Cyber Risk Through
Third Party Relationships
Every cybersecurity risk that your organization faces, is likely present in companies or individuals it works with. Increasingly, breaches happen because of vulnerabilities present in the network of Third-Party Relationships (TPRs) you have.
- Ensure your company has a policy for Third Party Risk Management (TPRM) with clearly defined controls that apply to TPRs.
- Maintain a central repository for TPRs and analyze the cybersecurity risks they pose and subsequently, apply appropriate controls to each party, with reference to TPRM or best practices you are familiar with.
- Third parties are not just ‘vendors’. Any supplier, IT service provider, associate, affiliate, or consultant is also part of the same set of third-party relationships. Controls in your organization’s information security policies should apply to all.
- Apply controls across the relationship. The importance of cybersecurity controls is normally overlooked, especially during and in the terminal phases of the relationship.
- Require your third parties to inform you of their security practices and in particular, any breaches, especially in relation to data concerning your customers or organization.
When cyber attacks occur in your supply chain of TPRs and if the data compromised concerns your business or its customers, your organization is likely to suffer impact too and may even be held liable.
As a result, watch out for the parties you are interacting with within the course of business and be mindful of cyber risk in this sphere.