GRC 101: What is Third Party Risk?


Written by: Andrew Steioff

Reviewed by: Luca Pascale
Updated: October 05, 2022

Who has access to your company’s data?

For most companies, the answer to this question used to be fairly straightforward. Barring criminal wrongdoing, companies could be confident that their business records, customer data, and other sensitive information were reliably kept in-house.

Those days are over. Sensitive data, IT infrastructure, and more are all shared with partners and vendors or outsourced to other third parties. Everything is connected to the internet or living in the cloud—which undoubtedly makes many business processes easier and more efficient, but also creates the possibility for mishandling or abuse.

This is called Third Party Risk, also known as Vendor Risk or Supplier Risk.

Third-Party Risk: the potential risk that arises from institutions relying on outside parties to perform business services or activities on their behalf.

Third-party risk is greater than it’s ever been, and managing third party risk effectively will require a rethinking of the traditional security model. Given this new reality, organizations are faced with a growing awareness that risk and compliance challenges no longer stop at traditional organizational boundaries. Establishing the wrong business relationships—or allowing current ones to sour through poor management—can force an organization to confront reputational and existential threats.

What are some examples of third parties?

For just about any business activity you can think of, there’s a company that will take on that responsibility for another company. Some, like cleaning services or parts suppliers, are obvious and have been around for a long time. Others are newer and more difficult to discern from in-house functions. These can include staffing agencies, consultants, and service vendors.

As an industry example, hospitals and healthcare systems rely on hundreds (even thousands) of vendors every day to perform routine functions. These services can include hospitality, transportation, security, IT, transcription, laundry, patient care, and waste removal—to name but a few. In a highly regulated market such as healthcare, these relationships can pose big risks.

Even for those that have resisted outsourcing, the modern organization represents a wide web of third-party relationships and interactions that flow beyond traditional business boundaries. Complexity grows exponentially as these interconnected relationships, processes, and systems proliferate and embed themselves in the organization’s processes over time. Today, 20–50% of large organizations’ total workforce is outsourced, according to estimates (WSJ).

What are the risks that come from Third Parties?

The risks that may arise from an institution’s use of third parties are numerous and diverse. Some of the risks are related to the underlying activity itself, similar to the risks faced by an institution directly conducting the activity. Other potential risks arise from—or are heightened by—the involvement of a third party. Failure to manage these risks can expose an institution to regulatory action, financial loss, litigation, and reputational damage, and may even impair its ability to establish new, or service existing, customer relationships.

Cybercriminals routinely target suppliers and partners in order to exploit connections to larger, more valuable targets. Given the expanding partner networks, the attack surface that they can target is rapidly expanding as well—from principal systems to connected devices, supply chains, and more. In fact, third parties have become preferred vectors for cyberattacks.

While the risk landscape is constantly evolving and new threats are ever on the rise, risks typically fall into one of five categories based on impact to the principal business:

  • Financial Risk: Risk that a third party could damage financial performance. For instance, the company could fall short of revenue goals after a supplier provides a faulty component, impairing sales.
  • Reputational Risk: The risk arising from negative public opinion created by a third party. Dissatisfied customers, inappropriate interactions, poor recommendations, security breaches, and legal violations are all examples that could harm a company’s reputation and standing.
  • Regulatory/Compliance Risk: Risk that a third party will impact compliance with laws, rules, or regulations, or from noncompliance with internal policies or procedures. For example, if a supplier violates labor or environmental laws, the principal organization can still be found liable and face fines.
  • Operational Risk: Risk that a third party could cause loss from disrupted business operations. Examples include a software vendor being hacked, leaving a company with a downed system, or a supplier being impacted by a natural disaster.
  • Strategic Risk: Strategic risk is the risk arising from adverse business decisions, or the failure to implement appropriate business decisions in a manner that is consistent with the institution’s strategic goals. The use of a third party to perform critical functions can expose an institution to strategic risk.

The biggest challenge for organizations is to provide the appropriate oversight and keep these risks in check. Just as firms were often slow to move on from perimeter-based defenses and tackle threats to their mobile workforce, the majority of companies are struggling to keep track of their network of third parties and the risks they may be introducing.

Target’s Trip-up

Target can attest to the importance of network security when companies build interconnected networks with suppliers and vendors. In its high-profile third-party data breach incident, a refrigeration vendor was hacked, which allowed malware to spread through the network and access POS system information. This could have been prevented through simple network segmentation, which would have kept the hackers from connecting their systems to the critical parts of Target’s networks. Instead, hackers were able to steal over 40 million credit cards from nearly 2,000 Target stores.

LogicGate’s Third Party Risk Management Solution

If your company employs third parties, then the responsibility falls to you and your employees to manage the risk they bring. Third party programs are complex, dispersed, multi-layered, and information-heavy. How do you go about designing and implementing your third-party risk management program for maximum effectiveness?

Proactive due diligence is a difficult undertaking, but incredibly important. Embedding a culture of compliance across the supply chain is an end goal worth achieving. One of the steps toward this will be to establish a robust and automated third-party compliance program, consisting of third-party screening and onboarding procedures, risk assessments, ongoing monitoring, and corrective or preventive actions. LogicGate’s Third Party Risk Management solution can help your company put such a program in place.

 

For more on Third Party Risk Management, check out LogicGate's Third Party Risk eBook: Driving Cross-Functional Alignment Across the Vendor Lifecycle.
