What is Third-Party Cyber Risk Management?
One of your biggest third-party risks? Data leaks and ransomware attacks targeting your vendors. When hackers compromise a vendor’s systems, they’ll exfiltrate sensitive data belonging to the vendor’s customers. This often includes your company files or credentials used to access your systems. That’s why you need to continuously monitor dark web forums, ransomware blogs, and data leak sites for evidence of vendor compromises. When you spot them early, you can take immediate action to protect your organization.

Early data breach detection
Identify third-party risks
Remediate critical issues fast
Third-Party Risk Management Platform Trusted by Security Teams Worldwide
Our team uses Breachsense data to gain initial access during pen testing and red team engagements. The API is simple to use and the support is always helpful and responds quickly.
Our Security Colony platform relies on Breachsense data as part of our dark web monitoring service. The data is continuously updated and high quality. Highly recommend!
We rely on Breachsense for a lot of data. Their frequent database updates, constant availability, and handling of big and small breaches alike means we are always covered.
Frequently Asked Questions
Third-party risk management (TPRM) in cybersecurity is the process of identifying, assessing, and mitigating security risks introduced by vendors, suppliers, and business partners who have access to your systems or data. It involves continuously monitoring your vendors’ security posture and tracking data breaches that affect your supply chain. When vendor compromises expose your organization to risk, you need to take immediate action. Effective TPRM combines vendor assessments with real-time dark web monitoring to detect leaked credentials or stolen data from vendor breaches before attackers can exploit them.
According to the Federal Reserve’s TPRM guidance, the 5 stages of the third-party relationship lifecycle are: 1) Planning - evaluating potential risks before entering a relationship, 2) Due Diligence and Third-Party Selection - assessing vendor capabilities and security posture, 3) Contract Negotiation - establishing security terms and obligations, 4) Ongoing Monitoring - continuously tracking vendor performance and security, and 5) Termination - securely ending the relationship when needed. You’ll apply more rigorous practices throughout this lifecycle for vendors supporting critical activities.
The 3PRM (Third-Party Risk Management) process involves four key phases: identifying all third-party relationships and their risk levels, assessing vendor security controls and compliance, monitoring vendors continuously for security incidents and breaches, and controlling risks through remediation and contract enforcement. Modern 3PRM programs use cyber threat intelligence platforms to monitor dark web forums and ransomware leak sites where compromised vendor data appears. This lets you respond immediately when a vendor breach exposes your data.
A common example is when a vendor gets breached and attackers steal credentials or data belonging to the vendor’s customers. For instance, if your organization uses a cloud service provider and that provider suffers a ransomware attack, the attackers may exfiltrate your company’s sensitive data stored on their systems or credentials used to access your network. Another example is when vendors with remote access privileges get compromised through leaked credentials. Attackers can use the vendor’s legitimate access to infiltrate your systems. This is why continuous vendor monitoring is essential.
A Third-Party Risk Management (TPRM) professional is responsible for managing security risks from vendors throughout the relationship lifecycle. Key responsibilities include conducting vendor security assessments, reviewing vendor contracts for security requirements, and monitoring vendors for security incidents and data breaches. You’ll also coordinate incident response when vendor breaches occur, maintain vendor risk registers, and report third-party risk metrics to leadership. TPRM roles require knowledge of cybersecurity frameworks, risk assessment methodologies, and tools for continuous vendor monitoring including dark web intelligence platforms.
NIST addresses third-party and supply chain risk management primarily through NIST SP 800-161, which provides guidance on Cybersecurity Supply Chain Risk Management (C-SCRM). This framework helps you identify, assess, and mitigate risks throughout the supply chain, including from vendors and suppliers. NIST emphasizes integrating supply chain security into broader organizational risk management. You’ll need to develop C-SCRM strategies and policies, and conduct risk assessments for products and services. The guidance applies to all stages of technology acquisition, from supplier selection through deployment and ongoing monitoring.
Essential Third-Party Risk Resources
Strengthen your vendor risk management program with these comprehensive guides
Data Breach Monitoring
Monitor for data breaches affecting your organization and your vendors in real-time. Get alerts when vendor compromises expose your sensitive data or credentials.
Dark Web Monitoring
Track ransomware leak sites and criminal forums where stolen vendor data appears. Detect third-party breaches early before attackers exploit compromised data.
Cyber Threat Intelligence Software
Transform vendor breach data into actionable intelligence. Prioritize third-party risks based on real threat activity targeting your supply chain.
Preventing Third-Party Data Breaches
Comprehensive guide to preventing vendor-related data breaches. Learn proactive strategies to secure your supply chain before incidents occur.
10 Steps to Prevent Third-Party Breaches
Actionable checklist for reducing third-party risk. Practical steps security teams can implement immediately to strengthen vendor security.
Third-Party Data Risk Guide
Quick guide to understanding and managing data risk from vendors. Learn how to identify, assess, and remediate vendor security gaps.
External Attack Surface Management
Discover unknown vendor connections and shadow IT. Map your entire third-party attack surface to identify hidden supply chain risks.
Supply Chain Intelligence
Gain visibility into supply chain threats and vulnerabilities. Monitor your vendor ecosystem for indicators of compromise and emerging risks.