Recent incidents of cyberattacks impacting major organizations through exploited weaknesses in third-party relationships have highlighted the importance of holistic third-party risk management, creating an opportunity to revisit how risk-based vetting and continuous monitoring are pillars of a successful program.
As third-party providers support a huge range of core business functions for the modern enterprise, risk managers at organizations of all sizes would be wise to reevaluate whether their own TPRM programs are still up to the challenge of today’s risk landscape.
Let’s start by looking at some of the recent trends that have increasingly put TPRM in the spotlight.
Now Ubiquitous, Third Parties Can Create Risk
Sometimes described as part of an organization’s supply chain, third-party relationships and deeper, represent a huge swath of different entities and services. Some are physical suppliers, such as external manufacturers of certain product components, while others provide core internal operational functions such as employee identity verification.
Some organizations rely on thousands of service providers to fuel their business, with retail giant Walmart reporting over 100,000 suppliers as recently as last year. It’s not uncommon that external suppliers have their own third-party relationships, too.
As the reliance on third-party's grow, so too does an organization’s exposure to risk. These risks connected to third-party relationships are complex and broad, encompassing areas such as regulatory violations, reputational risk from ethical misconduct among suppliers and intellectual property theft.
In particular, information security incidents involving third-party suppliers have grabbed major headlines in recent years. Third-party suppliers often need access to some portion of an organization’s systems and data in order to deliver services, which creates a potential pathway of risk connecting the supplier and the client.
Providing a high level of access to third parties is common – a 2021 Security magazine report showed that 82 percent of companies provided highly privileged roles to third-party vendors.
Just as the third-party risk landscape is complex and highly specific to organization or industry, so too are the potential liabilities companies may face in a supplier incident. Yet reputational risks can be straightforward in a high-profile incident – for example, customer trust of an organization is eroded when the breach of a third-party vendor, one they’ve likely never heard of, allows the theft of private data.
Ensuring an Effective Third-Party Risk Management (TPRM) Program
No two TPRM programs will look exactly the same, but there are common strategies that every organization should consider in building or reevaluating their approach.
For one, asking the right questions during the onboarding of a new third-party is crucial. Organizations must first conduct an internal weighted assessment of third party-related risks – some potential risks may be acceptable amid the benefits of a certain relationship, while others are non-negotiable. These factors could incorporate specific industry issues, regulatory environments, geography, dependence on third-party services and financial risk.
Recent NAVEX survey data showed that 53 percent of organizations rated themselves as “good” to “great” in setting specific and accurate contract terms with their third parties. Almost as many, 48 percent, said they leveraged risk-based enhanced due diligence in their TPRM programs.
Another important effort is ongoing monitoring of third parties in two key areas. The first involves information security risk, where IT vendors should regularly prove that they are employing sufficiently robust information security measures for their own operations. Organizations should also evaluate whether the level of system and information access provided to vendors is appropriate.
Organizations should also monitor their third parties for evolving risks in areas such as media coverage, financial duress, sanctions or political dynamics. This allows opportunity for proactive reassessment of risk before it’s too late, though NAVEX data also show that only 35 percent of organizations feel they are “good” or “great” in their ongoing monitoring of third parties.
Managing third-party risk is a crucial task for any organization. For more information on managing risk across today’s third-party landscape, NAVEX provides additional guidance here.