AI Summarize

Share

With increasing cyberattacks and data breaches, as well as stricter privacy laws, organisations are increasingly implementing measures to protect themselves and their data. One necessary step is called third-party risk management (TPRM), which helps to protect your business against risks from partners, vendors, contractors, and other third parties that you work with.

If your business works with one or more third parties, you should have a TPRM program in place. In particular, if you have to comply with the General Data Protection Regulation (GDPR), California Privacy Rights Act (CPRA) or the Personal Information Protection and Electronic Documents Act (PIPEDA), among other laws, you will have legal obligations to mitigate third party risk. You will also have obligations to check the compliance of any third parties you work with.

This article will cover what TPRM is, what some of the potential risks from third parties are, why TPRM is important, how to implement a program and some of the key principles you should follow.

Let's begin.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.



What is Third-Party Risk Management?

Third-party risk management (TPRM) is the process of dealing with risks such as data breaches or cybersecurity issues, coming from "third parties". Third parties include service providers, contractors, business associates, suppliers, agencies, affiliates and any other organisation that connects with your organisation or business.

For example, a third party could be a customer service organisation that you work with. Or, it could be a bank or lending institution, domain host, a tool that you use, or a contractor that you hire.

Risk management for risks coming from third parties involves carefully checking vendors and companies you work with, assessing third party security and risk levels, as well as continually monitoring the risk. You also need to consider what your obligations are under the law.

We'll look at those topics in more detail later in this article.

What Are Third-Party Risks?

There are a number of different risk types that you need to consider when managing third party risk. Some possible risks that come from third parties include:

  • Legal risk: These are risks that could affect your compliance, regulatory and legal obligations. Third parties can put your business at risk if it can be shown that you didn't assess their security or privacy measures appropriately, and a breach or loss occurs.
  • Reputational risk: There is a risk to your reputation if you work with a third party that turns out to be unreliable or causes loss. Poor data security from a third party could lead to a data security breach of your customer data, which looks bad for your business and your trustworthiness. 
  • Cybersecurity risk: Every additional third party that you work with and share data with, increases your cybersecurity risk. There are ways to mitigate this, and a TPRM program is one of them.
  • Privacy risk: There are risks to the personal data and privacy of your customers and users, every time you share their data. If you work with third parties that process customer data, you need to consider the privacy risk.
  • Financial risk: If a major breach or loss occurs, your business could suffer financial losses. If you work with unreliable partners or third parties that cause loss, other partners may also think of you poorly and might not want to work with you.
  • Operational risk: Without proper risk management processes, your onboarding and procurement processes can become slow and inefficient. The failures of third parties can cause operational problems for your business, if security and privacy is not taken seriously, and incidents need to be responded to. This slows your business down and causes disruptions.

Now let's take a look at why managing these risks matters so much.

Why is Third-Party Risk Management Important?

Third-party risk management is important because even if you implement cybersecurity protections, access controls, operational processes, firewalls, encryption, education of staff, and privacy practices, third parties can still create data losses, exposures, or breaches.

Managing these risks with a well-considered risk management program matters because:

  • The more the"attack surface" (possible entry points or vulnerabilities) for a breach is increased, the more access points there are to data. When you are dealing with third parties, each additional party adds more attack surface.
  • It's very difficult to work without any third parties
  • It's hard to get a full picture of the security situation of any third party, as you cannot completely see into their processes

This makes risk management and assessment so important.

In addition, many laws and regulations, including the GDPR, CCPA, and PIPEDA, require that you protect the privacy and security of the data of your customers.

Here's a comparative table showing requirements across GDPR, CPRA, and PIPEDA:

Law Must Assess Vendors? Written Contract Required? Must Monitor Compliance?
GDPR Yes Yes, see Art. 28 Yes
CPRA Yes Yes, see Section 1798.100(d)) Yes (audits/monitoring)
PIPEDA Yes Yes, see 4.1.3) Yes (organizational controls)

Let's take a look at each of those laws in more detail.

What the GDPR Requires for TPRM

The General Data Protection Regulation (GDPR) is an EU law that protects the personal data of EU residents. If you are, or could be processing the data of EU residents, you'll need to comply with the GDPR. Personal data includes things like name, email address, IP address, purchasing data, bank information, and more.

GDPR Article 24 states that you have to "implement appropriate technical and organisational measures" to protect personal data that you collect, process or transfer for processing.

To do this, you also have to consider the "nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons". You can see this in Article 24 below:

Screenshot of Article 24 of the General Data Protection Regulation (GDPR)

This means that you, the "data controller" (i.e. the business collecting or processing personal data) are responsible for protecting users' personal data.

Article 28 also states that if someone else is processing data you have collected, you should only work with processors who have also provided "sufficient guarantees to implement appropriate technical and organisational measures" themselves. You can see this in the text below:

Excerpt from GDPR Article 28 detailing security protection requirements for third-party data processors

This means part of your risk assessment needs to examine the technical and organisational measures of any other processors you work with.

Recital 76, which supports Article 24, also states that "Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk". You can see this in the text below:

Snapshot from GDPR Recital 76, explaining the need for objective risk assessment

Conducting an objective assessment of risk means also assessing the risks that third parties pose to your data.

Recital 78 expands on this, stating that "In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default".

You can see this in the text of Recital 78 below:

Excerpt from GDPR Recital 78, emphasizing the need for data protection by design and default

Having an appropriate organisational TPRM process is an excellent way to comply with this regulation and to show that data protection is built into the structure of how your business treats data processing.

Your TPRM Responsibilities under CPRA or CCPA

The California Privacy Rights Act (CPRA) and California Consumer Privacy Act (CCPA) are two privacy laws that govern the personal information of California residents.

The CCPA, in section 1798.100.(e), states that businesses collecting personal information "shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information" in accordance with section 1798.81.5 of the California code. You can see this below:

Photo of CCPA section 1798.100(e) which underlines the need for businesses to implement reasonable security measures

Section 1798.100. (d) also requires, if you sell or share personal information with "a third party or that discloses it to a service provider or contractor for a business purpose", that you have to "enter into an agreement with the third party, service provider, or contractor" to protect the privacy rights of the individual.

You can see this in the image below.

Text screenshot from CCPA section 1798.100(d) emphasising the need for businesses to have an agreement in place with third parties handling personal data

Section 1798.81.5 (c) of the California Code also requires "nonaffiliated" third parties (i.e. third parties not subject to the CCPA themselves) to "require by contract that the third party implement and maintain reasonable security procedures and practices", as shown below:

Excerpt from Section 1798.81.5(c) of the California Code requiring third parties to implement reasonable security procedures and practices

In the definition of "Contractor" under the CCPA, part of the contract must require that the business (i.e. you) can monitor the contractor's compliance, through "manual reviews and automated scans and regular assessments, audits, or other technical and operational testing." You can see this requirement in the image here:

Screenshot of section from CCPA defining Contractor and their compliance requirements

As your agreements with contractors should require that they implement security procedures and practices, this is part of the compliance that you should monitor through reviews and audits.

TPRM and Canada's PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a data protection law applying to organisations in Canada that collect or process personal information. If you are based in Canada, you'll need to comply with PIPEDA.

PIPEDA also requires you to protect the personal information that is under your control. This continues to apply in circumstances where you may transfer that data to a third party.

PIPEDA requires you to comply with a number of principles, and implement measures to ensure your compliance.

For example, under Principle 1, Accountability, section 4.1.3, you are responsible for personal information in your possession, including information you transfer to third parties. The full text of 4.1.3 is produced here:

Part of PIPEDA Principle 1, Accountability, section 4.1.3, highlighting the responsibility organizations have over personal information

You can see that contractual or "other means" should be used to make sure a comparable level of protection is applied by third parties.

You can also see under section 4.1.4, you are required to implement policies and practices to give effect to the PIPEDA principles.

Excerpt from PIPEDA section 4.1.4, underlining the necessity of implementing policies and practices to ensure data protection

This includes implementing procedures to protect personal information.

In section 4.7.3 below you can see that the methods of protection should include physical measures, organisational measures, and technological measures.

Snippet from PIPEDA section 4.7.3 detailing the methods of data protection

A TPRM program is a part of your "organisational measures" to protect personal data.

Now let's take a look at what a TPRM program involves.

What Should a Third-Party Risk Management Program Involve?

A TPRM program should feed into your overall risk management strategy. Third-party risk management has a number of best practices and principles that can help to guide you.

A good third party risk management program should include these steps:

  • Planning
  • Getting buy-in and engagement from your staff and partners
  • Risk assessment and due diligence
  • Integrating your TPRM program
  • Carrying out continuous monitoring and auditing

Let's take a look at each of those in more detail.

Planning

First, good planning needs to take place to make sure that your TPRM program is suited to your needs.

Think about what personal data is collected and processed by your business. Consider the sensitivity and extent of this personal data, and the risks of breach.

Also consider which third parties you could work with, or are already working with. Look at what data is shared with them, and for what purposes.

Establish a clear risk-level assessment that considers which types of information or processing are lower risk, and which types are higher risk.

With good planning you can set up a clear TPRM program that helps your business to manage risk with your partners and contractors.

Getting Buy-in and Engagement from Staff and Partners

One of the most important principles behind your TPRM program is that everyone needs to be on board with the measures you will take.

This includes the different teams within your business, including the management level. You also need your employees to know what steps they need to take for your TPRM program, and how they can maintain compliance.

One important team you need to coordinate well with is your privacy team. Third party risks can have a big impact on the safety, security and privacy of your data, including corporate data as well as the personal information of your users or customers.

You also need to make sure that your TPRM is aligned with privacy laws you need to comply with. Working together can help you do this.

In addition, you need to be able to work with your vendors, contractors, and other third parties, to find out information about their processes. Some of this information may be not accessible to outsiders, so they need to be on board with your risk management approach.

Risk Assessment and Due Diligence

When you start actually conducting the risk assessment process, you need to consider a number of factors.

  • For example, think about whether the third party you are working with has access to personal data, which types of data, and how sensitive this data is.
  • Also think about whether they have a plan or process in place to protect personal data, as well as a process for responding to breaches or incidents.
  • Compare the contractor or third party with industry standards, and assess their security approach based on common practice, given the sensitivity, type, and amount of data they are dealing with.
  • Then, consider whether to approve or deny the contractor or vendor for work with you.

Integrating Your TPRM Program

Your TPRM program needs to be well-integrated into all parts of your business.

This includes, most specifically, your internal and external risk assessment teams, your auditing team, your privacy and legal teams, and your procurement team.

Your procurement team needs to use this TPRM program when assessing possible vendors or contractors that you might work with. The privacy and legal team needs to also consider whether your TPRM program is sufficient for meeting your compliance obligations.

Continuous Monitoring and Auditing

Once your TPRM program is established, you should continue to monitor your program's performance, and consider whether it needs to change in any way.

You also need to continuously monitor and audit any third parties that you work with, as their security approaches, access to data, or risk levels can change.

What Are the Benefits of Third-Party Risk Management?

There are a number of benefits when carrying out this TRPM. First, it reduces your risk of legal compliance issues, as well as risks to your reputation, organisation, and your user or customer privacy.

When you have a good TPRM program, this shows your customers and partners that you are a reliable, organised business, who has a process in place to manage risk. This shows that you are trustworthy and transparent as well.

It also gives you a clear, standardised process for dealing with third parties, and makes sure that your risk assessment processes go smoothly.

Third-Party Risk Management Compliance Checklist

One approach you can take is to set up a TPRM compliance checklist, to help ensure you maintain compliance and good practices. A checklist is a structured approach to checking your third-party vendors and contractors.

This checklist should include:

  • Identify vulnerabilities: Think about what services you provide, what data you collect, and what information third parties have access to.
  • Make a list of all current third parties: Find out all of the current third parties you are using, and any that you plan to use.
  • Create a vendor questionnaire for all new vendors: When onboarding, make sure that you have a questionnaire to check all new vendors and determine their risk.
  • Organise third parties based on risk: Determine which parties have access to what data, and how sensitive this data is. Consider what is low, medium, or high risk considering the context of your business. Give each third party a risk score.
  • Conduct due diligence: Find out information on service-level agreements, contracts with vendors, security policies, finance reports, data transfer agreements, and any other data-sharing agreements you have in place with each third party.
  • Contract updates: If your contracts are missing key clauses, add information on breach notification timelines, disclosures (about breaches), data localisation rules, rights to conduct audits, and warranties of compliance with relevant laws and regulations.
  • Assess the security controls of each third party: Find out information from third parties about their security practices, access controls, privacy controls, and incident response plans.
  • Check regulatory compliance: Have discussions with vendors about regulatory compliance, and check what processes they have in place to comply.
  • Onsite and system checks: Check both system controls and audit logs, and make an onsite analysis of vendor security, privacy, and incident response plans. Make sure you will continue to have access to the necessary information and systems.
  • Collaborative response: If an incident occurs, make sure that your third-parties are included in your response plans. Make sure everyone is clear on what their obligations are.
  • Continuous monitoring: Create a continuous monitoring plan to check vendor and third-party compliance, as things may change over time.
  • Third-party offboarding: If you close a contract with a third-party, make sure you have a process in place to remove their access to data. Third parties should also confirm data deletion if they have any data stored.

Real-World Examples

One notable case in which third-party risk management cost a business significantly, is the 2017 Target case.

Target paid a $18.5 million USD settlement, after customer credentials were stolen through a third-party contractor. The contractor was an HVAC vendor, and Target customer credit and debit information was accessed through a billing system managed by the HVAC company.

Another example is the German Regulator, the Federal Commissioner for Data Protection and Freedom of Information, which fined the telecommunications company 1&1 Telecom GmbH €9.55 million.

This was after the company's customer service hotline was misused to access extensive personal data of customers, after only providing the date of birth and name of the customer. This was seen to be a breach of the GDPR and a failure to take "appropriate technical and organisational measures".

Summary

Third-party risk management is an important part of managing a business or organisation, particularly if your business is growing and working with many third parties. An interconnected business with different vendors, contractors, and services is common, but security and risk management processes all too often fall through the cracks.

Be sure to set up a robust and methodical third party risk management program, with buy-in from your employees, using accurate information and a well-planned process, key risk assessment measures, and integration with your procurement teams. Then, set up continuous monitoring to make sure everything keeps working as it should.

With a good third-party risk management program, you can protect your business and users from harm, maintain your business reputation, and head off any compliance, financial, and other risks.

Consider performing a third-party risk audit today to identify gaps in your compliance and protect your business before regulators or customers come knocking.

Privacy Policy Generator
The first step to compliance: A Privacy Policy.

Stay compliant with our agreements, policies, and consent banners — everything you need, all in one place.

Generate Privacy Policy