Third-Party Risk Management

Why is cybersecurity Third-Party Risk Management of paramount importance?

The more business partners an extended enterprise has, the greater the need to think about third-party cybersecurity risk management.

Published on 24 March 2022 (Updated on 15 April 2022)

In May 2021, a study conducted by the Ponemon Institute found that 51% of companies had already been the victims of data breaches because of their subcontractors. This fact not only illustrates one of the many cybersecurity challenges for companies in 2021 but also highlights the need to put the management of third-party cybersecurity risks at the top of your priorities.

Over the past years, a lot of effort has been made in cybersecurity to develop better ways to manage risk. Companies that have invested in Third-Party Risk Management programs have turned out to be more resilient to the COVID-19 crisis. These organisations protect themselves at the same time against operational risk, legal risk – regarding compliance with the General Data Protection Regulation (GDPR) – and financial risk.

What is cybersecurity Third-Party Risk Management (TPRM) about?

As the “extended enterprise” model has been meeting huge success for quite some time, the necessity of managing cybersecurity third-party risks has emerged.

The cyber security challenges of the extended enterprise model

Since the mid-1990s, the extended enterprise model has been dominant. Chrysler, the car manufacturer, was the first to adopt it. The extended enterprise model relies on the digitisation of its processes to take partnerships further. As a “lead firm”, it creates added value, while third-party companies provide the skills it lacks.

These third-party vendors interact with the lead firm through new ways of sharing digital information. Computer networks, software, messaging and data exchange systems: the extended enterprise is characterised by the digitised sharing of information and processes.

This broad third-party ecosystem has the advantage of creating new growth synergies. However, this ecosystem also constitutes a favourable ground for the emergence of cyber risks as each partner represents a potential entry point for cyberattacks.

What does third-party risk mean in terms of cybersecurity?

At C-Risk, our method of risk management, vulnerability assessment and cybersecurity control is based on the FAIR™ standard, according to which risk is an uncertain event capable of generating an asset-related loss. That loss is characterised by its probability of occurrence. Risk thus becomes “the expected frequency and magnitude of future loss”.

Information security risks are diverse and can take different forms from one company to another. However, third-party cyber risks tend to remain the same:

  • confidential data breach;
  • unavailability of services, for example in the event of a ransomware cyberattack;
  • industrial espionage;
  • smurf attack, a type of attack exploiting the vulnerabilities of subcontractors that are less protected than the lead firm;
  • fine for lack of compliance with various regulations.

Third-party cyber risk therefore falls under operational, but also financial, reputational, legal and regulatory risk.

The extended company enforces Third-Party Risk Management

Who are the cybersecurity third parties?

In legal terms, a third party, or third-party company, is a legal entity external to a business relationship. Third parties comprise many external stakeholders:

  • suppliers;
  • co-contractors and subcontractors;
  • distributors;
  • franchisees;
  • consultants and experts;
  • partners;
  • clients;
  • insurance companies.

Obviously, the types of third parties differ from one lead firm to another. It is always necessary to go through a cyber risk assessment and a cybersecurity strategy review to identify those third parties. These are critical processes because they prevent the third-party ecosystem – whose purpose is to bring additional skills – from threatening either the activities or the reputation of the lead firm.

How does Third-Party Risk Management work in a corporate context?

Third-Party Risk Management (TPRM) involves designing and then executing a continuous preventive procedure. In cybersecurity, TPRM is indeed more about preventing damage than repairing it. This approach calls for management centralisation and continuous monitoring of the third-party network and IT processes.

This task may therefore require putting someone in charge of cybersecurity TPRM. This can be the risk manager, or the CIO. In any case, several divisions will have to cooperate:

  • the IT division is of course responsible for flagging software or digital communication channels it finds to be insufficiently secure;
  • general management needs to warn the other divisions when a change in a partner's governance calls for a reevaluation of their IT reliability;
  • the legal affairs division scrutinises the regulatory compliance of the third parties.

Third-Party Risk Management is inherent to every partnership

Third-Party Risk Management: prevention best practices

There are various methods to set up an effective TPRM program. All of them rely on two mainstays: verification of third-party due diligence, and continuous monitoring of the risk for as long as the business partnership lasts.

C-Risk’s Third-Party Risk Analysis: the CIA model

At C-Risk, our third-party risk analysis is based on the FAIR analysis method. This method starts by determining the scope of the risk, i.e. the potential “loss event”.

You first need to determine which asset is at risk, in other words, which element of your operation would lose value or engage your liability if it happened to be compromised. Then, you also need to pinpoint the threat agent in such a scenario. This is why you should list all the suppliers your organisation exchanges data with.

Finally, you also ought to estimate the consequences of that risk. According to the CIA model, those consequences can fall under three categories:

  • C, for Confidentiality: direct repercussions on regulatory compliance requirements – more specifically on GDPR;
  • I, for Integrity;
  • A, for Availability of the elements critical to value production.

The second step of this process is to estimate the expected frequency and magnitude of the potential financial loss. Ultimately, you should schedule a meeting with the most exposed partners of your supply chain to discuss their cyber risk mitigation strategies. Some third parties are more vulnerable than others, due to their:

  • activity – e.g. an online payment solution;
  • geographical parameters;
  • security clearance regarding access to your critical servers, information systems and data.
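The two FAIR steps above (scope the loss event per third party, then estimate the expected frequency and magnitude of the financial loss) can be carried out numerically. The following is an added example, not C-Risk's tooling nor a FAIR reference implementation: it takes a calibrated three-point estimate (minimum, most likely, maximum) of loss event frequency and of loss magnitude for each supplier, runs a Monte Carlo simulation of annual loss, ranks the suppliers by expected loss, and flags those whose 90th-percentile annual loss exceeds a risk appetite, which are the partners to meet about their mitigation strategies. The triangular sampling, the Poisson event count, the EUR figures and the three sample suppliers are all assumptions constructed for the example (FAIR practitioners more commonly use PERT distributions).

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class ThirdParty:
    """One supplier in the lead firm's ecosystem, with calibrated estimates."""
    name: str
    # Loss event frequency, events per year: (minimum, most likely, maximum)
    frequency: tuple
    # Loss magnitude per event in EUR: (minimum, most likely, maximum)
    magnitude: tuple
    # CIA dimension most affected by the loss scenario: "C", "I" or "A"
    cia: str


def _triangular(rng, estimate):
    """Sample a (min, most likely, max) estimate. Note that
    random.triangular takes (low, high, mode), so the tuple is reordered."""
    low, mode, high = estimate
    return rng.triangular(low, high, mode)


def _poisson(rng, lam):
    """Number of loss events in one simulated year for rate lam
    (Knuth's method, adequate for the small rates used here)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_loss(party, iterations=10_000, seed=1):
    """Monte Carlo: for each simulated year, draw a frequency, draw how many
    loss events actually occur, and sum one magnitude draw per event."""
    rng = random.Random(seed)
    losses = []
    for _ in range(iterations):
        rate = _triangular(rng, party.frequency)
        events = _poisson(rng, rate)
        losses.append(sum(_triangular(rng, party.magnitude) for _ in range(events)))
    return losses


def analytic_expected_loss(party):
    """Closed-form sanity check: mean frequency x mean magnitude
    (the mean of a triangular distribution is (min + mode + max) / 3)."""
    return (sum(party.frequency) / 3) * (sum(party.magnitude) / 3)


def summarise(party, iterations=10_000, seed=1):
    """Expected annual loss and 90th-percentile annual loss for one supplier."""
    losses = sorted(simulate_annual_loss(party, iterations, seed))
    p90 = losses[int(0.9 * (len(losses) - 1))]
    return {"name": party.name, "cia": party.cia,
            "mean": statistics.fmean(losses), "p90": p90}


def rank_third_parties(parties, **kw):
    """Suppliers ordered from highest to lowest expected annual loss."""
    return sorted((summarise(p, **kw) for p in parties),
                  key=lambda s: s["mean"], reverse=True)


def exposed_partners(parties, appetite_eur, **kw):
    """Names of the suppliers whose 90th-percentile annual loss exceeds the
    lead firm's risk appetite: the ones to meet about mitigation."""
    return [s["name"] for s in rank_third_parties(parties, **kw)
            if s["p90"] > appetite_eur]


# Constructed sample estimates (illustrative figures, not real data)
SAMPLE_PARTIES = [
    ThirdParty("payment gateway", (0.5, 1.0, 3.0), (50_000, 200_000, 1_000_000), "C"),
    ThirdParty("hosting provider", (0.2, 0.5, 2.0), (20_000, 80_000, 400_000), "A"),
    ThirdParty("marketing agency", (0.1, 0.3, 1.0), (5_000, 20_000, 100_000), "C"),
]

if __name__ == "__main__":
    for s in rank_third_parties(SAMPLE_PARTIES):
        print(f"{s['name']:<18} {s['cia']}  mean={s['mean']:>12,.0f}  p90={s['p90']:>12,.0f}")
    print("partners to meet:", exposed_partners(SAMPLE_PARTIES, 750_000))
```

The mean reported per supplier should sit close to `analytic_expected_loss`; the 90th percentile is what the FAIR magnitude estimate adds over a simple expected value, since a supplier with rare but very large losses can look acceptable on average while exceeding the appetite in the tail.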

What should you do if a third-party risk turns out to be remarkably high?

First of all, here are a few fundamental requirements:

  • know your company's regulatory framework in terms of cybersecurity and data confidentiality;
  • be prepared to conduct a cyber risk assessment of your most exposed third parties;
  • continuously monitor the risk, particularly when a third party makes a change in their regulations or in their scope of action.

Now if a third-party risk were to become remarkably high, you should follow the 4T rule and select one or more of the following options:

  • Terminate the risk by putting an end to your business partnership;
  • Treat the risk by mitigating its consequences;
  • Transfer the risk to another third party, like an insurance company;
  • Tolerate the risk if the termination of the partnership is detrimental to your company.

Necessary analysis of third-party cyber risks

The current interest in Third-Party Risk Management can be explained by the increase in information security and confidentiality breach events.

Be they IT-related or not, third-party risks can have operational, reputational, legal, regulatory and financial repercussions on the lead firm.

If you conduct third-party cyber risk assessments on a regular basis, you will be able to prevent practices that might introduce IT vulnerabilities. This is also one of the best possible means of preparation for ICO inspections.