Own your risks: Third-party risk management

In today’s hyperconnected business ecosystem, organizations are using more third parties to help produce and deliver goods and services – yet most don’t account for the corresponding rise in complexity and risks. Systems are interconnected, access to data has broadened, and vendors often lack critical security controls.

As the use of third-party vendors increases, so does the need to manage the potential risks these business partners can bring. In a Securelink-Ponemon Institute study, 51% of surveyed organizations had experienced a data breach caused by a third party. The consequences can be crippling; in the U.S., costs associated with a data breach that originates with a third party are high and rising. The average cost of a U.S. data breach soared to $9.48 million in a 2023 report from IBM Security and Ponemon Institute, the highest of any country.

CohnReznick’s Cybersecurity, Technology Risk, and Privacy practice works with organizations to develop strong Third-Party Risk Management (TPRM) programs that include an understanding of third-party technology risks and their connection to companies’ business processes. Our TPRM specialists have in-depth knowledge of regulatory requirements and evolving response of regulators. We also work with an array of solution providers to help create TPRM programs that address your specific needs for technologies and processes.

How TPRM helps manage supplier risks

An effective TPRM program puts vendor risks front and center and helps organizations gain visibility into and an understanding of the overall IT and security environment – technologies, processes, and people skills – of the third parties in their ecosystem. Each entity – vendors (and their suppliers), supply chain companies, contractors, subcontractors, and members – represents an individual point of risk, and a breach of one can spread to others, and to customers.

Thus, each of the external parties that perform services or activities for your organization should be able to demonstrate cybersecurity, data privacy, and technology risk management capabilities that are commensurate with your own. Lacking that, financial, reputational, operational, and regulatory risks become more likely.  

A well-designed TPRM program can help organizations:

• Identify critical suppliers
• Assess dependencies
• Classify and prioritize risks
• Conduct thorough due diligence of third parties
• Implement contractual protection requirements such as data protection policies, encryption, access controls, breach notifications, and periodic assessments of third-party risks
• Develop criteria for notification of customers, donors, third parties, and law enforcement when a security incident and/or data breach occurs
• Conduct ongoing employee training on third-party risks

The benefits of TPRM

A strong TPRM program helps organizations gain greater insight into the risks and an understanding of the responsibility they have for protecting their assets across their business ecosystem. Other valuable benefits can include:

• Reduced occurrence and cost of data breaches
• Fewer operational failures
• Enhanced compliance with regulatory mandates
• Improved security of remote-work programs

CohnReznick TPRM Services

• Third-party risk assessments and risk rating: We perform a risk assessment of new or existing vendors and assign a risk rating to each vendor to help companies develop policies and procedures and optimize the level of due diligence needed for each vendor based on its risk profile.
• Vendor due diligence: We perform due diligence on the cybersecurity practices of third parties and follow up with each vendor to be sure they are addressing identified gaps, or provide them with a roadmap to doing so.
• Governance and program design: Our team helps develop the policies, procedures, and oversight requirements for the entire TPRM program.
• Establish and implement a TPRM program: We help set up how vendor management works within the organization, including the role of procurement, making sure the systems requirements of each business unit are well defined, and the vendor management program manages the process. 
• Regulatory compliance: Some regulatory bodies explicitly require organizations to have a third-party risk management program in place. We assess company TPRM programs and make recommendations to identify and close gaps with their compliance requirements.
• Outsourcing: We provide businesses with outsourced or managed services for enterprise-wide security programs focused on applicable risks and protecting the most critical data and systems.