It’s Not You, it’s Them: The Importance of Third Party Risk Management
Written by Alex Hollis

Published on 30 Oct 2019

Alex Hollis, GRC Practice Director at SureCloud, explains the importance of measuring and mitigating the risks that third parties can pose to your business.

As GRC Economist & Pundit Michael Rasmussen commented in his guest blog, the modern organization doesn’t operate alone. Beyond its own staff, a business’s offering can be delivered by an interconnected network of suppliers, vendors, outsourcers, service providers, contractors, subcontractors, consultants, and more.

These third parties can offer a strategic advantage and business value, helping organizations to offer cutting-edge services and focus on their own area of specialization. But they can also introduce third-party risks with a knock-on effect on the business, causing issues ranging from temporary service disruptions to complete shutdown.

Despite the risk of disruption, the practice of measuring and managing the risks that third parties present is still in its infancy. Recent research we conducted found that 82% of respondents were either not confident, or unsure, whether they had identified all the third-party risks their organization is exposed to.

It’s essential to establish an effective third-party risk management procedure, not least because of the requirements placed on you by regulations and standards such as GDPR, PCI DSS and ISO/IEC 27001 certification.

But what could go wrong? Is it worth the time, money and resources needed to manage your third parties effectively? How seriously can third parties really affect your business? I have drawn up three examples of common types of risk that your vendors and suppliers could pose to your business, to illustrate the importance of managing third-party risk…

Reputational third-party risk:

In a recent survey by Deloitte, over 26% of respondents said that they had faced reputational damage as a result of an incident affecting one of their suppliers. As far as your customers are concerned, the service they receive is delivered by you. Therefore, if a third-party supplier’s operations are interrupted as the result of an incident, there’s a significant risk that the services you provide will be disrupted until your supplier resolves the problem or you find an alternative supplier. Once a disruption has affected the service you provide, customers will be less likely to trust, use or recommend your brand.

Legal and regulatory third-party risk:

Certain suppliers will need access to your organization’s data in order to provide what you’ve asked of them. If your suppliers are trustworthy and their infrastructure is well protected, this may never be an issue. But how do you ensure that your partners are maintaining a robust security posture? A breach at a third-party supplier could impact you directly. Sharing data does not transfer your obligations: under GDPR, for example, you remain accountable as the controller for personal data you pass to a processor. So if a supplier storing sensitive customer data you have shared with them is breached, you could find yourself in breach of GDPR or PCI DSS, jeopardizing your ISO/IEC 27001 certification, or violating any number of other regulations governing data security.

Financial third-party risk:

Since a supplier’s financial problems, such as poor cash flow, financial fraud or reporting errors, can quickly become your problems, it pays to understand the financial risks your third parties might present.

If your suppliers aren’t financially viable, they may be forced to close their doors, and the service that you provide to customers may be disrupted. Additionally, just as third-party data breaches can cause reputational damage, they can also cause financial damage through fines or loss of business.

Measuring the performance of third-party risk management:

In Deloitte’s survey, 87% of respondents said they had experienced an incident with a third party that disrupted operations. Given the third-party risks that suppliers can pose to your business’s reputation, finances, and legal and regulatory standing, organizations need to address third-party risk management.

While the risks your suppliers present may feel outside your direct control, it is possible to manage them and reduce the impact they have.

Look out for the second part to this third-party risk management blog where we will be focusing on building an effective strategy for third-party risk management and how to measure good practice in third-party risk management. See you then!