
Blog of cyber

As a business, you rely on numerous suppliers and partners to carry out your activities. While outsourcing can be a source of agility and performance, it can also expose you to risks and lead to data loss or business interruption.

And the consequences can be far-reaching, affecting your finances, regulatory compliance, and reputation. In fact, 73% of French companies report having experienced at least one business interruption caused by a third party.

That is why many organizations are committed to a third-party risk management approach. Third Party Risk Management (TPRM) involves deploying processes to identify, measure, and monitor potential risks from a third party.

This is a major challenge that affects the entire production and supply chain, as well as all of a company's departments (HR, accounting, purchasing, etc.).

Faced with constant regulatory pressure (GDPR, DORA, NIS 2), structuring this approach is becoming essential. How should you go about it? What tools should you adopt?

What is Third Party Risk Management (TPRM)?

Ensuring operational resilience

Third Party Risk Management (TPRM) encompasses the processes and methods used to “identify, assess, manage, monitor, and report risks associated with third parties such as suppliers, distributors, agents, partners, or other third parties” (Gartner definition). It covers cybersecurity risk as well as regulatory and legal compliance, procurement, supplier management, and the information system itself. In other words, it concerns every team and activity that interacts with third parties, whether directly or indirectly.

The objective is both to protect the company from disruptions related to its third parties and to anticipate risks in order to ensure business continuity.

The diversity of third-party risks

A company relies on many third parties in all areas of its business (suppliers, subcontractors, technology partners, etc.). Despite the attention paid to financial health and internal processes, choosing a third party is always a risk. In a global context disrupted by wars and economic fluctuations, Third Party Risk Management must enable companies to identify the risks associated with the partners they rely on.

• Technological risks

Cyberattacks are on the rise and affect all sectors of activity: industry, healthcare, government, etc. In 2024, the French National Cybersecurity Agency (ANSSI) reported a 15% increase in security incidents in companies compared to 2023. These attacks can shut down a business for several hours or even days.

A vulnerability in a SaaS tool, poorly secured access, or human error can become an entry point for cybercriminals. Third Party Cyber Risk Management (TPCRM) involves identifying these failures or weak points from a technological and cybersecurity perspective and adapting or correcting practices accordingly.

• Financial risks

In a turbulent global environment, financial strength is being scrutinized by purchasing departments. A supplier that is at risk of going out of business or that cannot guarantee delivery of its product or service can quickly become a problem.

It is also important to identify the risks of corruption or questionable practices and to verify that the company is being managed responsibly (compliance with regulations, CSR approach, etc.). Third Party Risk Management monitors suppliers on these points in order to detect any emerging risk or failure.

• Geopolitical risks

According to the International SOS study, 75% of decision-makers surveyed cite political and social unrest as a priority risk for their business and staff over the next 12 months. Geopolitical tensions have a direct impact on supplier management. Sanctions, transport problems, ineligibility based on geographical location, and regulatory instability all weaken a third party's business. This is why it is necessary to monitor these parameters through Third Party Risk Management.

Which third parties are affected by Third Party Risk Management?

The level of criticality can vary depending on the supplier. Some are directly involved in your information system. Others handle sensitive data. Finally, some may be at the heart of your business processes.

• IT and hosting providers (Cloud, SaaS, etc.)

They generally invest heavily in limiting the risk of attacks and ensuring business continuity (BCP, DRP, etc.). However, they may host sensitive, confidential, and personal data, sometimes outside the European Union. Their infrastructure (data centers) may also suffer breaches or physical incidents such as fires (for example, the OVH data center in Strasbourg in 2021).

• IT providers (digital services companies, publishers, integrators)

They work directly inside your information system. If their access is compromised, the whole IT infrastructure is exposed. According to a study by Positive Technologies, in 93% of penetration tests carried out on corporate networks, the testers were able to breach the perimeter and gain access to the local network.

• HR, accounting, or law firms

They handle confidential, personal, and strategic data (salaries, contracts, tax data). Outsourcing these activities poses a risk of data leaks and handling errors.

• Subcontractors in the logistics or industrial chain

A third-party logistics or production center may experience an incident. This can block the entire chain and directly impact your business continuity.

All of these players have internal processes in place to ensure operational resilience. Some are more rigorous than others, so it is up to you to judge the effort required to monitor those presenting the highest risks. In any case, regardless of your size, you are affected by these risks to a greater or lesser extent. It is the role of Third Party Risk Management to support this analysis and identify priorities for action.
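The tiering described above (direct access to the information system, sensitive data, core business processes) is usually turned into a repeatable rule so that the same supplier gets the same criticality whoever assesses it. The following is an added example, not code from Board of Cyber or from this article: the tier labels, the review cadences, and the four criteria are assumptions to adapt to your own policy, and the inventory is constructed for illustration. The design point it shows is that criticality should be the worst of the individual criteria, not their sum, so that one severe factor is never diluted by several benign ones.

```python
"""Third-party criticality tiering (added example; assumed criteria and cadences)."""
from dataclasses import dataclass

# Assumed review cadence in days per tier (1 = most critical); tune to your policy.
REVIEW_CADENCE_DAYS = {1: 90, 2: 180, 3: 365}

# Assumed mapping from the kind of data handled to a tier.
DATA_TIER = {"sensitive_personal": 1, "personal": 2, "internal": 3, "none": 3}


@dataclass(frozen=True)
class ThirdParty:
    name: str
    category: str          # e.g. "hosting", "it_services", "hr", "logistics"
    is_access: bool        # privileged or network access to your information system
    data_sensitivity: str  # key of DATA_TIER
    core_process: bool     # sits on a business-critical path (production, logistics)
    data_outside_eu: bool  # hosts or processes the data outside the European Union


def inherent_tier(tp: ThirdParty) -> int:
    """Return the inherent criticality tier, 1 (most critical) to 3.

    Every criterion produces its own tier and the worst one wins (min of the
    tier numbers). A max-severity rule is used instead of an additive score so
    that direct IS access or sensitive personal data alone forces tier 1.
    """
    tiers = [3]
    if tp.is_access:
        tiers.append(1)
    if tp.core_process:
        tiers.append(1)
    tiers.append(DATA_TIER[tp.data_sensitivity])
    # Personal data hosted outside the EU needs a transfer-mechanism review,
    # so it is escalated to tier 1 regardless of the other criteria.
    if tp.data_outside_eu and tp.data_sensitivity in ("personal", "sensitive_personal"):
        tiers.append(1)
    return min(tiers)


def review_plan(inventory):
    """Return (name, tier, review cadence in days) rows, most critical first."""
    rows = []
    for tp in inventory:
        tier = inherent_tier(tp)
        rows.append((tp.name, tier, REVIEW_CADENCE_DAYS[tier]))
    return sorted(rows, key=lambda row: (row[1], row[0]))


# Constructed sample inventory, one supplier per category discussed in the article.
SAMPLE_INVENTORY = [
    ThirdParty("cloud-host", "hosting", False, "personal", False, True),
    ThirdParty("msp-integrator", "it_services", True, "internal", False, False),
    ThirdParty("payroll-firm", "hr", False, "sensitive_personal", False, False),
    ThirdParty("marketing-saas", "saas", False, "personal", False, False),
    ThirdParty("office-supplies", "logistics", False, "none", False, False),
]

if __name__ == "__main__":
    for name, tier, days in review_plan(SAMPLE_INVENTORY):
        print(f"{name:16} tier {tier}  review every {days} days")
```

Running the script lists the hosting provider, the integrator, and the payroll firm as tier 1 for three different reasons (data outside the EU, IS access, sensitive personal data), the marketing SaaS as tier 2, and the stationery supplier as tier 3. The output of this inherent tiering is the starting point for due diligence; the residual tier after reviewing the supplier's controls is a separate decision.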

Why is Third Party Risk Management essential?

The proliferation of cybersecurity incidents

Gartner predicts that by 2025, 45% of organizations worldwide will have experienced an attack on their software supply chain, three times the 2021 level.

One of the most striking examples is SolarWinds, a company that provides network and infrastructure monitoring solutions. A trojanized build of its Orion platform, signed and distributed through the legitimate update channel, was delivered to around 33,000 customer organizations, public and private, of which up to 18,000 installed it. It was this malicious update that gave the attackers their initial access.

More recently, MOVEit Transfer, a managed file transfer product, suffered a mass exploitation campaign that affected more than 2,500 organizations. The entry point was a previously unknown SQL injection vulnerability (CVE-2023-34362) that let the attackers run arbitrary queries against the application's database and exfiltrate the files being transferred.

These two examples demonstrate the vulnerability that poorly managed third-party risks can represent for companies. And the consequences can sometimes be colossal for a business.

The consequences of poorly managed third-party risks

Beyond the legal implications, third-party failures can jeopardize a company's business. Recent attacks on hospitals such as those in Corbeil-Essonnes and Cannes severely disrupted patient care and treatment for several days.

In both cases, the stolen data was used to demand ransom. Ransomware attacks are becoming commonplace. In 2024, 86% of French companies were affected. Of these, 92% actually paid the ransom.

Finally, these successful attacks have a significant impact on the reputation of the company, which is deemed to be insecure or unreliable.

A stricter regulatory and compliance framework

French and European regulations encourage companies to control their Third Party Risk Management:

• the General Data Protection Regulation (GDPR): verify the conditions under which personal data is collected, processed, stored, and retrieved, in particular by processors acting on your behalf;

• DORA (Digital Operational Resilience Act): requires financial entities to assess and monitor the risks posed by their ICT third-party service providers with a view to operational resilience;

• ISO 27001 (a standard rather than a regulation, but widely used as a benchmark): implement, maintain, and improve an Information Security Management System (ISMS) covering the availability, integrity, and confidentiality of information;

• the new European NIS 2 Directive: strengthens cybersecurity in sensitive sectors within the European Union (energy, transport, health, water, digital infrastructure and services, etc.).

Focus on cyber risk management

In this context, CISOs have become very attentive to the security and compliance of third-party technology providers. Cybersecurity is now a major factor in the selection of an IT supplier: data access, authentication mechanisms, and hosting location are essential criteria. Third-party risk management (TPRM) is therefore evolving towards Third Party Cyber Risk Management (TPCRM), in which CISO and compliance teams identify potential points of failure, measure the associated risks, and implement continuous monitoring from the moment an IT service provider is selected.

Board of Cyber: building trust in your Third Party Risk Management

Adopting a cybersecurity posture

Faced with cyber threats, companies no longer have a choice but to address the cyber risk management of their third parties. To do this, they must first be aware of their vulnerabilities. This necessarily involves a comprehensive inventory of their third parties and the classification of risks, regardless of their role in the value chain. This approach must be considered on an ongoing basis, both to adopt proactive monitoring and to strengthen the system.

Third-party risk management is therefore becoming a priority for CIOs and CISOs. They must assess security flaws and risks and define an action plan to correct them. Continuous monitoring enables these risks to be anticipated as part of a digital operational resilience approach.

Board of Cyber: managing your TPRM strategy

Many companies are launching Third Party Risk Management programs. This approach, which is very often based on self-assessment, involves mobilizing IT teams at all levels of the business. It is time-consuming and relies heavily on self-reported information.

To improve efficiency, Third Party Cyber Risk Management integrates AI-based technological solutions to automate and optimize each step of the TPRM process.

This is the very purpose of Board of Cyber: to support companies and organizations in the continuous improvement of their cyber performance and that of their suppliers. Our SaaS Trust HQ and Security Rating solutions automate cyber governance to help CISOs identify, assess, and correct third-party risks. Ultimately, we provide cyber management tools for IT security and reliability to limit cybersecurity risks associated with third parties. More than 100 organizations already rely on our technologies to manage their third-party risks.

Third-party risk management is now essential. The regulatory and legal environment requires companies to implement third-party risk management strategies. Reducing vulnerabilities, anticipating failures, and ensuring compliance guide CIOs and CISOs in managing their cyber performance. Because it affects all parts of the company, TPRM should not be a one-off exercise. Continuous assessment and monitoring of third parties is key for organizations that want to gain peace of mind and make a difference. Adopting a proactive approach and deploying the right TPRM tools are essential to protect against third-party risks, particularly those related to cyberattacks.

FAQ

  1. What is Third Party Risk Management (TPRM)? TPRM is a process for identifying, assessing, and managing risks associated with external service providers, suppliers, and partners. It aims to protect the company from failures and incidents suffered by third parties and to limit their impact on its own business.

  2. Why is it important to manage third-party risks? Companies are increasingly facing the risk of attacks or incidents on their infrastructure. These failures can have a direct impact on the operations of the company that relies on the third party and cause disruptions to its own business.

  3. What types of risks does TPRM cover? TPRM mainly covers the following risks: • cyber (data leaks, attacks via the supply chain), • legal (regulatory non-compliance), • operational (supplier failure), • reputational (loss of trust following damage).

  4. What is the regulatory framework for TPRM? Various European regulations and international standards require companies and organizations to protect themselves against third-party risks (GDPR, DORA, NIS 2, ISO 27001).

  5. What steps should be taken to structure a TPRM program? A TPRM program is based on: • supplier mapping, • initial and ongoing risk assessment, • due diligence questionnaires, • contracts with security/compliance clauses, • regular monitoring and audits.
