Third-Party Risk Management: Guidance for InfoSec Teams

March 17, 2022 | By IANS Faculty

In the past three years, organizations have seen a greater number of high-profile security breaches through third-party vendors as they shift business functions to external parties to reduce costs. A lack of third-party monitoring and consistent reporting has left organizations especially vulnerable to risk. And many third-party risk management programs continue to focus just on compliance.

Recently, the SEC proposed new rules that would require U.S. public companies to report cybersecurity incidents along with risk management plans and governance. This reflects a heightened focus on cybersecurity risk and the wider implications of risk across global markets, making third-party risk management more important than ever. 

This piece explains why security teams and their organizations must be aware of and understand the importance of third-party risk management. Learn the steps to take to build an effective third-party risk management process.

Types of Third-Party Risk Management 

At a high level, risk management is defined as the process of identifying, assessing and monitoring threats to an organization. Most organizations have numerous third parties. Many are vendors, but others fall into different categories, such as partners, contractors and suppliers. Third-party risk management is the process of ensuring a third party does not introduce risk into the organization. Many third parties are complex technology partners, and if they lack security controls, cyber vulnerabilities and incidents are bound to occur—and impact you.

Third-party risk terms are sometimes used interchangeably, but they have very different meanings and it's important to understand the distinctions. 

  • Third-party risk encompasses third parties that provide a product or service directly to your customers or to your organization. Third parties can include partners, consultants, vendors or suppliers.  
  • Fourth-party risk includes your vendors' vendors. Many times, an organization will be unaware of these, highlighting the importance of direct third parties having solid vendor risk management plans. 
  • Vendor risk comprises the third parties you and your organization buy from (your own vendors and suppliers). 
  • Supply chain risk concerns the flow of goods and services and may involve internal or external (third-party) entities. It incorporates other risk areas like cyber, geopolitical and man-made or natural disasters.

The Importance of a Third-Party Risk Management Plan 

Third-party risk can affect the organization across multiple business segments, including financial, operations and compliance. It’s critical to know your vendors and have a plan in place that clearly identifies how your organization analyzes and addresses risk. 

An effective third-party risk management plan is a component of an organization’s overall risk management plan. The plan details various risk areas across the organization to create the overall enterprise risk profile and helps to identify which strategies can reduce third-party risk to help minimize exposure in areas like information security.

How to Minimize Third-Party Security Risk 

To reduce the chances of a third-party security breach, begin by teaming with all related third parties to assess their security risk profile and build a third-party risk management plan. It’s important to rank the third parties in your portfolio based on the risk they pose, along with assessing the security framework they have in place now to mitigate your risk.

This process is key because you will not have direct visibility into or control over the risk measures a third-party vendor uses to safeguard its own security program and yours. The goal is to identify, classify and categorize the risk associated with every vendor and supplier relationship.

Steps to Build an Effective Third-Party Risk Management Program   

Effective enterprise third-party risk management plans must be structured, collaborative and incorporate the following steps, each of which has several components:  

  1. Assess third-party risk: Start with documenting your risk universe of third-party risks and categorizing the actual risks (high to low) to the organization, taking time to identify all current and possible third-party risks. Be sure to inventory all types of third-party risk, including vendors, partners, suppliers and the supply chain. 
  2. Analyze third-party risk: Once third-party and associated risks are documented, the next step is to analyze their probability and potential impact (according to exposure, cost and damage potential). Prioritize third parties with a risk assessment matrix to identify the probability of third-party risks, as well as to evaluate the potential damage or interruption caused by those risks. 
  3. Mitigate third-party risk: Risk mitigation is the action plan your security team and organization take to reduce exposure. Security programs can then be implemented that reduce the third-party risk down to acceptable levels. Risk programs must be tested to ensure they are correctly designed and will operate effectively. 
  4. Monitor third-party risk: Third-party and other risks can change over time. The potential impact and probability of minor risks can suddenly grow into significant threats to the business. Ensure you monitor risks constantly via recurring security risk assessments. 

Risk Management Is a Process 

Our third-party networks and relationships continue to expand, and it’s critical to build a consistent third-party risk management program that is scalable over time. Third-party risk management is vital to managing information security risks, and it includes establishing a comprehensive third-party risk management program throughout the organization.

As security teams work to minimize threats and mitigate risks before they have an adverse impact, it’s important that risk management becomes an integral, continuous process across an organization. 
