How To Build a Third-Party Risk Management (TPRM) Program

Recent cyber incidents have illustrated the downstream impact to customer organizations when third-party technologies and service providers face disruptions or failures. These events serve as reminders of the vulnerabilities inherent in an organization’s reliance on external partners.

This trend highlights the important role of Third-Party Risk Management (TPRM). While TPRM doesn’t eliminate the risks that third-party relationships pose completely, when done effectively, it helps organizations understand and manage these risks in order to maintain the integrity, security, and resilience of business operations.

What is Third-Party Risk Management (TPRM)?

TPRM is more than a checklist or security questionnaire; it’s a strategic approach that brings together departments across an enterprise to ensure that the risks inherent in third-party relationships do not compromise the operational effectiveness, security, compliance, or reputation of an organization. Each risk that a vendor brings will have unique characteristics, however, there are a few universal elements that support building a resilient TPRM strategy.

5 steps an organization can take to start building a TPRM strategy:

1. Establish a TPRM Framework

Develop a formal TPRM policy that defines how third-parties are identified, and how third-party risks are assessed, monitored, and managed. Ensure that this framework is aligned with the overall business strategy and risk appetite. The goal is to understand the risks third parties pose to an organization. This is not for when an incident might occur and the organization’s data is compromised, but also where working with the third party inadvertently introduces security risks to the organization (e.g., API connections, tools integrations, remote access, data transfer, etc.)

2. Conduct Due Diligence

Before engaging with any vendor, perform due diligence that evaluates their security controls, compliance with applicable regulations, financial stability, and operational resilience. This process should be detailed and adapted to the level of risk that the vendor poses. The Cybersecurity and Infrastructure Security Agency (CISA) provides a detailed template that can be a useful reference.

3. Implement Strong Contractual Controls

Negotiate contracts that define security and compliance standards expected of vendors. Where feasible, include the right to audit and mechanisms for breach notification and remediation.

4. Plan for Incident Response

Coordinate with vendors to ensure that there are clear and tested plans in place for notifying and responding to security incidents. This collaboration is critical for quick and effective mitigation of any issues that might arise.

5. Educate and Train Your Team

Ensure that relevant personnel within the organization are aware of the risks associated with third-party engagements and are trained on the organization’s TPRM policies and procedures. This includes teams across the different departments who interact with or manage vendor relationships.

Detailed Considerations on your TPRM Build-out Strategy

As the organization starts building out the TPRM strategy, below are additional details and questions to consider.

Pinpoint and Prioritize

Begin with understanding the nature of the organization’s relationship with the vendor. Determine why each vendor is necessary and how they interact with the organization’s systems and data. This clarity is the first step in pinpointing potential security risks.

Stop and Consider

• What services are the vendor providing? Are these services critical to business operations?

• What data is being shared? Is sensitive data being shared? How is data being shared?

• How do they connect with the organization's systems? Which systems? Are these critical systems to the business? Do these systems store sensitive data?

• What impact would the business face if the vendor’s system went down? Would the impact be financial, reputational, etc.?

• How could a breach at the vendor impact the business? Would sensitive data be potentially impacted? What regulatory or financial considerations would need to be considered?

Conduct Security Due Diligence

Once the organization understands the nature of the relationship with the vendor and the potential risks involved, the next step is diving deep into the security practices of the organization’s vendors. The objective is to understand the vendor’s security policies, programs and posture. The intent behind this is to determine whether they address the identified risks and are aligned with the risk that the vendor poses to the organization.

When evaluating vendors, the risks posed can vary depending on the relationship, but key areas to review include:

Security Program Maturity

Determine if the vendor demonstrates a strong commitment to security, evidenced by training, regular updates and a clear security roadmap.

• Does the vendor have a dedicated security team?

• Does the vendor have established and documented security processes?

• Does the vendor provide training and phishing simulations to their employees?

Data Management

Ensure that the vendor has effective data management practices in place, including data encryption, storage, processing and disposal.

• How does the vendor secure data at rest and in transit?

• What data disposal measures are in place to prevent unauthorized access?

Operational Resilience

Understand the vendor’s ability to maintain critical operations during and after a disruption. This includes their incident response, business continuity and disaster recovery processes.

• What is the vendor’s history with disruptions and how have they managed them?

• Does the vendor have cyber insurance in place?

• Does the vendor have Return to Objectives (RTO) and Return Point Objectives (RPO) in place?

• Does the vendor have an Incident Response Plan and Business Continuity Plan in place? Do they test these plans (i.e., Tabletop exercises)?

Vulnerability Management

Assess that vendors have processes in place to effectively identify, evaluate, and mitigate vulnerabilities in their systems and software.

• Are vulnerability assessments and penetration tests conducted regularly?

• How comprehensive is the vendor’s vulnerability management program?

• Does the vendor have patching Service Level Agreements (SLAs) for vulnerabilities identified based on risk?

Identity and Access Management (IAM)

Do the vendor’s IAM practices adhere to the principle of least privilege and effectively manage user access and authentication?

• How does the vendor manage and secure user identities and access controls?

• What mechanisms are in place to authenticate and authorize users?

Subcontractor and Fourth Party Vendor Oversight

Assess the practices that the vendor has on their vendors and subcontractors, ensuring that they extend their security standards down the supply chain.

• Does the vendor have its own third-party risk management program in place? What does it look like?

• How does the vendor manage and monitor its subcontractors?

Regulatory Compliance

Confirm that vendors adhere to relevant legal and industry standards, especially those around data protection and privacy.

• What certifications or proof of compliance can the vendor provide?

• Are there gaps in the vendor’s compliance that could expose the organization to risks?

Contractual Safeguards

Although not always feasible, where possible, businesses should ensure that the vendor contracts include clauses that hold them accountable for complying with industry standards and regulations. This includes data protection, confidentiality, security practices, reporting incidents and the right to perform audits.

Stop and Consider

• Does the vendor contract identify who to report security failures or breaches to?

• Does the business outline when the vendor must report failures/breaches and how often updates should be provided? What information should be shared?

• Does the vendor contract include terms that hold the vendor accountable?

• Are penalties in place for non-compliance?

• Does the vendor contract include confidentiality provisions outside of an NDA?

Ongoing Monitoring

A vendor’s risk profile can change. Based on the risk that the vendor poses to a business, the business should monitor and assess the relationship with its vendors and their security posture to detect and respond to changes and potential vulnerabilities.

Stop and Consider

• How frequently does a business review its vendors’ security practices?

• Has the relationship with the vendor changed (e.g., different services being provided, data being shared, or systems connected)?

• Does the organization have tools and processes for monitoring vendor compliance in real-time?

Incident Response Alignment

Ensure the vendors’ incident response and business continuity plans align with the business’ own to facilitate a coordinated response to any security incidents.

Stop and Consider

• Are your vendors’ response plans tested and reviewed annually?

• Does the vendor have a process in place to provide its customers with timely notice of any security incidents?

• How quickly can a vendor respond to and recover from a security incident?

Start Strategizing Today!

Building a TPRM strategy is not easy, but the foundation does not require expensive tooling or complicated processes. Creating the foundation can start by taking a collaborative approach with engagement from procurement, finance, legal, security, compliance, IT and business operations to outline the framework and implementation roadmap.

This material is intended for general guidance and informational purposes only. This material is under no circumstances intended to be used or considered as specific insurance or information security advice. This material  is not to be considered an objective or independent explanation of the matters contained herein.