Third Party Risk Management

Key Control Areas

• Third Party Classification and Risk Tiering (RA-03, PM-09, SR-02): Classify all third parties by data sensitivity (PII, financial, health, IP), system criticality (business-critical, important, standard), access type (network, data, physical, none), and substitutability (single source, limited market, commodity). Assign risk tiers: Tier 1 (critical — access to sensitive data or critical systems, hard to replace), Tier 2 (significant — access to internal systems or moderate data), Tier 3 (standard — limited access, easily replaceable), Tier 4 (minimal — no data access, commodity services). Each tier maps to a proportionate assessment depth and monitoring frequency. Maintain a complete third party inventory with owner, tier, contract expiry, and last assessment date.
• Due Diligence and Security Assessment (SA-04, SA-09, SR-05, SR-06): Tier 1 requires: SOC 2 Type II report (or ISO 27001 certificate with statement of applicability), annual penetration test results (application and infrastructure), evidence of vulnerability management programme, incident response plan, business continuity/disaster recovery test results, cyber insurance certificate of currency, and completed security questionnaire (SIG Lite or CAIQ). Tier 2 requires: SOC 2 Type II or ISO 27001 certificate, penetration test summary, and security questionnaire. Tier 3 requires: Self-attestation questionnaire and evidence of basic security controls. Tier 4 requires: Confirmation of standard terms only. Assess before onboarding and at intervals proportionate to tier (Tier 1 annually, Tier 2 every 18 months, Tier 3 every 2 years).
• Contract Security Requirements (SA-04, SA-09, PS-07): Embed security obligations in all vendor contracts proportionate to tier. Minimum clauses: data processing agreement (if personal data), security incident notification timeline (72 hours maximum for Tier 1, aligned with GDPR Article 33), right to audit (Tier 1 and 2), data return/destruction on termination, sub-processor notification and approval requirements, compliance with specified standards (SOC 2, ISO 27001, PCI DSS as applicable), insurance minimums, and liability allocation for security breaches. Use a standard security schedule that attaches to the commercial agreement rather than negotiating security terms ad-hoc per vendor.
• Continuous Monitoring and Reassessment (CA-07, RA-05, SR-06): Point-in-time assessment is necessary but insufficient. Implement continuous monitoring proportionate to tier: Tier 1 — real-time security rating monitoring (BitSight, SecurityScorecard, RiskRecon), SOC 2 Type II report refresh annually, automated alerts on rating changes, quarterly review meetings. Tier 2 — security rating monitoring, annual attestation refresh. Tier 3 — biennial questionnaire refresh. Monitor for: public breach disclosures, significant rating drops, regulatory actions, financial distress indicators, leadership changes in security function. Trigger reassessment when monitoring signals degrade below threshold.
• Fourth Party and Sub-Processor Risk (SR-03, SR-05, SA-09): Your vendor's vendors are your risk. Require Tier 1 vendors to disclose material sub-processors and notify before changes. Assess concentration risk — multiple critical vendors depending on the same cloud provider or infrastructure service creates correlated failure risk. Map critical fourth party dependencies: cloud hosting provider, identity provider, CDN, payment processor, key management service. Require contractual flow-down of security obligations to sub-processors. For SaaS vendors, assess whether they maintain SOC 2 coverage over their own sub-processor management.
• Incident Response and Notification (IR-06, IR-08, SA-09): Define incident notification requirements per tier. Tier 1: notification within 24 hours of confirmed incident affecting your data or services, with root cause analysis within 72 hours and remediation plan within 7 days. Tier 2: notification within 48 hours, RCA within 5 business days. Maintain pre-agreed incident communication channels and contacts (not just a generic support email). Include your third party incident playbook in your own IR plan — who to contact, escalation path, communication to your customers, regulatory notification obligations. Test third party incident scenarios in tabletop exercises.
• Access Management and Data Controls (AC-03, AC-06, SC-08, SC-28): Third party access to your systems must follow least privilege. Dedicated accounts (never shared credentials), MFA required, just-in-time access for maintenance windows, VPN or zero trust network access for remote connections. Segregate third party network access from internal employee access. Monitor and log all third party access with alerts on anomalous patterns. For data sharing: encrypt in transit (TLS 1.2+) and at rest, use dedicated secure transfer mechanisms (not email), apply data loss prevention controls, and maintain data flow inventories showing what data goes where.
• Cyber Insurance Verification (PM-09, SA-04): Require Tier 1 and Tier 2 vendors to maintain cyber insurance with coverage proportionate to the relationship risk. Verify: policy type (cyber liability, errors and omissions, professional indemnity), coverage limits (minimum aligned to potential exposure), policy currency (certificate of insurance annually), coverage scope (data breach response, business interruption, regulatory defence, third party liability). Note that cyber insurance is not a control — it is a risk transfer mechanism. It does not prevent incidents but ensures the vendor can fund response and remediation. A vendor without cyber insurance who suffers a major breach may not survive to fulfil their remediation obligations.
• Exit Planning and Data Return (CP-02, SA-04, SA-09): Plan exit before you need it. For Tier 1 vendors: document data return/destruction procedures, establish maximum data return timeline (30 days), verify data destruction certification, maintain alternative vendor shortlist, document migration runbook including data format and API compatibility. Test data portability before it becomes critical — extract a sample dataset and verify it imports to an alternative platform. For SaaS dependencies: ensure data export in standard formats (CSV, JSON, API), not proprietary. Contract should specify that the vendor will provide reasonable transition assistance at standard rates for a defined period after termination.
• TPRM Programme Governance (PM-09, PM-14, PL-02): Assign TPRM programme ownership — typically procurement or vendor management with security providing assessment and monitoring. Maintain TPRM policy defining tier criteria, assessment requirements per tier, exception process, and escalation path. Report TPRM metrics to leadership: total vendors by tier, percentage assessed within policy, overdue assessments, average vendor security rating trend, open remediation items, vendors with expired certifications. Conduct annual programme review including: tier classification accuracy, assessment process efficiency, monitoring effectiveness, and lessons from any third party incidents.

When to Use

Any organisation using cloud services, SaaS platforms, or outsourced IT services. Regulated industries with explicit supply chain risk requirements (financial services under DORA/PRA SS2/21, healthcare under HIPAA, government under FISMA). Organisations processing personal data under GDPR (data processor obligations). Organisations that have experienced a third party security incident. Any entity whose customers ask for SOC 2 Type II reports or completed security questionnaires.

When NOT to Use

Organisations with no external vendor dependencies (extremely rare). Very small teams where all services are built and operated internally with no cloud or SaaS usage.

Typical Challenges

Assessment fatigue — Tier 1 due diligence on every vendor regardless of risk. Questionnaire theatre — vendors provide policy documents that do not reflect operational reality. Point-in-time assessment treated as continuous assurance. Fourth party risk invisible because vendors will not disclose their sub-processors. Exit planning deferred because it implies the relationship will fail. TPRM team understaffed relative to vendor population (500+ vendors, 2-person team). Vendors resisting right-to-audit clauses. SOC 2 Type I presented as equivalent to Type II. Cyber insurance verification not part of standard onboarding. Shadow IT creating unmanaged third party relationships.

Threat Resistance

Addresses supply chain compromise by requiring security assessment before vendor onboarding and continuous monitoring during the relationship. Reduces fourth party concentration risk through sub-processor disclosure and dependency mapping. Ensures incident response capability through contractual notification obligations and tested playbooks. Provides financial resilience through cyber insurance verification. Enables clean exit through pre-planned data return and migration procedures.

Assumptions

The organisation uses external vendors, cloud services, and third party software. A procurement or vendor management function exists. The organisation has data classification and system criticality definitions. Regulatory requirements mandate supply chain risk management (financial services, healthcare, government, critical infrastructure).

Developing Areas

• Continuous third-party monitoring is displacing point-in-time assessment as the primary assurance mechanism, but the methodology is immature. External security rating services (BitSight, SecurityScorecard) provide observable signals but measure only internet-facing posture -- they cannot assess internal controls, incident response capability, or data handling practices. The gap between what continuous monitoring can see (exposed services, certificate hygiene, DNS configuration) and what matters (access controls, encryption, backup integrity) means ratings are directional indicators, not definitive risk measures.
• Nth-party (sub-contractor) risk visibility is the most significant blind spot in TPRM programmes. DORA and PRA SS2/21 mandate sub-processor visibility for critical ICT services, but practical enforcement is limited. Most Tier 1 vendors resist disclosing their full sub-processor chain, and the concentration risk from multiple critical vendors depending on the same cloud provider (AWS, Azure, GCP) or infrastructure service remains difficult to map and nearly impossible to mitigate without architectural diversity that increases cost and complexity.
• AI-assisted vendor risk assessment is emerging as a response to the scale problem -- hundreds of vendors requiring assessment with limited analyst capacity. LLM-powered tools can parse SOC 2 reports, extract control findings, compare against organisational requirements, and generate risk summaries, reducing initial assessment time by an estimated 60-70%. However, the accuracy of automated assessment is unvalidated at scale, and the risk of hallucinated compliance findings in AI-generated assessments creates a new category of assessment error.
• Software supply chain transparency through vendor-provided SBOMs is a regulatory requirement in progress (EU Cyber Resilience Act, US Executive Order 14028) but practical adoption is minimal. Fewer than 10% of commercial software vendors provide machine-readable SBOMs with their products, and those that do often deliver incomplete or inaccurate bills of materials. The tooling to consume, validate, and act on vendor SBOMs -- matching components to known vulnerabilities, detecting licence conflicts, verifying provenance -- is available but not integrated into standard TPRM workflows.
• Concentration risk measurement is gaining regulatory attention but lacks standardised methodology. Regulators want to know what happens if a major cloud provider or critical SaaS platform suffers a prolonged outage, but measuring concentration requires mapping dependency chains across hundreds of vendors, identifying single points of failure, and modelling correlated failure scenarios. No commercial TPRM platform provides automated concentration risk analysis, leaving organisations to build ad-hoc dependency maps that are outdated within months.