Do you remember the SolarWinds supply chain attack in 2020? SolarWinds provides system management and monitoring tools and was compromised by attackers who inject malicious code into an update of its Orion software. It triggered a much larger supply chain incident that affected over 18,000 organizations including government agencies and Fortune 500 companies (including Microsoft, AT&T, and MasterCard), unknowingly installing the back door allowing attackers access to sensitive networks. It is believed that the attackers had access for at least eight to nine months before being detected and cost SolarWinds $18+ million to investigate and remediate the incident.
There are several types of third-party risk including cybersecurity risk, compliance and regulatory risk, operational risk, financial risk, and reputational risk. A vendor failure can lead to critical operational disruptions, financial losses, regulatory penalties, and reputational damage.
Image from Bigstock
What are some of the common challenges? Many organizations do not have insight into the vendor’s security controls, or traditional point-in-time assessments such as security questionnaires become outdated quickly and do not reflect ongoing risks. As the number of vendors increases, so does the third-party risk. Some large organizations work with thousands of vendors, which makes it difficult to track risk effectively.
What are some best practices for managing third-party risks?
1. Develop a Third-Party Risk Management (TPRM) framework that establishes a structured approach aligned with industry standards such as NIST, ISO 27001, and laws like the Health Insurance Portability and Accountability Act (HIPAA) or General Data Protection Regulation (GDPR).
2. Pre-Contract Due Diligence – conduct thorough security and compliance reviews before onboarding any vendors.
3. Contractual Safeguards – enforce clear security expectations, incident reporting obligations, and data protection requirements in vendor contracts.
4. Risk-Based Vendor Categories – classify vendors based on their level of access to sensitive data and/or critical business operations.
5. Continuous Monitoring – leverage automated tools to monitor vendors’ security in real time.
6. Incident Response – ensure that vendors are included in your cybersecurity response plans to facilitate rapid action if/when an incident occurs.
Third-party risk management isn’t just an IT concern so build a culture of risk awareness. Foster an organization-wide mindset that third-party risk is everyone’s responsibility and not just a “compliance checkbox.” Third-party risk impacts IT, security, legal, procurement, and compliance teams requiring cross-functional coordination. For example, leadership should prioritize security and compliance in their procurement decisions.
Image from Bigstock
Third-party risks aren’t going away so having a TPRM is a business imperative and not just optional. And with things such as supply chain attacks, AI-driven threats, and other high-profile breaches, these vendors can become the weakest link and create new third-party risk challenges.
What can the future of third-party risk management look like? More organizations may adopt zero-trust security models to limit vendor access. Other organizations may shift from annual vendor reviews to real-time risk tracking using AI. Organizations that invest in secure vendor relationships, and robust governance with real-time risk intelligence will be better positioned. So, assess your third-party vendors, strengthen your controls, and make third-party risk management a priority and competitive advantage!
For more information about making third-party risk a priority, follow me on LinkedIn!
