data disclosure.
  3. Managing Reputational Risk: Data disclosures & operational continuity issues, even caused by the mistakes of a third-party, can impact the reputation of an organization; leading to loss of business opportunities & customers.
  4. Meeting Regulatory Compliance: Many industries are subject to strict regulations and compliance requirements such as the well-known GDPR, the feared NIS2 or DORA. Engaging with non-compliant third-parties can expose organizations to compliance violations, fines, and reputational damage. Furthermore, for some industries performing Third-Party Risk Management can be a regulatory requirement on its own.
  5. Strengthening Competitive Advantage: As customers’ and partners’ expectations on security are more & more a priority; organizations which can demonstrate a mature approach to information security, including third-party risk management, can gain the trust of their customers and stakeholders – giving them a competitive advantage.

A mature and well maintained TPRM program will make it easy to demonstrate to higher management that this is all under control.

According to ENISA's Threat Landscape (2023), Supply Chain Attack/Third-Party Security breaches are among the top threats to be considered. Does your organization consider it?


How to build your TPRM framework?

Based on our experience, we propose a couple of building blocks to structure your TPRM activities.

1. Obtain visibility on all your third-parties.

To start your TPRM efforts, you first need to have an eye on all the third-parties your organization is involved with. A central inventory of your third-parties is a must.

If your organization has a procurement team, they will typically already have such an inventory. We recommend linking your efforts with the procurement team rather than recreating such an inventory on your side, as this would add the complexity of keeping both inventories aligned. With procurement being the gatekeeper of contracts, joining forces will also help your TPRM efforts in identifying new third-parties, or third-parties for which the relationship has ended.

If your organization does not yet have a procurement team, or such an inventory, clear communication & processes with the business side will be crucial for them to share with you the list of third-parties they are aware of.

2. Start from your risk management program and risk appetite to steer your efforts.

Next, you should determine your security risk appetite and use it to steer your third-party risk management efforts. Make no mistake: just as with every security discipline, you will waste resources if you don't set your focus right. Applying the concept of tiering based on inherent risk [1] is crucial in this respect (refer to 3. below).

3. Execute with operational excellence.

TPRM is often perceived, by the business wanting to contract with the third-party, as a time-consuming constraint. It is therefore of utmost importance that your TPRM program is well integrated with other existing functions within your organization, such as procurement, the data protection office, IT, etc.

In our opinion, running a third-party risk management program should focus on 3 key activities:

  • Assessment execution, for risk identification and analysis:
    • Identifying the third-parties that should be assessed based on their criticality for you (for example through tiering based on inherent risk for your organization).
    • Assessing the third-parties, with different assessment types depending on this risk tier: either by sending them a security questionnaire, by conducting interviews and/or by analyzing their existing information security certifications. More companies are also providing assurance through trust portals such as SafeBase (the SafeBase Trust Center enables security teams to proactively share and automate access to security, compliance, and privacy information and to complete security questionnaires). These assessments can be complemented with technical audits, such as penetration tests or vulnerability scans.
    • Consider the contractual agreements that should be set up with the third-party, such as information security, data privacy or business continuity requirements. The contract can be updated to ensure the third-party's commitment to fix the findings you have identified.
    • Plan for the end before it even begins. What do you expect the third-party to do once the relationship ends? Return your data to you and then delete it, of course!
    • Set up clear agreements with third-parties on the reporting of security incidents which might affect you, so that you can easily ingest these reports into your standard incident response activities.
  • Debriefing of results & next steps:
    • Notifying relevant stakeholders (such as the business that will be responsible for the service) of the risks and findings (if any) that resulted from the assessment, and explaining the risk(s) of working with the third-party.
    • Helping the stakeholders define an action plan to further reduce the risk (i.e. risk treatment), which they can then also coordinate with the third-party.
  • Monitoring of agreed actions and changes:
    • The first aspect of monitoring, which many companies have not yet mastered, is to monitor risk treatment by verifying that the third-party has effectively remediated the risks.
    • Your organization should also monitor the evolution of the relationship/service with the third-party. While at the beginning a service can seem 'low risk', new bits & pieces, such as a brand-new feature on a platform, can be added over the months or years. The once 'low risk' service can rapidly evolve into a 'high risk' service, which might require you to reassess the third-party based on the updated criteria.
    • As we typically see companies focusing more and more on cybersecurity, it would be natural to expect them to improve their stance in that regard. However, it is not impossible for a company's cybersecurity maturity to go down. So even if the service has not evolved, you should always consider reassessing your third-parties regularly.

Finally, your organization will want to define indicators in order to monitor both:

  • The progress of the Third-Party security activities regarding the Third-Party portfolio and process execution (KPIs); and
  • The risk posture and exposure of the organization regarding its Third-Parties (KRIs).

Measuring will allow you to identify areas for improvement, both in operational excellence and in risk coverage.

As many companies still organize their TPRM efforts mostly manually, it can be worthwhile to explore automation capabilities to achieve further operational excellence. For ideas on this, we refer to an earlier blogpost.


Conclusion

As organizations become more and more interconnected with their third-parties and rely on them to support their operations, the need for effective Third-Party Risk Management becomes inevitable. By focusing on TPRM, organizations can minimize the risks of engaging with their third-parties and remain in control of those risks. TPRM will not only proactively protect an organization's sensitive data, operational continuity, and reputation, but will also strengthen trust with the organization's stakeholders & customers by demonstrating control over its supply chain.

Thanks for reading our blogpost. Feel free to reach out to NVISO, and in particular the dedicated Enterprise GRC team, to dig further into this subject, share your feedback or discuss how we can build something together.

  [1] Inherent risk is the natural risk level of a process that has not been controlled or mitigated through risk management.

About the authors

David & Noé both joined NVISO about 5 years ago. Since then, they have worked on different TPRM projects at some of Belgium’s biggest financial institutions, including 3 years together in the same TPRM project.


Source: https://blog.nviso.eu/2024/09/12/introduction-to-third-party-risk-management/