Own your risks: Third-party risk management

    In today’s hyperconnected business ecosystem, organizations are using more third parties to help produce and deliver goods and services – yet most don’t account for the corresponding rise in complexity and risks. Systems are interconnected, access to data has broadened, and vendors often lack critical security controls.

    As the use of third-party vendors increases, so does the need to manage the potential risks these business partners can bring. In a Securelink-Ponemon Institute study, 51% of surveyed organizations had experienced a data breach caused by a third party. The consequences can be crippling; in the U.S., costs associated with a data breach that originates with a third party are high and rising. The average cost of a U.S. data breach soared to $9.05 million in a 2021 report from IBM Security and Ponemon Institute, the highest of any country.

    CohnReznick’s Cybersecurity, Technology Risk, and Privacy practice works with organizations to develop strong Third-Party Risk Management (TPRM) programs that include an understanding of third-party technology risks and their connection to companies’ business processes. Our TPRM specialists have in-depth knowledge of regulatory requirements and of the evolving expectations of regulators. We also work with an array of solution providers to help create TPRM programs that address your specific needs for technologies and processes.

    How TPRM helps manage supplier risks

    An effective TPRM program puts vendor risks front and center and helps organizations gain visibility into, and an understanding of, the overall IT and security environment (technologies, processes, and people skills) of the third parties in their ecosystem. Each entity (vendors and their suppliers, supply chain companies, contractors, subcontractors, and members) represents an individual point of risk, and a breach of one can spread to the others, and to customers.

    Thus, each of the external parties that perform services or activities for your organization should be able to demonstrate cybersecurity, data privacy, and technology risk management capabilities that are commensurate with your own. Where those capabilities are lacking, financial, reputational, operational, and regulatory risks become more likely.

    A well-designed TPRM program can help organizations:

    • Identify critical suppliers
    • Assess dependencies
    • Classify and prioritize risks
    • Conduct thorough due diligence of third parties
    • Implement contractual protection requirements such as data protection policies, encryption, access controls, breach notifications, and periodic assessments of third-party risks
    • Develop criteria for notification of customers, donors, third parties, and law enforcement when a security incident and/or data breach occurs
    • Conduct ongoing employee training on third-party risks

    The benefits of TPRM

    A strong TPRM program helps organizations gain greater insight into the risks and an understanding of the responsibility they have for protecting their assets across their business ecosystem. Other valuable benefits can include:

    • Reduced occurrence and cost of data breaches
    • Fewer operational failures
    • Enhanced compliance with regulatory mandates
    • Improved security of remote-work programs

    CohnReznick TPRM Services

    • Third-party risk assessments and risk rating: We perform a risk assessment of new or existing vendors and assign a risk rating to each vendor to help companies develop policies and procedures and optimize the level of due diligence needed for each vendor based on its risk profile.
    • Vendor due diligence: We perform due diligence on the cybersecurity practices of third parties and follow up with each vendor to be sure they are addressing identified gaps, or provide them with a roadmap to doing so.
    • Governance and program design: Our team helps develop the policies, procedures, and oversight requirements for the entire TPRM program.
    • Establish and implement a TPRM program: We help set up how vendor management works within the organization, including the role of procurement, making sure that each business unit’s system requirements are well defined and that the vendor management program governs the process end to end.
    • Regulatory compliance: Some regulatory bodies explicitly require organizations to have a third-party risk management program in place. We assess company TPRM programs and make recommendations to identify and close gaps against those compliance requirements.
    • Outsourcing: We provide businesses with outsourced or managed services for enterprise-wide security programs focused on applicable risks and protecting the most critical data and systems.

    The CohnReznick difference

    At CohnReznick, our goal is to help you establish a clear vision of third-party risk management that addresses specific risks and supports your individual business strategy. Our threat management teams have deep experience across industries to help organizations develop and implement comprehensive third-party risk assessments and programs.


    Bhavesh Vadhani, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy


    Thomas McDermott, Director, Cybersecurity, Privacy, and Technology Risk


    Daryouche Behboudi, Managing Director, Cybersecurity, Privacy, and Technology Risk



