The moment your organization starts working with a third party, it exposes itself to risk. The key is to understand the type of risk posed by every third-party relationship and put the appropriate safeguards in place.
When it comes to third-party risk management (TPRM), organizations typically look at cybersecurity or InfoSec risks. However, there are many more risks that come when working with third parties.
This article — the second in our series on building a TPRM program — looks at all the types of risks a third party can pose to your organization. We also spoke with six InfoSec and third-party risk leaders from OneTrust and Fortune Global 500 companies about the third-party risk domains to be aware of, and risks that go beyond third parties.
Download our InfoSec's guide to Third-Party Risk Management, which covers all the steps in setting up a TPRM program, from planning to monitoring and reporting.
Third-party risks are potential risks taken on when an organization engages an external party to provide products or services on their behalf. External parties can include contractors, partners, service providers, suppliers, vendors, or other third parties.
While an organization has its own security standards, there’s no guarantee that third parties have the same measures in place. With every third party that has access to internal company systems or sensitive data, there’s an increase in the organization’s exposure to potential risks and threats.
“Third-party risk is not just the risk of sharing data or integrating various systems. Those are very important risks to be aware of, but there's also compliance and payment risks, the core financial health of the vendor — all of these other risks that are not just part of security,” says Ruo Xie, VP of Source to Pay at OneTrust.
As the use of third parties continues to increase, so do the types of risks they pose to organizations. The exact type of risk exposure differs for every organization, depending on what third-party service is being rendered.
For example, say your organization engages a third party to provide online customer support services. If the third party doesn’t maintain up-to-date business continuity or recovery plans, it will be unable to provide the contracted services in cases of data breaches, cyberattacks, outages, natural disasters, or other unexpected circumstances. All these, in turn, become types of third-party risks for your organization — namely, operational, financial, and reputational.
Here are seven common third-party risks to be aware of:
Cybersecurity or InfoSec risk
Cybersecurity or InfoSec risks arise when an organization’s data can be breached, compromised, exposed, or lost due to deficiencies in a third party’s security controls. This is more likely to occur when service providers have access to an organization’s internal systems or sensitive data, which highlights the importance of conducting third-party due diligence and continuous monitoring.
Operational risk is created when a third party fails to deliver the expected product or service, causing a disruption in the organization’s routine operations. Regardless of the reason for failure (i.e., cyberattacks, natural disasters, human error), this risk should be addressed in the contract or service-level agreement (SLA). An organization may also opt to have a backup vendor as part of its own business continuity plan.
Financial risk occurs when a third party’s financial health negatively impacts your own organization’s finances. For example, if a third party lacks funding or resources, it may start to deliver subpar services and products. This leads to disappointed customers and lost sales. Other forms of financial risks include incurred fines and compensation or remediation costs. To mitigate this risk, identify the third parties that have the most impact on your financial performance and audit their operations on a regular basis.
Compliance and legal risk
Compliance and legal risks are posed to organizations that have to comply with governing regulations (i.e., GDPR, HIPAA), but engage with third parties that may not adhere to the same standards. If there’s a failure to prove regulatory compliance, or worse, an actual cyberattack or data breach occurs, the organization is responsible for any violations. Before entering a third-party relationship, ask for relevant certifications and include compliance requirements in your contract.
Strategic risk is present when a third party prevents an organization from meeting its strategic objectives. While it depends on the specific objective, this risk can usually be mitigated through better alignment and communication with the third party. Start the engagement by establishing the objectives of both parties, as well as the key metrics that will be used to track performance.
Geopolitical risk is the risk a vendor poses based on their location or the location where the service is conducted. This is becoming an increasing risk, as countries continue to evolve their legal and regulatory standards and it can be near-impossible to predict another country’s economic or political stability. To mitigate geopolitical risk as much as possible, take stock of the number of regulations relevant to the specific third party. Also consider the area’s historical and macro factors — have there been recent political shifts, supply chain disruptions, and the like?
Reputational risk comes when actions taken by a third party can potentially damage your organization's reputation. It may be a publicized data breach, lawsuit, or negative public opinion about company practices — in most cases, customers will associate any news about third parties with your organization. While you can’t foresee every possible risk to your reputation, conducting thorough third-party assessments and due diligence can help protect your organization’s reputation.
"There’s also ethical risk, which may not be the CISO’s main concern in the beginning but is something to keep in mind. A venture capitalist or partner, for example, may require you to only do business with ethical companies,” says Jose Costa, Sr. Director of GRC Labs at OneTrust. “And of course, there’s the risk of breaching your customer’s trust, which may be the most important one because it’s very hard to fix.”
Not only do you assume risks from your third parties, there are also similar risks from their third parties (referred to as fourth parties or subcontractors) that can disrupt your organization.
“You have to think all the way up and down the chain. You could have the 500 partners you do business with, but then they could have thousands on top of that they do business with,” says Mullen. “That's where the whole supply chain attack comes in.”
A recent survey reveals that the financial impact of third-party or subcontractor risk incidents has at least doubled over the last five years. Despite that, only 20% of organizations effectively monitor their subcontractors. This is due to several factors: Organizations lack information about their subcontractors and associated risks, they lack resources, they assume their third parties are already monitoring subcontractors.
This gap in the third-party ecosystem presents a significant opportunity. By increasing visibility across the entire supply chain, an organization can better understand and manage critical subcontractor risks.
“At the end of the day, you have to understand that even if it's a third party that does something wrong, it’s your data. You're the one who’s ultimately responsible and will be in the media answering questions,” says Costa.
Reduce risk, build trust, and enhance business resilience by unifying third-party management across privacy, security, ethics, and ESG. Book a demo today.