The Scale of Third-Party Risk
Third-party risk is not a niche concern. The SolarWinds supply chain attack affected thousands of organizations through a single vendor's compromised software update. The MOVEit vulnerability was exploited across hundreds of organizations that all used the same file transfer platform. Healthcare clearinghouse breaches routinely affect dozens of covered entities that rely on a single business associate. The pattern is consistent: a single vendor compromise creates impact across every organization that trusts that vendor.
Despite this demonstrated pattern, third-party risk management at most organizations consists of an annual security questionnaire sent to vendors, completed by vendor security or sales teams, reviewed perfunctorily, and filed until the following year. This process creates documentation of a vendor security review. It does not create meaningful reduction of third-party risk.
Building a Program That Actually Reduces Risk
Tier Your Vendors by Risk
Not all vendors present equal risk. A vendor with administrative access to your production systems, access to sensitive customer data, or integration with critical infrastructure presents materially different risk than a vendor providing commodity office supplies. Applying the same review process to every vendor wastes resources on low-risk relationships while applying insufficient rigor to high-risk ones.
A tiered approach categorizes vendors based on the data they access, the systems they connect to, the criticality of the services they provide, and the regulatory implications of their failure. Tier 1 vendors receive the most rigorous ongoing assessment. Tier 2 vendors receive periodic review. Tier 3 vendors receive lightweight qualification assessment.
Move Beyond Questionnaires for High-Risk Vendors
Questionnaires have a fundamental limitation: they measure what vendors say about their security, not what their security actually is. For Tier 1 vendors, supplement questionnaire responses with independent evidence: SOC 2 Type II audit reports or ISO 27001 certifications, penetration testing results, and contractual rights to audit that can be exercised if security concerns arise.
Address Vendor Security in Contracts
Security requirements belong in contracts, not just questionnaires. Service agreements with high-risk vendors should specify minimum security control requirements, incident notification obligations and timelines, audit rights, security review rights upon material changes, and consequences for security failures. Contracts negotiated without these provisions leave organizations with limited recourse when vendors fail to maintain adequate security.
Monitor Continuously, Not Annually
The annual questionnaire review model has another fundamental problem: a vendor that is secure in January can be compromised by March. Continuous monitoring approaches use external signals, security ratings platforms, dark web monitoring, and threat intelligence to surface indicators of vendor compromise or security degradation between formal reviews.
Concentration risk is an underappreciated dimension of third-party risk. Organizations that rely on a single vendor for a critical function have accepted both the security risk of that vendor's controls and the operational risk of that vendor's continuity. Both merit assessment.
Implementing a Tiered TPRM Program
- Inventory all vendors and categorize them based on data access, system integration, and service criticality
- Design review processes appropriate to each tier: deep due diligence for Tier 1, periodic review for Tier 2, lightweight qualification for Tier 3
- Build security requirements into standard contract templates for each vendor tier
- Implement continuous monitoring for Tier 1 vendors using external security rating signals
- Establish an ongoing vendor risk committee with representation from legal, procurement, IT, and security
- Review and update your vendor inventory at least annually and whenever significant new vendor relationships are established
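The tiering step of the program above, worked as an added example that is not part of the original article: each vendor is rated on the four dimensions the article names (data accessed, systems connected to, service criticality, regulatory implications), the highest-rated dimension decides the tier, and each tier maps to the review cadence, evidence and contract clauses described earlier. The three-level rating scales, the "highest dimension wins" rule, the review plan table and the sample inventory are all assumptions made for the example; the sole_source flag records concentration risk so that a continuity assessment is requested alongside the security one.

```python
"""Vendor tiering for a third-party risk program.

Added example, not the article's own code. Rating scales, the tiering rule,
the review plan table and the sample vendors are assumptions.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    TIER1 = 1  # rigorous ongoing assessment plus continuous monitoring
    TIER2 = 2  # periodic review
    TIER3 = 3  # lightweight qualification


# Assumed three-level scale per risk dimension: 0 = low, 1 = medium, 2 = high.
DATA_ACCESS = {"none": 0, "internal": 1, "sensitive": 2}       # sensitive: PHI, PII, credentials
SYSTEM_ACCESS = {"none": 0, "integrated": 1, "admin": 2}       # admin: privileged production access
CRITICALITY = {"commodity": 0, "important": 1, "critical": 2}  # impact if the service stops


@dataclass(frozen=True)
class Vendor:
    name: str
    data_access: str
    system_access: str
    criticality: str
    regulated: bool = False    # vendor failure has regulatory consequences (e.g. a HIPAA business associate)
    sole_source: bool = False  # no ready substitute: concentration risk


def risk_level(v: Vendor) -> int:
    """Highest-scoring dimension wins; a regulated dependency counts as high."""
    levels = [
        DATA_ACCESS[v.data_access],      # KeyError on an unknown value is intentional
        SYSTEM_ACCESS[v.system_access],
        CRITICALITY[v.criticality],
        2 if v.regulated else 0,
    ]
    return max(levels)


def assign_tier(v: Vendor) -> Tier:
    return {2: Tier.TIER1, 1: Tier.TIER2, 0: Tier.TIER3}[risk_level(v)]


# Assumed mapping from tier to the review process the article prescribes.
REVIEW_PLAN = {
    Tier.TIER1: {
        "cadence": "ongoing",
        "evidence": ["questionnaire", "SOC 2 Type II or ISO 27001 report",
                     "penetration test results", "audit rights exercised on concern"],
        "contract": ["minimum controls", "incident notification timeline", "audit rights",
                     "review on material change", "consequences for security failures"],
        "continuous_monitoring": True,
    },
    Tier.TIER2: {
        "cadence": "periodic",
        "evidence": ["questionnaire", "audit report if available"],
        "contract": ["minimum controls", "incident notification timeline"],
        "continuous_monitoring": False,
    },
    Tier.TIER3: {
        "cadence": "qualification",
        "evidence": ["lightweight qualification questionnaire"],
        "contract": ["standard security clause"],
        "continuous_monitoring": False,
    },
}


def tier_inventory(vendors):
    """Return {vendor name: (tier, review plan, concentration flag)} for an inventory."""
    result = {}
    for v in vendors:
        tier = assign_tier(v)
        # A sole-source vendor needs a continuity assessment in addition to the
        # security assessment, whatever its tier.
        result[v.name] = (tier, REVIEW_PLAN[tier], v.sole_source)
    return result


# Constructed sample inventory; these are not real vendors.
SAMPLE_VENDORS = [
    Vendor("managed-file-transfer", "sensitive", "integrated", "critical", regulated=True, sole_source=True),
    Vendor("msp-helpdesk", "internal", "admin", "important"),
    Vendor("marketing-analytics", "internal", "integrated", "important"),
    Vendor("office-supplies", "none", "none", "commodity"),
]


if __name__ == "__main__":
    for name, (tier, plan, concentrated) in tier_inventory(SAMPLE_VENDORS).items():
        flag = " [sole source: assess continuity]" if concentrated else ""
        print(f"{name}: Tier {tier.value}, review cadence {plan['cadence']}{flag}")
```

The "highest dimension wins" rule is deliberate: an additive score would let a vendor with administrative access to production but no data access average down into Tier 2, which is exactly the under-scoped review the article warns against. The helpdesk vendor in the sample lands in Tier 1 on system access alone for that reason.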