What is Third Party Risk Management (TPRM)?
Third Party Risk Management (TPRM) is the end-to-end process of identifying, assessing, and managing the risks arising from engaging with third parties. These could be any external individual or team that your organisation relies on to perform specific business operations, supply goods, or provide services in support of the mission. When we apply a cyber security focus to TPRM, it involves evaluating the security and privacy measures a third party has in place to protect key systems and data.
More specifically, TPRM enables you to fully understand the security posture of all suppliers across your business, focusing on the most important control categories. This develops a fully informed picture of your exposure to vulnerabilities, threats and the risks arising from them. From here, your organisation can then manage residual risk and bring it down to a level that is within business risk tolerance. It also helps you develop remediation plans against those risks that are identified to be outside the business risk appetite.
Why is TPRM Important?
TPRM is increasingly important due to a growing reliance amongst organisations on third parties to provide critical services and capabilities that directly impact their success. Where suppliers access an organisation’s network or data, the potential attack surface and range of vulnerabilities is increased (if not managed effectively). These parties need to stay in compliance with the security stance of your organisation. Attackers will commonly look for the path of least resistance and will target the weakest link, which may be in your supply chain, and can be a gateway to your organisation or disrupt operations.
Typical supply chain attacks can result in potential regulatory fines, operational disruption, legal costs, and remediation efforts including time and cost. We see examples of this occurring more frequently. In March 2024, the American Express data breach impacted over 50,000 of their customers which arose from a third party merchant processor. Though their own systems remained secure, account information was stolen. Perhaps most famous is the 2020 SolarWinds hack. This breach affected thousands of organisations and government departments. Customers of SolarWinds unknowingly installed malware that the hackers could use to access their information systems.
What are the Key Components of TPRM?
The TPRM process should of course be tailored to your own organisation’s requirements. However, we’ve identified several key components that you should include.
Risk Assessment
One of the aspects we often see our clients struggle with is applying the right amount of effort and resource to the right suppliers. Extra time and resources are often used on low-risk, more casual suppliers rather than the high-risk, critical ones. One way to address this issue is through proper categorisation or tiering.
All suppliers should be tiered according to the potential impacts they could have on your organisation; based on risks identified during initial risk assessments. Your organisations can then tailor its TPRM efforts based on risk priority. You can also perform regular deep-dive risk assessments for those vendors deemed higher-risk, while lighter touches can be made on lower-risk relationships. This will lighten the burden on internal efforts.
Due Diligence
This process allows your organisation to validate that third parties have implemented adequate security measures before you engage with them. Due diligence processes are performed to output a compliance report or overall security posture. These results can then be used to enable risk-based decisions regarding the vendor relationship.
Contractual Agreements
Contracts are critical to TPRM processes and must contain clear security requirements and standards that the third party must adhere to so that clear accountability and liability is understood. Best practice is to complete the due diligence process prior to signing the contract so that any remediation requirements can be stipulated in the contract where necessary.
There are many important clauses that should also be included where possible. One example is the responsibility to notify your organisation should any breaches occur. Your organisation needs to know about third party breaches promptly so that you can coordinate incident response efforts appropriately. In addition, the right to audit should be included in the contract. An effective contract includes this, or a similar clause, so that you can periodically audit the third party’s security practices and ensure ongoing compliance.
Ongoing Monitoring and Review
Both the threat landscape and security postures change over time. By continuously monitoring third parties, you ensure they continue to uphold the agreed upon security standards. Quarterly or bi-annual review meetings with third parties allows you to discuss performance and incidents that may have occurred, including lessons learned and subsequent improvements made. It also allows you to look at additional security enhancements that have been identified by updates throughout the business.
You can use vulnerability scanning tools to monitor your vendors or more advanced threat intelligence software to proactively monitor for supply chain threats.
What are the Best Practices for Third Party Risk Management?
Though there are many practices to address third party risk, we’ve identified four key practices for discussion:
Develop a Comprehensive Third Party Risk Management Framework
Establish Clear Communication and Expectations
Implement Regular Assessments and Audits
Create a Response Plan for Cyber Incidents
Develop a Comprehensive Third Party Risk Management Framework
Strategies are the foundation of effective risk management and should detail how your organisation identifies, assesses, and responds to third party risks. You should also clearly define roles to ensure responsibilities are understood, and that individuals are accountable. The risk framework should be thoroughly described here, detailing how to categorise third parties based on their risk level, as well as the organisation’s risk appetite and tolerance.
Clear processes and procedures should also be defined here for the onboarding, monitoring, and offboarding of third parties to ensure consistency and fairness.
Establish Clear Communication and Expectations
Clear and direct communication of expectations and requirements are critical before entering into the contract. As we discussed earlier, agreeing these early on helps ensure that an appropriate level of security is maintained and cyber security becomes a shared responsibility with clear accountability on each party. Regular communication can help catch risks early on, mitigating potential impacts.
Furthermore, supplier and stakeholder details must be recorded and regularly updated. If supplier and business details are incorrect, it makes other key components and best practices harder. Current stakeholder details are needed to correctly send assessments to them, initiate response plans with them, and leverage process automation capabilities of tools.
Implement Regular Assessments and Audits
Post-contract, you must make sure that the third parties you work with are maintaining their security controls and compliance by assessing them at least annually. Outputs from the assessments in the due diligence process should be tracked to ensure remediation efforts are applied and effective. Then, as conditions in controls and environments change regularly, you should conduct re-assessments to ensure no new vulnerabilities emerge.
Should new vulnerabilities be discovered, findings should be formally documented and, where required, remediation plans agreed with the third party with clear timelines, otherwise the risk of using them may become greater than the reward.
Create a Response Plan for Cyber Incidents
Lastly, as everyone understands, incidents occur no matter how robust the security framework. A thorough, well-tested response plan facilitates a co-ordinated incident response and minimises impacts. Response plans must include means for alerting key stakeholders, who have been identified in advance, so that the organisation can respond quickly. Breach notification agreements support this by obligating that third parties notify the organisation within an agreed time frame upon discovering and confirming a security incident. The quicker the response team are initiated, the quicker the time to recover.
What Tools and Technologies Can Help with Third Party Risk?
Utilising tools that are available today can make third party risk efforts more efficient and scalable as your organisation grows.
TPRM Software
There are many TPRM products, or Vendor Management Systems (VMS), that support the evaluation, quantification and management of supplier risks. These can streamline the process by automating tasks and providing generated insights. Common useful capabilities of TPRM products include:
Risk management capabilities
Storing and filtering suppliers by risk scores
Providing real-time reports and dashboards customisable to required metrics
Vendor onboarding and management
Contract management
Some specific products have many more individual features than the ones stated above. Dashboards can be particularly useful in providing real-time reporting; helping teams to monitor changes in their suppliers’ risk posture, as well as support clear communication to senior executives.
Managing risk assessments through products may be beneficial as it can provide clear and enhanced data visualisation of risks, enable efficient collaboration on risk efforts, support identification of early indicators for future risks, and promote risk awareness throughout the business. For many organisations, these products can be separate to VMS products. However, managing both processes through the same software provides greater consistency and integration between processes.
Cyber Security Training and Education Platforms
Many organisations are using training and education platforms to raise employee awareness on cyber security. This training can also be a part of the third party onboarding process so that external suppliers are reminded of the expectations on them with regards to cyber security and data protection.
Further to this, these platforms can be used to host training focused on educating internal employees on TPRM processes and equipping them with the knowledge to effectively manage the relationship and associated risks. This ensures a consistent approach and can instruct on the specific policies and procedures to be followed.
How Can Companies Stay Up to Date?
Staying on top of TPRM is crucial with increasing regulatory pressure and the evolving threat landscape, but doing so can be overwhelming when you don’t know the best place to start. The following points identify some key areas to consider when trying to stay up-to-date with TPRM.
Regularly Review and Update Policies and Procedures
Annual, or biannual, policy reviews are already considered best practice. But, specific focus should be given to ensure that they align to current business requirements and threats. Updating policies means continued compliance with regulatory requirements as well as tailored updates to meet new business requirements or risks. Around third parties, this can involve updating the TPRM policy and processes by refining risk assessment methodologies and providing governance for new monitoring tools and techniques.
Stay Informed about Industry Standards and Regulations
Many standards are readily available for organisations to leverage when building out their TPRM framework. NIST SP 800-161 Rev. 1 is the framework for Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations and provides clear controls and practices for this exact purpose. Frameworks like these are updated when external factors make it necessary, so staying informed about these is important. Other standards can provide useful guidance to an extent but aligning to recognised frameworks is best.
Organisations should also keep up-to-date with regulations applicable to their industry. Monitoring and understanding these can serve as guidance on best practices to build your own TPRM programme.
Utilise External Resources and Expertise
TPRM efforts could be strengthened by boosting your team with external resources that have the experience to join and work with internal teams; driving forward tasks like vendor audits (for just one example). Seeking support from external experts can also provide instant insights into best practices and common market trends or provide interpreted regulatory requirements specific to your organisation without needing to spend time reviewing very lengthy standards and regulations.
Blogs
