
The Unseen Anchor: Third Party Risk Management
Karmine Team | 7-9 min read
Background: The Hidden Threat Multiplying in Your Supply Chain
Third-party incidents are escalating in frequency and sophistication. Recent breach statistics put third-party involvement at roughly 30% of data breaches, a share that has reportedly doubled in a single year.
Small to mid-sized vendors, with less mature security due to their own resource limitations, account for a disproportionate share, implicated in as many as 60% of data breaches. This creates a precarious situation: a mid-sized company’s risk profile is tied to its entire vendor ecosystem. Failure of one critical third party can trigger cascading operational disruptions.
Mid-sized companies often underinvest in Third-Party Risk Management (TPRM) due to perceived resource limitations, yet these limitations make them more vulnerable to third-party induced shocks. While firms might assess their own risk as moderate, their vendors are significant breach sources. Attackers increasingly view smaller organizations as softer targets or conduits.
This is compounded by a compliance-centric myopia, where TPRM becomes a checkbox exercise rather than a proactive, risk-driven strategy, fostering a false sense of security. Some firms also mistakenly believe they are less attractive targets than larger enterprises, a notion contradicted by evidence showing increased attacks on smaller entities. This often stems from competing priorities and insufficient awareness of the potential impact of third-party failures.
Robust TPRM is a strategic imperative for business resilience, operational continuity, regulatory compliance, and customer trust. Approached strategically, TPRM transforms from a cost center to a value driver, safeguarding against financial penalties, reputational damage, and operational disruptions. Mid-sized companies must view TPRM as an indispensable component of their strategic framework for sustainable growth.
An Anatomy of Neglect: Critical TPRM Failings in Mid-Sized Companies
Under-prioritized TPRM in mid-sized companies manifests in critical failings, creating significant vulnerabilities. These shortcomings, often due to resource constraints or lack of expertise, cumulatively weaken an organization’s security.
The landscape of third-party risk is marked by escalating external threats and stricter regulations. Mid-sized companies face a greater likelihood of incidents and more demanding compliance, increasing the “cost of inaction”.
1 – The Regulatory Gauntlet: Navigating Mounting Pressures
Regulators worldwide are intensifying scrutiny of supply chain and third-party risks in response to growing cyber threats. The TPRM market is projected for significant growth due to these pressures. Mid-sized companies, especially in regulated industries or handling sensitive data, must treat these demands seriously. The trend is towards holding organizations accountable for their vendors’ actions, necessitating proactive risk management.
This “regulatory squeeze” impacts mid-sized firms. While some regulations target large enterprises, mid-sized firms are caught as supply chain components, compelled to adhere to higher standards via contractual flow-down. Proactive alignment with robust standards can be a competitive advantage.
Regulatory expectations are shifting beyond incident prevention to ensuring operational resilience during and after incidents, including those caused by third parties. The Reserve Bank of India (RBI) in particular has been quietly but firmly targeting TPRM failures with significant penalties. The table below highlights some of its recent actions.
TPRM governance needs to critically mature from pre-contract due diligence to continuous monitoring, collaborative incident response planning, and resilience testing.
2 – The Governance Void: Who Really Owns Third-Party Risk?
Effective TPRM requires clear governance, but responsibility is often fragmented across procurement, IT, legal, and business units. This decentralization leads to inconsistent processes, duplicated efforts, and no holistic view of third-party risk. While organizations are moving towards centralized TPRM, many still use fragmented approaches.
Without clear governance, accountability is diffuse, making it hard to enforce TPRM policies, manage risks, and align TPRM with ERM objectives and risk appetite. In mid-sized companies, this deficit can be more pronounced, allowing critical risks to be overlooked.
3 – Templated and Tick-Box Due Diligence: A False Sense of Security
Reliance on generic questionnaires for due diligence is common in resource-constrained mid-sized firms. These “one-size-fits-all” templates, aimed at efficiency, often miss industry-specific nuances or true risk exposure, leading to a superficial understanding of vendor security and a false sense of security.
This creates significant blind spots, especially for “medium-high risk” vendors who may be inadequately assessed, leading to undiscovered vulnerabilities. Prioritizing the appearance of due diligence over substantive effectiveness creates an “illusion of control”.
4 – The Onboarding Squeeze: When Speed Overrides Scrutiny
Pressure to onboard vendors rapidly often undermines TPRM. Business units, driven by operational needs, push for expedited onboarding, while thorough due diligence can take weeks or months. This tension frequently leads to rushed security assessments and cut corners, with vendors sometimes integrated before their assessments are complete.
This “operational misalignment” means risk exposure expands faster than the capacity to manage it, embedding risk from day one. The desire to “get the deal done” can overshadow prudent risk management, normalizing risky shortcuts as standard operating procedure.
5 – Stale Assessments in a Dynamic World: The Peril of Outdated Risk Pictures
A recent survey indicated that over 70% of organizations have critically under-invested in supplier risk assessments. Third-party risk is dynamic; a secure vendor can quickly become a liability due to new vulnerabilities, changes in their supply chain (nth-party risks), financial instability, or new threat vectors. Yet, many organizations rely on point-in-time assessments (e.g., annually), assuming ongoing coverage.
These outdated methodologies fail to keep pace with modern vendor ecosystems. Consequently, organizations operate with an inaccurate understanding of their third-party risk exposure, vulnerable to emerging threats not identified previously. This “set it and forget it” mentality is a critical failure.
6 – Incident Response Paralysis: Slow Reactions to Third-Party Breaches
Effective response to a third-party incident is paramount, but many companies lack structured frameworks for rapid identification, triage, and response. A sluggish response amplifies damage, leading to extended downtime, increased data loss, greater financial repercussions, and severe reputational harm.
The July 2024 CrowdStrike incident, in which a faulty Falcon sensor content update crashed millions of Windows hosts and caused global IT outages, exemplifies how a single third-party failure can paralyze operations. For mid-sized companies lacking dedicated incident response teams, such paralysis can be existential.
7 – Accountability Black Holes: Outsourced vulnerabilities
Outsourcing a function doesn’t outsource accountability for associated risks. Mid-sized companies often struggle to enforce remediation on larger vendors or lack resources for persistent follow-up.
Contractual safeguards outlining security expectations and consequences for non-compliance may be weak or unenforced. This accountability vacuum leads to an accumulation of unmitigated known risks, leaving organizations persistently exposed.
Real-World Casualties: Unabated third-party failures
The escalating statistics are mirrored by high-profile incidents where TPRM failures have led to severe consequences, underscoring the global nature of this threat. Recent events have highlighted the diverse ways third-party vulnerabilities can cripple operations and expose sensitive data across various regions and sectors. These real-world examples offer critical lessons for mid-sized companies regarding the imperative for robust vendor oversight.
In the United States, Progress Software’s MOVEit Transfer platform became 2023’s “super-spreader” event. A zero-day SQL injection flaw let the Cl0p gang automate data exfiltration from the servers of more than 2,500 organisations, exposing at least 66 million personal records and triggering months of breach notifications and class-action suits.
In 2024, Citigroup mistakenly credited a customer account with $81 trillion; the entry was caught and reversed within hours, but it highlighted the operational risk of legacy payment systems and manual controls. Although not a vendor breach, it is a reminder that outdated IT infrastructure, whether in-house or outsourced, can produce failures at a scale no single control was designed for.
India saw collateral damage through Infosys McCamish Systems. Attackers infiltrated the insurer-services subsidiary in late 2023 via its eDiscovery provider, ultimately accessing up to 6.5 million policyholder records. The parent firm has since earmarked US $17.5 million to settle US class actions, illustrating how offshore service centres and their subcontractors can propagate liabilities across jurisdictions.
Toyota confirmed in August 2024 that 240 GB of sensitive data posted on a hacking forum was siphoned not from its own network but from a U.S. dealership-partner, again blurring the boundary between “their” breach and “our” accountability.
For mid-sized firms, the lessons are clear: rigorous due diligence, continuous monitoring of all vendors and software, understanding shared responsibilities with platforms, and having agile incident response plans that explicitly account for third-party scenarios are no longer optional but essential for survival.
Building a Resilient Shield: Transforming TPRM into a Strategic Capability
Mid-sized companies must transition from reactive TPRM to a proactive, resilient, and strategically integrated capability. This requires a holistic approach (people, process, technology, strategy), aiming for continuous improvement towards a “good enough” state proportionate to their risk profile and resources, then iteratively enhancing it.
1 – The Strategic Shift: Integrating TPRM with Enterprise Goals
- Aligning TPRM with ERM and Business Objectives: TPRM should be integral to the ERM framework, managing third-party risks in context of business objectives, strategic priorities, and risk appetite. Strategically aligned TPRM supports business goals by preventing incidents, ensuring operational continuity, protecting reputation, and maintaining customer trust.
- Leveraging Frameworks: Established frameworks provide a pathway and maturity markers as the organization progresses: NIST CSF 2.0’s “Govern” function (whose Supply Chain Risk Management category, GV.SC, is directly about third parties), ISO 27001:2022 (Annex A controls 5.19 to 5.23 on supplier relationships, supplier agreements, ICT supply chain, monitoring of supplier services and cloud services), and the COSO ERM Framework.
- Measuring TPRM Effectiveness and Demonstrating Value:
  - Measure TPRM effectiveness using Key Performance Indicators (KPIs) such as the percentage of vendors assessed by risk tier, due-diligence cycle time, number and severity of third-party incidents, remediation rates, and compliance metrics.
  - Regular reporting to management and the board on TPRM status, risks, and performance is crucial.
  - Tie metrics to tangible business impacts to frame TPRM as an investment. Robust TPRM can catalyze broader risk management maturity.
2 – The People Power: Cultivating a Risk-Aware Culture and Expertise
- Executive Sponsorship and Clear Ownership: Strong executive sponsorship is essential to elevate TPRM to a strategic priority, secure resources, enforce policies, and embed TPRM in company culture.
- Building Accountability: Clear ownership is paramount, even without a dedicated TPRM team. A designated individual or small cross-functional group should coordinate TPRM, reporting to a senior executive. A cross-functional TPRM committee (even informal) with stakeholders could be effective.
- Training and Cross-Departmental Collaboration: Ongoing training and awareness programs cultivate a risk-aware culture for all staff on security protocols, data privacy, and reporting third-party risks.
3 – The Process Blueprint: Embedding Best Practices Across the TPRM Lifecycle
- Comprehensive Lifecycle Approach:
  - The TPRM lifecycle includes: Planning & Vendor Identification; Due Diligence & Selection; Contracting & Onboarding; Risk Assessment & Control Implementation; Ongoing Monitoring; and Termination & Offboarding.
  - A foundational step is a comprehensive, centralized, regularly updated vendor inventory detailing each vendor’s services, data access, criticality, and internal owner.
  - Risk-based tiering (critical, high, medium, low) based on data access, system criticality, regulatory impact, and financial exposure is crucial for resource-constrained firms; the tier dictates the depth of due diligence and the review cadence.
- Risk-Based Due Diligence and Continuous Monitoring:
  - Due diligence, conducted before onboarding and tailored to the risk tier, must include security questionnaires, validation of certifications, assessment of financial stability, and evaluation of security posture.
  - TPRM must move to continuous monitoring to keep each vendor’s risk profile current, tracking changes at the vendor and emerging threats.
  - For mid-sized firms, this might mean more frequent reviews for high-risk vendors and leveraging public information or security rating services, avoiding “stale assessments”.
- Robust Contracting and SLA Management:
  - Embed clear, enforceable security requirements (data protection, security controls, breach notification timelines, audit rights, subcontractor responsibilities, liability) with legal counsel.
  - Service Level Agreements (SLAs) defining performance and security commitments should be clearly articulated and monitored.
- Agile Incident Response Plan for Third-Party Events:
  - Integrate third-party scenarios into overall incident response and business continuity plans.
  - Establish clear protocols for communication, coordination, and remediation with vendors during incidents.
  - Regularly test these plans, ideally with critical vendors. Simple playbooks for common third-party failures are a pragmatic start.
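The inventory, tiering and continuous-monitoring points above can be made concrete in a few dozen lines. The following is an added example, not code from the article or from any vendor; it tiers each vendor in a constructed inventory from the four attributes the text names (data access, system criticality, regulatory impact, financial exposure), maps the tier to a due-diligence depth and a maximum assessment age, flags assessments that are overdue or never done, and computes the “percentage assessed by tier” KPI. The ordinal scales, weights, score thresholds, cadences and all vendor names and values are assumptions chosen for illustration, not a standard.

```python
"""Vendor inventory tiering and assessment-staleness check (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Ordinal scales for two of the tiering inputs (assumed scales, not a standard).
DATA_ACCESS = {"none": 0, "internal": 1, "confidential": 2, "regulated_pii": 3}
CRITICALITY = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Tier -> (minimum due-diligence depth, maximum days between assessments).
# Cadences are illustrative; set them from your own risk appetite.
TIER_POLICY = {
    "critical": ("full assessment, evidence review, resilience test", 90),
    "high": ("full questionnaire, certification validation", 180),
    "medium": ("short questionnaire, security-rating check", 365),
    "low": ("self-attestation", 730),
}
TIER_ORDER = ["critical", "high", "medium", "low"]


@dataclass(frozen=True)
class Vendor:
    name: str
    owner: str                    # internal accountable owner, as the inventory requires
    data_access: str              # key of DATA_ACCESS
    criticality: str              # key of CRITICALITY
    regulated: bool               # service falls under a regulatory mandate
    annual_spend_usd: int         # proxy for financial exposure
    last_assessed: Optional[date]  # None = never assessed


def risk_score(v: Vendor) -> int:
    """Weighted sum of the four tiering inputs; range 0..23 on these scales."""
    score = 3 * DATA_ACCESS[v.data_access] + 3 * CRITICALITY[v.criticality]
    score += 3 if v.regulated else 0
    if v.annual_spend_usd >= 500_000:
        score += 2
    elif v.annual_spend_usd >= 50_000:
        score += 1
    return score


def tier_for(v: Vendor) -> str:
    """Map score to tier, with a floor: any vendor holding regulated PII is at least 'high'."""
    s = risk_score(v)
    if s >= 16:
        return "critical"
    if s >= 10 or v.data_access == "regulated_pii":
        return "high"
    if s >= 5:
        return "medium"
    return "low"


def assessment_status(v: Vendor, today: date) -> str:
    """'never_assessed', 'overdue', 'due_soon' (past 80% of the cadence) or 'current'."""
    if v.last_assessed is None:
        return "never_assessed"
    _, max_days = TIER_POLICY[tier_for(v)]
    age = (today - v.last_assessed).days
    if age > max_days:
        return "overdue"
    if age > 0.8 * max_days:
        return "due_soon"
    return "current"


def findings(vendors, today: date):
    """Vendors needing action, highest tier first: (name, tier, status)."""
    rows = [(v.name, tier_for(v), assessment_status(v, today)) for v in vendors]
    rows = [r for r in rows if r[2] != "current"]
    return sorted(rows, key=lambda r: (TIER_ORDER.index(r[1]), r[0]))


def coverage_by_tier(vendors, today: date):
    """KPI: fraction of vendors per tier whose assessment is within cadence."""
    totals, covered = {}, {}
    for v in vendors:
        t = tier_for(v)
        totals[t] = totals.get(t, 0) + 1
        if assessment_status(v, today) in ("current", "due_soon"):
            covered[t] = covered.get(t, 0) + 1
    return {t: covered.get(t, 0) / n for t, n in totals.items()}


# Constructed inventory for illustration; every name and value here is invented.
INVENTORY = [
    Vendor("PayrollCloud", "HR", "regulated_pii", "high", True, 120_000, date(2024, 11, 1)),
    Vendor("BuildPipe CI", "Engineering", "confidential", "critical", False, 60_000, date(2025, 5, 15)),
    Vendor("Office Catering", "Facilities", "none", "low", False, 20_000, date(2024, 9, 1)),
    Vendor("MarketingAnalytics", "Marketing", "confidential", "medium", False, 30_000, None),
    Vendor("eDiscoveryCo", "Legal", "regulated_pii", "low", True, 10_000, date(2025, 1, 20)),
]
REPORT_DATE = date(2025, 6, 30)  # fixed "today" so the report is reproducible

if __name__ == "__main__":
    for name, tier, status in findings(INVENTORY, REPORT_DATE):
        print(f"{tier:8} {status:14} {name}  -> needs: {TIER_POLICY[tier][0]}")
    for tier, frac in coverage_by_tier(INVENTORY, REPORT_DATE).items():
        print(f"coverage[{tier}] = {frac:.0%}")
```

Two design points are worth noting. The CI/CD vendor lands in the critical tier without touching any personal data, because a compromised build pipeline is a software-supply-chain entry point; a tiering model keyed only on PII would miss it. And the regulated-PII floor means a low-spend, low-criticality subcontractor such as the eDiscovery provider still gets a 180-day cadence, which is the kind of nth-party exposure the incident section above describes.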
4 – The Technology Enabler: Leveraging Tools for Efficiency and Insight
- There is a strong business case today for investing in a dedicated end-to-end third-party lifecycle management platform. Such platforms automate manual tasks: distributing questionnaires, conducting due diligence, integrating risk assessments, streamlining onboarding, centralizing vendor data, enabling continuous monitoring, and providing risk dashboards.
- Ideally, TPRM tooling should integrate with GRC systems for a unified risk view and streamlined reporting. Mid-sized companies should seek scalable, cost-effective, cloud-based solutions; even basic automation offers substantial gains.
- AI can further enhance efficiency by automating data collection, analyzing contract language, performing predictive analytics, monitoring vendors in near real time, and streamlining compliance. End-to-end lifecycle platforms such as https://clife.ai/ enable organisations to centralise and manage third-party risk holistically and support AI-driven decision making.
Systematically addressing these areas can help mid-sized companies transform TPRM into a strategic capability.
Conclusion: Moving Beyond Compliance to Competitive Advantage
Under-prioritizing TPRM is no longer viable for mid-sized companies. Escalating cyber threats, interconnected ecosystems, rising third-party breaches, and regulatory pressure make robust TPRM a fundamental necessity. For resource-constrained mid-sized firms facing severe impacts from third-party failures, neglecting TPRM is indefensible.
Mature TPRM protects revenue by preventing breaches, enhances resilience by mitigating dependencies, builds customer trust by safeguarding data, and can offer a competitive advantage. Mid-sized companies with mature TPRM become more attractive partners.
This transformation requires leadership commitment and integration into the organizational culture. Leaders should allocate resources, foster risk awareness, and demand accountability.
The path to robust TPRM has challenges, but inaction’s risks are greater. By adopting a focused, risk-based, continuously improving approach, mid-sized companies can shield themselves from threats, unlock growth, and solidify their position as trusted, resilient players. Their future viability may depend on it.
References:
- Vendor Risk Assessment Challenges: What You Need to Know – Hyperproof, https://hyperproof.io/
- 2025 Third-Party Risk Management Survey – Ncontracts
- Third-Party Risk Management Trends & Opportunities 2024 – RiskRecon, https://blog.riskrecon.com/