Third-party Risk Management Definition

Many modern organizations partner and do business with outside firms such as vendors, contractors, subcontractors, and more. Because these entities have varying degrees of IT and cybersecurity maturity, they introduce different levels of risk into the business supply chain. Security risk refers to the likelihood that a negative security event could occur and the impact it would have on different parts of the business. Every company has a different risk appetite — the level of security risk that leadership is willing to take to meet their business goals.  

Third-party risk management is a component of an organization’s overall risk management program, which encompasses assessing, analyzing, and prioritizing risk in order to develop and refine a strategy to mitigate the effects of risk to acceptable levels. Third-party risk management is about understanding and effectively managing all of the security risks that exist during various relationships with third parties.  

Here are a few best practices that your organization can use to promote stronger information security through third-party risk management. 

Categorize the risk of each individual third party

Each third party you engage with provides a unique service that supports your organization’s ability to conduct business and achieve the desired outcomes. First, develop an inventory of different products/services and categories of vendors or partners. This inventory should also include the type of data, sensitive or business critical, the vendor stores, processes or transmits, or has access to within your environment or a customer’s.  Next, conduct an official third-party risk assessment for each organization to determine what risks they could be introducing to your business.  

Gathering and organizing all of this information will help you get a better idea of which third parties pose the highest risk based upon the type of data and systems they can access. This can also be useful when planning for future partnerships. Keep in mind that each of these third-party organizations likely use their own third-parties that may also need to be assessed based on the risk the upstream supply chain poses to your business operations.

Establish risk-related performance metrics    

When entering into a long-term contractual relationship with another organization, you must make sure the key performance indicators (KPIs) that govern the relationship have been clearly defined. You are likely already aware of how to develop KPIs for product or service delivery — metrics related to cybersecurity and risk liability are equally important to the longevity of your business. Defining risk-related KPIs can be a complex process and should involve input from all key stakeholders in your organization. Here are a few examples of what those KPIs might include: 

  • % of systems with no open critical or high vulnerabilities  
  • Level of open or high vulnerabilities  
  • Average window of exposure for vulnerabilities  
  • Average dwell time for a threat actor  
  • Frequency of review of third-party access  

Create clear third-party agreements  

Contractual agreements must be clearly written based on your organization’s risk tolerance and the KPIs you have identified for third parties. Crucially, contracts must define any metrics, thresholds, and situations that would lead to the termination of a third-party relationship. If another organization does not take the proper actions to secure their environments  

and services after signing the contract, then you are able to protect your organization by ending your business affiliation.  

The MSP role in third-party risk management  

As MSPs continue to play a bigger role in providing cybersecurity protection for companies, it’s important to learn how you can help improve your clients’ security (and your own) through services related to third-party risk management..  

Risk assessments  

As mentioned above, risk assessments are an integral part of evaluating an organization's security posture against cybersecurity threats and identifying areas for improvement. Risk assessments should be regularly performed against your MSP business, your clients, and your vendors and partners. This helps you locate possible risks such as: 

  • Network vulnerabilities 
  • Insufficient device management 
  • Data compliance problems 
  • Internal threats 
  • And more 

A third-party risk assessment can ultimately lead to your business and the outside organization agreeing on certain remediation measures that must be taken before a relationship can be initiated.  

Incident response planning  

Because even the best laid plans can go awry, your MSP business must be prepared to respond to any security incident that could be caused by a third-party organization. As such, you should have an incident response plan that outlines your strategies and goals for mitigating the damage, KPIs for measuring effectiveness of your response, and thorough communication plans for disclosing incident information to internal and external entities. When testing your MSP business’s incident response capabilities (at least once per year, ideally once per quarter), it may be wise to include willing third parties to help act out how you would work together to contain a threat that has spread across multiple systems and environments. 

 

Did you know?

Over 80% of legal and compliance leaders say they have found third-party risks after initial onboarding and due diligence with an outside organization. 

 Gartner Report: Stay Ahead of Growing Third-Party Risk 

Additional resources

blog icon Understanding Security Risk Management and Security Risk Assessments

Does your MSP business have a robust security risk management program in place? No matter where you are in your cybersecurity journey or what your current ability to manage risk looks like, it’s helpful to have a firm grasp of what risk means as well as best practices for assessing, responding to, and monitoring risk.

Blog post >>
toolbox icon ConnectWise Cybersecurity Starter Kit

Want to get started selling cybersecurity? We’ve put together a kit to help. Download the kit today for helpful resources that will transform your business from an MSP to an MSP+ model, including educational information for your SMB customers, templates, and more. 

Kit >>
work plan icon The SMB Cybersecurity Checklist

How secure are your SMB clients? Chances are, they may not fully understand their risks and exposures. Use this 30-item checklist to start the conversation around cybersecurity, help them understand the cybersecurity landscape, and assess their security postures.

Checklist >>
reporting icon Cybersecurity in an Era of Competing Priorities: The State of SMB Cybersecurity in 2021

SMBs are not immune from cybersecurity risks—quite the contrary. Our 2021 survey of 700 SMB decision makers uncovered interesting findings about how these businesses are thinking about cybersecurity, their spending plans, and what motivates them when it comes to security. 

Report >>
vulnerable assessment icon The Security Journey Self Assessment

Wondering where you stand in your cybersecurity journey? Take this assessment to understand how advanced your cybersecurity knowledge is and to identify areas where you can expand upon your understanding of key cybersecurity concepts and precautions.

Assessment >>
blog icon How to Conduct an Effective Cybersecurity Analysis: A Guide for MSPs

Cybersecurity incidents are now impacting businesses of all sizes. Your customers are likely wondering how you can help them become more secure. From privacy program reviews to incident response plan development, here are six areas to focus on when conducting a cybersecurity analysis.

Blog post >>