Skip to main content
Security Scorecard

Third-Party Risk Management Framework: How to Select the Right One

Posted on December 22nd, 2021

Third-party technology providers can confer huge strategic advantages to a business. It allows each organization to focus on their highest value activities, but there’s a downside; new cyber security risks come with each partnership. Third-party risk is now an integral part of business ecosystems. A solid risk management framework is required to manage risk and keep you and your customers safe.

Know your threats

According to EY, 36% of organizations suffered a breach caused by a third party in the last year, yet 56% of organizations are relying on agreements with third parties to govern parties with fourth parties, and according to Ponemon, 63% of organizations rely on the reputation of third parties to determine their risk.

Neither is a reliable way to judge the risk a third party poses to your organization’s cybersecurity.

Establishing a risk assessment framework is the first critical step an organization can take in order to decrease risk and increase security. The risk assessment should not only be a part of an organization’s internal process but should also include supply chain and third parties.

Third parties consist of an organization’s vendors, suppliers, business channels, marketing partners, and so on. The choice of a third-party risk management framework should be based on the companies’ structures and risk profiles because no two companies are the same.

You are liable for third parties’ failures

The US Federal Office of the Comptroller of the Currency puts it succinctly in its guidance for banks and savings associations:

“[An organization] should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.”

As the FFIEC notes in its Supervision of Technology Service Providers guidance, using partners in your business processes “does not diminish the responsibility of […] management to ensure that the activities are conducted in a safe and sound manner […] just as if the institution were to perform the activities in-house.”

In other words, a proper third-party risk management framework is not a ‘nice to have’. It’s required to limit liability. And liability is a real issue, especially now as many organizations are still struggling to respond to the pandemic. According to Deloitte’s latest third-party risk management survey, more than half of organizations faced one or more third-party risk — even those who did felt their TPRM program was strong before the pandemic. Of those attacks, 13% were incidents that severely compromised financial performance and profitability, impaired customer service or seriously breached regulation.

Best practices for third-party risk management frameworks

The most popular risk management frameworks are the NIST and the ISO frameworks, both of which can be used in tandem and encourage organizations to assess risks and implement controls based on their needs.

There are several best practices for any risk management framework:

  • Take inventory of all third parties the organization has a relationship with.
  • Catalog cyber security risks that third parties can expose the organization to.
  • Assess and segment third parties by risk and focus on all activities defined as critical activities.
  • Develop rule-based diligence testing to stay focused on third parties with the most critical cyber security risk.
  • Establish a decision-making group to own the governance and framework.
  • Review critical activities to set a benchmark for the third-party risk management framework.
  • Define three lines of defense including business owners, third-party oversight, and an internal audit team.

A solid third-party risk management framework protects an organization's clients, employees, and the strength of their operations. Properly managing cyber security risks can reduce costs allowing an organization to operate at a greater efficiency with quality third-party partnerships that can radically change an organization for the better.

Third-party risk management frameworks provide standards across the organization, streamlining and focusing on third parties posing the greatest risks. Ultimately this saves money, whether by reducing and eliminating fines and liabilities or by protecting reputation and brand perception.

How can SecurityScorecard help?

At an administrative level, managing third-party relationships can become a cumbersome task. As a result, many organizations have opted to use intelligent tools that leverage existing data on cyber security risk in order to implement their third-party IT risk management processes.

SecurityScorecard’s Security Ratings help identify and prioritize third-party cyber risks. Trusted by the world’s leading brands, SecurityScorecard can help you strengthen your risk management framework, reduce risks and increase compliance.

Return to Blog
Join us in making the world a safer place.