Why Expertise Is a Top Consideration When Considering a GRC Partner
GRC is an ever-evolving practice; place value in a vendor with extensive knowledge of the GRC landscape, one…
Every login to every digital tool your organization uses, and every manufacturer you rely on for materials. Every email or direct message sent to a contractor or consultant. Every credential left forgotten and unrevoked once your business with those entities has concluded. Every single connection point between your organization and a third-party service provider or vendor represents an opportunity for risk and bad actors to enter your organization.
Those connections have only grown in number and complexity in our digital-first landscape. That’s why organizations that commit to staying on top of third-party risk assessment have a competitive advantage when it comes to data security.
No two vendors are the same, and each carries different levels of risk. So where to begin? This article provides a comprehensive game plan for building an effective program to assess and mitigate third-party risk.
What is third-party risk?
Third-party risk refers to any risk that enters your organization because of your relationships with contractors, consultants, service providers, or other types of vendors that your organization works with in the course of routine business operations.
That public relations agency with early access to sensitive information about big announcements? That’s third-party risk. The provider of your cloud-based security solution? The one with access to significant portions of your network? Definitely third-party risk. Even the company you contract with to clean your offices each night can introduce third-party risk to your organization.
Let’s explore some specific types of third-party risk.
Types of third-party risk
Cybersecurity risk
This type of third-party risk is probably the most visible in most organizations. It’s the risk that a threat actor will manage to work their way into your systems via a third-party’s access to your network or as a result of improper employee use of a cloud-based software platform.
Though technology has allowed organizations to push innovation and productivity to previously unseen levels, it has also introduced significant amounts of risk. Retail giant Target, for instance, was famously victimized by a data breach that originated with their HVAC contractor's access to their point-of-sale system, illustrating the consequences of how a simple oversight can cause a big problem.
Data privacy risk
Aside from the talent in its workforce, data is arguably the most valuable asset a company possesses these days, and the volume of data created each day is growing exponentially. Much of this data is personally identifiable information, intellectual property data, financial data, or critical infrastructure information — both types of data that can cause big problems if it falls into the wrong hands.
Supply chain risk
Every organization relies on supply chains at some point, and any point at which they break down can cause headaches — or worse — up and downstream. Supply chain risk is the risk that one or more of your suppliers will become compromised, leading to a cyber incident, or disrupted, leading to delays and lost revenue.
The infamous NotPetya cyberattack and the outbreak of the COVID-19 pandemic are great examples of supply chain risk events that materialized and crippled worldwide shipping, a crucial component of most supply chains.
Reputation and ESG risk
Any partnership with a third-party contractor, consultant, vendor, or personality carries the risk that one or both of you will become embroiled in a controversy, fall victim to a major cyberattack, or experience some other event that tarnishes each of your brand’s reputations by association.
Last year’s dispute between apparel giant Adidas and Kanye West is an example of this type of risk. Though Adidas’s partnership with West’s Yeezy apparel brand was initiated prior to a series of highly controversial public statements by the rapper, the company swiftly terminated the deal to distance itself from him amid the fallout from his actions. Afterward, the company faced lost revenue and a lawsuit by investors.
On the flip side, this type of risk can occasionally lead to strategic advantage. Following Colin Kaepernick’s public protest of systemic racism during NFL games, Nike — no stranger to taking stands and courting controversy — initiated a marketing partnership with the former quarterback. The result? A boom in sales.
Regulatory risk
This is the risk that third parties you work with will fail to comply with regulatory requirements, causing negative consequences for your organization. If one of your contractors is violating labor or environmental laws, you could easily find yourself in regulators’ crosshairs and financially on the hook when the penalties start to roll in.
Operational risk
While you might be testing the effectiveness of your processes, controls, and policies regularly to ensure they’re working, you need to be sure that the third parties you work with are meeting the same standards. An operational failure at one of your vendors can easily spill over into an operational failure for your organization.
Financial risk
When you execute a contract with a vendor, the expectation is that you’ll get the services or goods that you paid for, right? That may not be the case if your chosen contractor is in poor financial health: It could go out of business and leave you high and dry, interrupting your operations, and damaging your revenue. Plus, you likely sent a lot of sensitive information and data to that company.
That’s what happened to Silicon Valley Bank in March 2023. Numerous startups and venture funds trusted SVB to keep their deposits safe, but poor risk management and bad investments by the bank ended up seeing it fail, leaving all of those customers wondering if they’d be able to get their money out and make payroll the following week.
Why is managing third-party risk important?
Any of the above scenarios has the potential to cause anything from a minor headache to catastrophic, irreparable damage to your organization. Failing to adequately manage third-party risk essentially means you’re flying blind, giving contractors and vendors access to your organization and its assets without considering the various risks associated with them — and that can carry serious consequences, financial or otherwise.
Here are a few recent examples of third-party risk causing major problems for organizations:
- Identity management platform Okta experienced a data breach that saw hackers obtain access to its source code repositories in 2022. The attack originated with a third-party support contractor.
- The networks of numerous enterprises and government agencies were compromised when hackers were able to insert malicious code into SolarWinds’ popular Orion software.
- Threat actors stole OAuth user tokens from two third-party integrators and used them to obtain copies of private repositories from GitHub.
In each of those scenarios, the victims suffered significant financial and reputational damage.
How do you assess third-party risk?
We’ve established all of the very important reasons why every organization needs to stay on top of third-party risk. Now let’s get into how to go about doing that.
The process of evaluating third-party risk so that it can be mitigated is known as third-party risk assessment. When properly designed and executed, these assessments are designed to make sure your organization has a pulse on the security posture, health, and compliance practices of each and every vendor it works with.
Take stock of which vendor risks your organization faces
The first step in carrying out a vendor risk assessment is to figure out which risks your organization is exposed to through its vendor ecosystem.
A good way to go about doing this is to make a list of all the different adverse events that your organization could potentially face based on stakeholder and subject matter expert interviews, data analyses, review of external media, and other sources of information. This list is known as a risk register.
You should also use risk quantification methods to tie each of those risks to the potential impact it could have on your organization, financial or otherwise.
With your risk register in hand, begin categorizing each risk based on the types of third-party risk detailed above or others that are relevant to your organization.
Build risk profiles for each vendor
Next, you’ll want to begin mapping each of your risks to each of your vendors to develop risk profiles. These profiles will paint a picture of all the different types of risk a single vendor could introduce to your organization, and allow you to group vendors together based on similarities in their risk profiles.
Pro tip: It can be helpful to visualize your vendor risk profiles, so you can see where they connect to each part of your organization, and to each other.
Categorize your vendors based on their risk levels
Since some risks are much more of a threat to your business than others, it makes sense to bucket your vendors into tiers based on the potential total severity of the risks associated with them.
That catering company that delivers boxed lunches to your office’s front desk for an executive meeting and then leaves? It’s probably safe to place them in your “low” risk bucket. But the cybersecurity contractor with access to almost every corner of your network? That one belongs in the “high” or “critical” risk bucket.
Putting this work in will help you focus your third-party and vendor risk assessment and mitigation efforts on the relationships that have the highest potential to cause problems first.
Screen vendors to assess their security
Now that you know which risks are associated with which vendors and you’ve determined which of those vendors carry the most risk, it’s time to evaluate their security practices to make sure they’re adhering to the appropriate processes and standards to keep the data and assets you allow them to access secure.
You’ll want to quiz each of your existing vendors on their security practices and make them prove that they’re compliant with any risk management and security frameworks you deem necessary, including SOC 2, NIST, SIG Lite, ISO 27001, and others, and examine their financial health to make sure they’re stable and will be a reliable partner.
A caveat: It’s often easier to obtain this type of information from large, public companies than smaller, privately-held organizations. You’ll need to work more closely with those vendors to obtain equivalent information that offers the level of assurance you require.
You’ll also want to look at things like the vendor’s geographic location and reputation. Are they located in a volatile country or region where conflicts or unrest could potentially disrupt their operations — and, by association, your own operations — or are they based out of a country that’s targeted by international sanctions, like Russia or North Korea? Check out any media coverage of a prospective vendor, too. Have they ever been at the center of a big controversy? Are they the target of a major lawsuit?
Because some vendors carry less risk than others, it’s a good idea to develop a number of different third-party risk assessment questionnaires. That way, you can send shorter, simpler questionnaires to less risky partners to streamline their assessment and speed things up, while vendors that carry critical risk will receive much more intricate and comprehensive questionnaires. That said, the more comprehensive you are, the less risk will make it into your organization overall.
Ultimately, once you’ve assessed each of your third parties and vendors, you’ve got a big decision to make: How game-changing is the technology or service the vendor is offering, and are you willing to assume the risk that comes along with it for the benefits? Remember, no vendor is perfect. If you do decide to work with a particular vendor despite the risks, be sure that you’ve put appropriate controls and processes in place to mitigate them.
Once you’ve assessed your existing third-party relationships, you can adapt these questionnaires for use in new vendor onboarding. You can also repurpose them for vendor offboarding, an equally important part of the vendor lifecycle, since that’s when you’ll revoke the privileged access a third party has to your system.
Address third-party risk
If you do decide to move forward with a vendor following your assessment, you’ll need to decide how to handle each of the risks they’ll bring along with them. You can:
- Avoid the risk: If you’re having second thoughts about moving forward, you can always avoid the risk by choosing not to do business with the third party in question.
- Accept the risk: Not much more to say here. Keep an eye on the risk and carry on.
- Mitigate the risk: Implement new controls or update existing ones to mitigate the risk.
- Transfer the risk: Shift the responsibility for the risk to a third party (meta, we know!), typically an insurer.
Design a program for ongoing assessment
Third-party risk assessment is never a “one-and-done” activity. Every organization’s security posture and risk and compliance landscapes are constantly changing, and it’s crucial that your organization has a system in place for re-assessing each vendor relationship on a regular basis. You should also design key performance and risk indicators to gauge the success of your third-party risk management and mitigation program, so you’ll know what’s working and what needs to be improved.
Use modern GRC technology to automate third-party risk assessment
Many organizations rely on a patchwork of spreadsheets and other disjointed documentation to keep track of their third-party risk assessments and vendor risk, but that’s a very difficult system to scale. And with the sheer number of vendor relationships most modern organizations have, scale is the name of the game.
A modern GRC platform, like LogicGate Risk Cloud®, can help here. These systems allow you to connect, centralize, and automate all of your third-party risk management controls, audits, and due diligence in one place. That allows you to automate repetitive tasks, reduce human error, and speed up vendor onboarding.
Designing third-party risk assessment questionnaires
So, what goes into a third-party risk assessment questionnaire? Every question about every risk, policy, process, and control that the vendor may have or be subject to, to the extent necessary by the risk category they fall into.
Here are some of the most important things you’ll want to make sure you ask about:
IT and cybersecurity
Here, you’ll want to make sure you’re asking the right questions to determine whether a vendor is aligned with your organization on cybersecurity standards, controls, training programs, and framework compliance. You’ll also want to ensure that the software tools that they’re using to run their own day-to-day operations are secure. The risks associated with those relationships are known as fourth-party risk. Yeah, this can get pretty exponential.
Some questions to ask:
- Who are the vendor’s auditors?
- Which control frameworks are they using?
- What does their vulnerability scanning look like, and how often do they do it?
When assessing third-party cybersecurity risk or if your organization is being assessed for cybersecurity risk by a potential customer, it can be helpful to create a software bill of materials, or SBOM.
What is a software bill of materials (SBOM)?
An SBOM is a nested list of all of the different software components that underlie your own product or the one you’re about to implement for your organization, so that you or your potential client can quickly assess any security risks associated with them. Having a SBOM prepared or asking your vendors to provide them can speed up the third-party risk assessment process.
Source: National Telecommunications and Information Administration
Financial
For public companies, much of this information can be gleaned from mandatory filings like 10Qs and 10Ks. When it comes to private companies, it may come down to asking them to show you bank statements or balance sheets.
Legal and regulatory compliance
Ask to see copies of any audits, internal or external, to make sure the vendor is fully compliant with all applicable legal and regulatory requirements.
If you’re being assessed: It’s a good idea to compile as much of this information as possible into a prepared “trust package” that can be handed off to the client at the start of the third-party risk assessment process. Any more specific questions can be answered afterward.
Automate and streamline third-party risk assessments
Managing third party risk is a marathon, not a sprint. You can make sure your organization keeps pace by following the above framework and powering it all with the right GRC technology.LogicGate Risk Cloud’s Third-Party Risk Management Solution can help you efficiently assess third-party risks, implement strategies to improve your risk posture, and onboard vendors faster. Schedule a demo today.
SOC 1®, SOC 2® and SOC 3® are registered trademarks of the American Institute of Certified Public Accountants in the United States. The AICPA Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is copyrighted by the Association of International Certified Professional Accountants. All rights reserved.