Third Party Risk Management: Building a Program That Works

01/06/25

News


Many companies find it necessary to outsource some of their critical business functions to third-party vendors. Functions like payroll, accounting, cloud infrastructure, or IT management are regularly outsourced. Putting your company’s valuable data and business processes into the hands of a third party carries some risk, especially concerning the security and confidentiality of that data.

According to a recent IT survey, 61% of respondents said they experienced a data breach or other security incident caused by a third party in 2024. Other research indicates that the average company shares confidential data and information with over 500 third parties. In addition, only 24% of companies maintain an inventory of the third parties with which they share data and processes.

These statistics seem to indicate a real issue with the security around relationships with third parties. But what do the statistics really mean? Let’s look at some recent examples of major third-party breaches to get a better understanding.

Recent third-party breaches

On November 29, 2024, Krispy Kreme experienced a ransomware attack that disabled the company’s online payment portals. The attackers took advantage of weak cybersecurity at the third-party vendor managing Krispy Kreme’s digital infrastructure. The attack shut down online services for days, causing financial losses and a 33% drop in the value of the company's stock.

AT&T suffered one of the biggest attacks in April 2024. Hackers gained access to the data of more than 70 million customers, including names, phone numbers, addresses, and account details. If you are an AT&T customer and have noticed an increase in spam calls, this might be why. AT&T paid $370,000 in Bitcoin to the hackers and $13 million in fines to the FCC.

UnitedHealthcare Group experienced a data breach in April of 2024 caused by a vulnerability in their third-party billing system. The breach resulted in millions of patients’ medical records being accessed, as well as disruptions to insurance claim processing for weeks. The company paid $22 million to the perpetrators. The breach occurred in large part due to the lack of multi-factor authentication on the billing system.

Keys to reducing risk with third-party providers

To have any hope of effectively managing your third-party relationships, you must have a method for grouping and classifying your business partnerships and the risks they pose to your organization. First, determine how many third parties your organization deals with by conducting an inventory of every vendor, service provider, and data processor involved with your company. Then classify each one by defined attributes such as access to data, type of data accessed, size of the organization, operational impact, number of transactions processed, and value of transactions processed. These are just a few suggestions; your organization should determine the attributes that best suit your business.

Once you have an inventory and attributes for each third party, the next step is to utilize that data to determine their overall risk level. Again, there are many methods for quantifying risk, and the method you select should be consistent with your organization.

After creating a risk rating for each third party, you should develop a program for maintaining the process. Every new third party your organization does business with affects your risk profile, so each one should be evaluated to understand the provider's security and privacy practices, followed by a determination of the risk impact of doing business with that organization.
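As an added illustration of the identify and stratify steps above (this code is not from the article or from UHY), the following Python scores a constructed vendor inventory on the attributes the article lists and flags third parties that have not yet been evaluated. The ordinal scales, the band thresholds, the tier cut-offs, and the assumption that smaller vendors carry more risk are all assumptions, since the article leaves the scoring method to each organization.

```python
from dataclasses import dataclass

# Assumed ordinal scales: the article names the attributes, not how to score them.
DATA_TYPE_SCORE = {"public": 0, "internal": 1, "confidential": 2, "regulated": 3}
ORG_SIZE_SCORE = {"large": 0, "medium": 1, "small": 2}  # assumption: smaller vendor, less mature controls


@dataclass
class ThirdParty:
    name: str
    has_data_access: bool
    data_type: str             # key of DATA_TYPE_SCORE
    operational_impact: int    # 0 (none) .. 3 (business-critical), assumed scale
    transactions_per_year: int
    transaction_value_usd: float
    org_size: str              # key of ORG_SIZE_SCORE
    reviewed: bool = False     # security and privacy practices evaluated yet?


def risk_score(tp: ThirdParty) -> int:
    """Additive score over the article's six attributes; maximum is 16 on these scales."""
    tx_score = 2 if tp.transactions_per_year >= 100_000 else 1 if tp.transactions_per_year >= 1_000 else 0
    v = tp.transaction_value_usd
    value_score = 3 if v >= 1_000_000 else 2 if v >= 100_000 else 1 if v >= 10_000 else 0
    return ((3 if tp.has_data_access else 0) + DATA_TYPE_SCORE[tp.data_type]
            + tp.operational_impact + tx_score + value_score + ORG_SIZE_SCORE[tp.org_size])


def risk_tier(score: int) -> str:
    """Assumed cut-offs; tune them to your own risk appetite."""
    return "high" if score >= 11 else "medium" if score >= 6 else "low"


def build_register(parties):
    """The inventory, stratified: highest-risk third parties first."""
    rows = [{"name": p.name, "score": risk_score(p), "tier": risk_tier(risk_score(p))} for p in parties]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def onboarding_gaps(parties):
    """Medium/high-tier third parties whose practices have not been evaluated, riskiest first."""
    return [p.name for p in sorted(parties, key=risk_score, reverse=True)
            if not p.reviewed and risk_tier(risk_score(p)) != "low"]


# Constructed sample inventory; these are not real vendors.
SAMPLE = [
    ThirdParty("Payroll Provider", True, "regulated", 3, 5_000, 2_000_000, "large", reviewed=True),
    ThirdParty("Cloud Hosting", True, "confidential", 3, 0, 0, "large"),
    ThirdParty("Office Catering", False, "public", 0, 200, 20_000, "small"),
]
```

Running `build_register(SAMPLE)` yields the stratified register, and `onboarding_gaps(SAMPLE)` lists the third parties that still need a security and privacy evaluation before the relationship proceeds.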

To continue a successful Third-Party Risk Management Program, you must ensure sufficient resources are allocated to the program. There should be representatives from procurement, legal, IT, and applicable business units to ensure critical aspects of risk are identified and mitigated.

As the old adage goes, “the devil is in the details,” and this is certainly true for developing and maintaining a Third-Party Risk Management Program. But the basics are truly pretty simple: identify, stratify, and monitor. Those are the fundamental elements of a successful program.


DAVID BARTON


Managing Director, UHY Advisors

David Barton is the leader of the Technology, Risk & Compliance Practice focused on information technology. He has over 30 years of practical experience in information systems and technology risk and controls.
