What is a Third-Party Risk Assessment?

Most modern organizations can only exist by utilizing third-party providers. A third-party provider is any vendor providing or receiving services outside the organization’s normal network infrastructure. A vendor can be a supplier, service provider, or even the software that you are using to run your business.  

Third-Party vendors have been an invaluable tool in maximizing profit  for growing companies, but they also come with risk. So, how do you best assess your systems’ vulnerabilities when sending or receiving confidential data through a third-party provider?

What is Third-Party risk?

Third-party risk refers to the threats and vulnerabilities created by gaps in outside vendors’ cybersecurity postures that open doors for malicious actors to invade their network – and yours! 

Every outside vendor that holds your data brings additional cybersecurity risks. These risks could leave sensitive information open to unauthorized access if  a comprehensive cybersecurity program is not in place.  

A crushing illustration is the 2020 Solarwinds hack. Solarwinds is an example of a third-party software product used by various organizations.  There were multiple preventable system failures that gave the attackers access to thousands of partnered networks. 18,000 Solarwinds customers downloaded malware disguised as a software update, enabling malicious malware code to infiltrate and spread to their customers’ systems.      

Something as seemingly innocuous as a breach on an electronic parts and plastics supplier brought Toyota Motors to a screeching halt when they had to suspend production in 14 of their major Japanese plants.. 

But it is the healthcare industry that has become one of the cyber attacker’s most common victims.  In 2022, the healthcare industry accounted for almost 35% of all cybersecurity incidents. In 2023 more than 39 million individuals were impacted by a healthcare sector cyber attack. Managed Care of North America, MCNA suffered a major data breach between February and March of this year.  An unauthorized party was able to access and remove copies of patients personal information and now 8.9 million people have their most personal information compromised.

Whether you are working with a third-party vendor, are the vendor, or both, a third-party vendor’s cyber security team and security processes should be scrutinized to avoid facing either side of an audit.  

What is a Third-Party risk assessment?

As you can see, third-parties can expose any organization to an enormous amount of risk. The only way to protect your business and its assets is by mitigating exposure to potential threats through a comprehensive third-party risk assessment. 

A third-party risk assessment gives you an in-depth examination of external vendors, identifying possible security risks and how best to avoid potential pitfalls.

By determining potential cyber threats, organizations can make important decisions as to whether you should  fix  or terminate your third party partnerships. 

Why invest in a Third-Party risk assessment?

It is no secret how devastating a successful cyber attack can be. In 2022 about 70% of businesses experienced a ransomware incident. In the third quarter of 2022, nearly 15 million data records were breached. It costs businesses, regardless of size, on average, $200,000 when a security breach occurs. While preventing all security threats may not be possible, investing resources into threat identification and monitoring practices to better protect your business is vital.

Periodic third-party risk assessments are always a good business practice, but there are times when they are non-negotiable. Important markers that should always trigger an organization’s cybersecurity assessment are as follows: 

• You share sensitive or confidential information (e.g., personal identifiable information (PII) of your customers) with a vendor or outsourced service provider.  In this circumstance, an assessment evaluates an outside entity’s capabilities, such as infrastructure, data security measures, and compliance practices. It ensures that an outside vendor’s continuity plans align with your company’s data protection and privacy requirements.
• Your customers may perform outside assessments on you as a third party because you hold their sensitive data.  A proactive assessment by you will speed a path to revenue, since you’ll be prepared for any incoming third party risk assessments.  When unprepared, this can hold up – or even lose – lucrative contracts.
• You are undergoing a financial event such as a merger or acquisition.  Assessing a target company’s cyber capabilities is critical during the due diligence phase.  A famous miss here was Yahoo’s $350M reduction in valuation after a cyber incident.  You want to know about these issues before purchase.  

Proactive cybersecurity, will save any organization far more revenue and time than if forced to respond to a breach that has already occurred. If an ounce of prevention is worth a pound of cure, then in the case of Solar winds, that “ounce” would have equaled $26 million dollars. This was a far more catastrophic loss to Solar Winds and its customers than any front end revenues put toward avoiding such a disaster. 

How is a Third-Party risk assessment performed?

The time spent on a typical third-party risk assessment will depend on the number of third-party vendors, the amount of information shared or received with vendors, and the degree of data protection and mapping already in place. 

An analyst will start with the most critical third parties – those that hold your most sensitive and confidential data. 

The analyst will identify these critical third parties and then determine areas of risk around data transfer and data protection. This could involve reaching out directly to these third parties and having them fill out a questionnaire.  The discovered risks are entered into a risk register and the risk is treated according to business priorities.  

A robust, on-going, third-party risk management program has the following elements: 

• Assessing risk for individual vendors according to their importance to your organization. Here vendors can be placed in categories based on threat levels.
• Classifying partnerships according to their access to your systems, networks, and data.
• Reviewing service level agreements (SLAs) to ensure third-party vendors perform their hired tasks – and you are conforming to any agreed-upon contractual third-party protection for your customers.
• Determining compliance requirements for your organization to clearly outline what regulations and standards you and external partners must satisfy.
• Assessing select third-party vendors according to their answers and independent review. This may include an on-site visit.
• Providing continuous monitoring for changes in their environment as well as yours.

Your Third-Party risk assessment next steps

If you haven’t run a third-party risk assessment in the last year – or ever – the time to act is now.  

Here are some things to prepare for an upcoming third-party risk assessment:

• Review and classify your entire vendor list, based on the sensitive of the data you share with them
• Create a data map for all sensitive data flows, including across third party vendors
• Create a risk register if you don’t have one already
• Work with legal to review your current contractual obligations as a third party to your customers 

Looking for more guidance on how to move your cybersecurity program forward with a comprehensive third-party risk assessment? Cyber Defense Group can help.

We are shifting the cybersecurity consulting paradigm to address the needs of mid-market for cloud-native or cloud-reliant companies experiencing rapid growth.

Founded in 2016 by global security expert Lou Rabon, our nimble team draws on decades of experience and diverse technical expertise, delivering a full spectrum of information security and implementation advisory services on a fixed-cost basis. Our results-driven approach will help meet your immediate needs and prepare you to navigate what’s ahead. 

Get in touch with our experts and see what results are possible for your organization.