Beginner’s Guide to Third-Party Risk Management

Troy Fine

by Troy Fine

July 31, 2022
Third-Party-Risk-Management-1
Third-party risk management brings your external risks under control and lets you address security, financial, legal, and compliance risks.

Every API, contractor, and supplier adds to your company’s third-party risk. One code exploit or stolen password can expose your company to data theft, litigation, and regulatory sanctions. 

Third-party risk management (TPRM) helps bring your third-party risk under control to improve security and compliance. In this guide, we will help you understand what TPRM entails, its benefits, and best practices.

What is Third-party Risk Management?

Third-party risk management is the process of identifying and mitigating the risks created when working with outside organizations. An increasingly connected world creates IT security risks that could result in data loss or system outages. Growing reliance on third parties for business functions creates a financial risk should a third party’s actions disrupt your business operations. The actions of a third party can also create legal risks for your company. 

TPRM provides the framework, policies, and procedures you need to evaluate third parties and proactively control the risks they create.

Why Does It Matter? 

Third-party risk is nothing new, of course. 

A supplier that fails to deliver can disrupt a manufacturing line, security services can leave doors unlocked—what has changed is the breadth and depth of third-party relationships. 

Outsourcing has extended beyond basic services to include core business functions. Applications that once ran on company-owned systems are now delivered with X-as-a-Service models. Corporate networks are increasingly accessed by suppliers, vendors, and customers. Combined, these trends expand your exposure to IT security, financial, and legal risks.

Third parties become, in effect, part of your IT infrastructure. Their security weaknesses become your security weaknesses. Whether or not a third party can access protected data, their security breach can let hackers bridge into your systems. TPRM gives you the visibility into third-party security practices you need to develop effective controls.

Exposure to financial risks expands with every new third party you onboard. A service provider can disrupt your operations even if its security breach never touches your networks. TPRM lets you develop proactive measures to prevent or mitigate financial risks.

The legal consequences of third-party relationships can be considerable. An outside firm that mishandles your customers’ personal data makes your company the target of civil litigation. Implementing a TPRM framework identifies these legal risks and helps you develop controls and contingencies.

TPRM and Regulatory Compliance

Regulatory frameworks in many industries have evolved from pure enforcement into systems based on risk reduction. These new regimes expect companies to develop policies and systems that prevent or mitigate risks. Regulators still react to violations, but today’s proactive frameworks systematically integrate risk reduction into compliance. Here are a couple of them: 

HIPAA

US healthcare organizations are subject to the Health Insurance Portability and Accountability Act (HIPAA) which established protections for patients’ personally identifiable information. 

However, HIPAA regulations do not stop at a hospital’s doors. Any business associates with access to patient information must also be HIPAA-compliant. This includes independent laboratories, medical records processors, and other third parties. Healthcare organizations must apply risk analysis and management processes to their internal systems and third-party relationships.

GDPR

Unlike HIPAA, the European Union’s General Data Protection Regulation (GDPR) applies more broadly. Any company that collects and processes personal information must consider the risks this data processing creates for EU citizens. 

GDPR defines a controller as the organization that decides what personal information to collect and how to process that information. Controllers may outsource that processing to third parties, referred to as processors, which may contract with a fourth-party sub-processor.

GDPR expects a risk assessment to include risks created by their processors and sub-Processors. This assessment should guide the development of appropriate technical and organizational security measures.

TPRM lets you develop compliant risk management processes for these and other regulatory frameworks.

The TPRM Process

Third-party risk management should be part of your company’s overall risk management strategy. Review and revise your existing risk policies with third-party exposure in mind. Be sure to consider how third parties can impact regulatory and other compliance requirements.

Next, conduct an audit of your company’s third-party relationships. This audit should extend beyond your formal purchasing contracts. Third-party relationships also exist in open-source dependencies, workgroup-level relationships, and shadow IT. Use this audit to understand the risks these outside relationships create.

Finally, draft company-wide TPRM policies supplemented with policies for specific business units. At this point, your organization can begin evaluating each third party’s risk profile and take the actions necessary to mitigate their risks.

Evaluating Third Parties

Bringing your existing third-party relationships into compliance with your TPRM policies requires a case-by-case evaluation and remediation plan. Third parties in a position to do the most damage should get the greatest scrutiny. Companies that pose a lesser risk may not need as much attention, but every outside relationship needs to be considered.

Self-reported security questionnaires help you understand how a potential third party manages its own risks. Security ratings, penetration testing, and onsite evaluations can provide more objective assessments of the third party’s security and risk management processes.

Based on this due diligence, you can define the remediation steps needed to bring each outside relationship into compliance. These steps could be the third party’s responsibility, or they may involve refinements within your TPRM process. Update your third-party contracts with service level agreements that specify how each company must maintain compliance.

The TPRM Lifecycle 

Once your existing third parties are in compliance, your organization’s risk management can settle into regular operations. A typical TPRM lifecycle follows these stages:

1. Evaluation, Remediation, and Onboarding

Risk evaluation becomes part of the due diligence process whenever you consider a new third-party relationship. Like you did with your existing third parties, you will use various techniques to assess the new company’s ability to manage risk. Any issues must be remediated before bringing the new third party on board with contracts that specify compliance expectations.

2. Monitoring, Maintenance, and Review

Periodically re-evaluating third parties confirms the state of their security and risk management processes. Annual reviews may be sufficient for low-risk third parties. Those with access to critical systems and information, however, may require more frequent risk evaluations.

However, risk management cannot be a sequence of discrete events. TPRM is a continuous process. Evaluating a new third party before selection will not capture every risk this relationship could create. Changes within the third party’s organization or an evolution in your relationship can introduce new risks before the next review.

Most compliance leaders responding to a recent Gartner study uncovered risks only after bringing third parties on board. Almost a third of those new risks materially impacted the business, yet those risks could only be discovered later in the TPRM lifecycle.

Continuous monitoring of third-party compliance is essential. Automated monitoring systems can flag emerging risks. With early notice, you and the third party have a chance to remediate the risk before it becomes a significant event.

3. Offboarding and Termination

Business relationships inevitably end. When they do, you need processes to ensure risk does not linger after contract termination. Handing over the keys—digital and physical—is an obvious step. System integrations must be severed.

Third-party user accounts must be removed from your access control systems. ID cards must be returned and access codes changed.

However, simply cutting off the third party may not be enough. You must pay more attention to third-party relationships with a high level of integration in your business. If an outside company processed customer information, for example, you must ensure that it destroys all digital records and either destroys or returns any physical records.

Things to Keep In Mind

If you have never assessed your company’s use of third parties, implementing TPRM can be daunting. Third parties get brought into the organization at all levels—and not always through formal contracting processes. Your internal audit will uncover more third-party relationships than you expect. Here are some best practices that can help streamline your TPRM implementation:

Don’t Adopt TPRM All at Once

Focus on the business unit or department that is exposed to the greatest risk. Audit that group’s third-party relationships. Then, prioritize the high-risk third parties before bringing medium and low-risk third parties into TPRM compliance. From there, you can expand TPRM further into the organization.

Let Risk Shape Your TPRM Policies

Avoid making blanket TPRM policies. Penetration testing, for example, will not be appropriate for every external relationship. Use your audits to classify types of third parties based on the risks they could create. Adjust the evaluation process to reflect those inherent risks. Certain remediation actions may be urgent for high-risk third parties but non-essential for low-risk third parties.

Your company’s many third-party relationships can pose significant information security, financial, and legal risks. Implementing automated continuous compliance monitoring will allow your team to focus on other areas like third-party risk management. Schedule a demo to learn more.

The Drata Newsletter

Trusted is Drata’s newsletter focused on the world of compliance, security, data privacy, and everything in between.

Secured

The Drata Community

Screen Shot 2022-07-13 at 9.45 1
Resources for you
How to Conduct a Business Impact Analysis

How to Conduct a Business Impact Analysis

Drata Series C Blog Hero Image

Announcing Drata’s Series C

Blog-Featured-Images-28

What Are Containers? + Why Should You Use Them

Troy Fine
Troy Fine
Director of Risk & Compliance