Third-Party Cyber Risk and How to Mitigate It (With Free Downloadable Assessment)
Use these strategies to avoid being taken by surprise by this growing cyberthreat
Businesses today are faced with a new disheartening reality: Even if your organization’s attack surface is secure, you can still become a victim of a cyberattack through the vendors and partners you work with.
The term “third-party cyber risk” refers to the risk of data breaches, malware infections, and system disruptions stemming from service providers, vendors, customers, or business partners that have access to your organization’s networks, systems, or sensitive data, or those that provide IT products or services that your company depends on to operate.
In 2023, At-Bay saw a 415% increase in claims frequency for indirect ransomware (a ransomware attack on a vendor or partner of the primary organization that results in damages to the organization, typically data privacy breach and/or business interruption). For small and medium-sized businesses, these incidents can be an operational headache, not to mention costly, carrying an average claim severity of $47K in 2023.
The Far-Reaching Impact of Third-Party Cyber Risk
Recent high-profile incidents targeting MOVEit, Change Healthcare, and CDK Global have demonstrated how a ransomware attack on a single vendor can create widespread disruptions across the entire supply chain.
In each of these incidents, businesses reliant on MOVEit, Change Healthcare, and CDK Global were subject to third-party data breaches, financial losses, legal liabilities, regulatory compliance issues, and reputational damage — even though those businesses were not directly breached or attacked. This is the nature of the financial and operational risk introduced by vendors and partners.
Following are the third-party risk management (TPRM) strategies that you can leverage to minimize your organization’s attack surface and safeguard your operations, data, and reputation.
Identifying Critical Third-Party Dependencies
The first step in strengthening your security posture against third-party cyber risk is to identify your organization’s critical third-party dependencies. “Dependencies” refer to the vendors, partners, and providers that are required for a company’s operations — i.e., operations would cease if the vendor failed to deliver as agreed or suffered an outage of some kind.
Here are the steps to identifying your organization’s critical third-party dependencies:
- Understand Your Business’s Value Chain: Your business’s value chain is the sequence of activities required to deliver your product(s) or service(s) to your customers.
- Identify Mission-Critical Functions Enabled by Third Parties: Go through your company’s functions one by one to determine what the potential ramifications would be if you lost the ability to complete each one. Then, determine which of these functions are enabled or performed by third-party products or services.
- Identify Functions That Lack Easily Sourced Alternatives: Not all third-party dependencies pose equal risk. To identify high-risk dependencies, ask yourself the following questions for each mission-critical third-party function:
  - Which of our mission-critical functions are performed or enabled by a third-party product or service?
  - Which of those third-party vendors don’t have existing or easily sourced alternatives?
By answering these questions, you can narrow your focus to the third-party dependencies that are essential to your business operations and lack readily available substitutes. Prioritize these dependencies based on their potential impact on your business. Consider factors such as revenue loss, legal implications, and reputational damage in the event of a cyber incident or service disruption.
Evaluating Third-Party Cyber Risk
With your third-party dependencies prioritized, thoroughly evaluate the cyber risks associated with each of your vendors or partners to determine appropriate risk management strategies.
This requires proper due diligence on all critical third-party vendors, which should be repeated periodically — ideally annually — for all your business’s vendor relationships to ensure that all third parties’ security controls and practices remain adequate. To guide your due diligence efforts, ask the following 10 questions:
10 Questions to Assess Third-Party Cyber Risk
- Does the vendor have industry-standard security controls in place? Ensure the third party’s security controls are appropriate for its industry and the level of risk it represents. This may include multi-factor authentication (MFA), data encryption, secure remote access, and regular vulnerability scanning.
- Does the vendor appear to have contingency plans that are sufficient to make it resilient to attacks? Evaluate whether the vendor has developed and tested incident response and business continuity plans to minimize the impact of a security incident and facilitate rapid recovery.
- Is the vendor aware of its legal and contractual cybersecurity obligations to customers? Many contracts include provisions related to data protection, breach notification, and other cybersecurity responsibilities. Ensure the vendor understands and adheres to these obligations.
- Does the vendor have one or more industry certifications like SOC 2, HITRUST, etc.? Industry certifications, such as SOC 2 (Service Organization Control), HITRUST (Health Information Trust Alliance), and ISO 27001 (Information Security Management System), provide written evidence that an independent third party has verified the vendor’s security controls.
- Does your organization have a clear understanding of what data it shares with this vendor? Identify the types of data, including sensitive information like personally identifiable information (PII) or protected health information (PHI), that your organization shares with the third party.
- Does your organization have a clear understanding of any technology integrations or access that it shares with this vendor? Ensure that you understand the extent of the vendor’s access to your organization’s systems or networks. Implement appropriate access controls (like MFA) and monitoring measures.
- What is the impact to your organization if this vendor experiences a security failure or outage? Quantify the potential consequences of a third-party security incident or outage, including lost revenue, operational disruptions, legal implications, and reputational damage.
- Has your organization identified alternatives to this vendor if/when they become necessary? Explore the availability of alternative vendors or solutions that could be leveraged in the event of a security incident or prolonged outage involving the primary third party.
- What are the legal implications to your organization and its stakeholders if this vendor experiences a security failure or outage? Understand the legal and regulatory requirements related to data protection, breach notification, and other cybersecurity obligations that could be triggered by a third-party incident. Consult legal counsel as needed to ensure compliance and mitigate potential liabilities.
- What recourse does your organization have in the event of a security failure or outage with this vendor? Explore cyber insurance coverage, contractual indemnification clauses, or legal action that could help your organization recover from losses or damages resulting from a third-party incident. Ensure that these remedies are clearly defined and understood by all parties involved.
Controlling and Mitigating Third-Party Cyber Risk
A thorough due diligence process should eliminate the majority of third-party cyber risk by removing high-risk providers from consideration in the first place. Still, the residual risk among the remaining providers must be managed continuously and actively by your organization. Following are some recommended approaches:
Source Alternative Vendors
One of the most effective ways to control third-party cyber risk is to have alternative vendors in place for your critical dependencies. Where possible, this approach provides redundancy and reduces the impact of a single vendor’s security failure or outage.
Insource Critical Functions
In some situations, it may be more appropriate to bring certain critical functions back in house rather than relying on outsourcing to third-party vendors. This approach, known as insourcing, can provide greater control over your organization’s cybersecurity posture and reduce the risk exposure of third-party cyber incidents.
Develop Contingency and Business Continuity Plans
Even with alternative vendors or insourced functions in place, it’s crucial to have robust contingency and business continuity plans to mitigate the impact of third-party cyber incidents. These plans should outline specific steps to be taken in the event of a security breach, system outage, or other disruptions caused by a third-party vendor.
Continuous Monitoring and Management
Because TPRM requires ongoing attention, you’ll need to establish a process to continuously assess third-party risks and maintain a proactive stance against emerging cyberthreats. These are the crucial components of a comprehensive cybersecurity risk management program:
Establish a Risk Reassessment Cadence
One of the most important aspects of ongoing risk monitoring is setting a regular cadence for reassessing your third-party cyber risks. Many organizations make the mistake of evaluating their vendors and partners only during the initial onboarding process, failing to account for changes in the vendor’s security posture or the introduction of new threats over time. An annual reassessment is generally recommended as a minimum frequency, but the optimal cadence may vary depending on the criticality of the third-party relationship and the vendor’s industry or risk profile.
Work With Cyber Advisors
Some InsurSec providers, like At-Bay, offer cyber advisory services and risk assessment tools to help policyholders identify and mitigate third-party security risks. Cybersecurity advisors’ expertise can be invaluable in interpreting risk assessment results, developing contingency plans, and implementing robust security controls within your organization and across your third-party ecosystem.
Continuous collaboration with an expert security team can help you adapt your third-party risk management program to changing circumstances and maintain a proactive stance against potential risks.
Leverage Third-Party Risk Management Tools and Services
Consider leveraging third-party risk assessment tools and services to streamline and automate various aspects of vendor risk management, including vendor risk profiling, continuous monitoring, risk scoring and reporting, and vendor risk assessment questionnaires. Make sure to interpret the results with the guidance of cybersecurity professionals — vendors’ self-reported information may not always provide a complete picture.
Protect Yourself With Cyber Insurance
One of the best protections against a potentially incapacitating third-party cyberattack is cyber insurance. The right coverage can provide financial protection against losses resulting from cyber incidents at a vendor, such as data breaches, system outages, and ransomware attacks.
Work closely with your cyber insurance provider to ensure that you have the appropriate coverage for your organization’s specific needs and third-party dependencies. Some InsurSec providers offer security services as part of their insurance policies. At At-Bay, this includes cyber advisory services and active risk monitoring.
Third-Party Risk Management: A Critical Component of Your Cybersecurity Strategy
By adopting a few straightforward practices, your business can build a robust TPRM program. Applying vendor due diligence, dependency breaking, and contingency planning together — with the support of an expert risk management team that can lend its expertise in evolving threats and risk management — can significantly reduce the risk that you will become a victim of other companies’ security failures.