

TPRM (Third-Party Risk Management) is part of a proactive approach to monitoring and controlling risks associated with supplier failure. In a context where companies and government agencies rely heavily on external partners (IT service providers, SaaS publishers, HR firms, etc.), third-party assessment is essential.

TPRM in a nutshell

Definition and principle of third-party risk management

TPRM refers to all practices aimed at identifying, assessing, and managing risks associated with suppliers, subcontractors, or external partners. Its scope extends to cybersecurity, compliance (legal and regulatory), financial, and technological risks.

Cyber risks are the main focus. In France alone, ANSSI (the national cybersecurity agency) handled more than 4,300 security incidents in 2024, up 15% from 2023. A breach at a third party can compromise the security, compliance or reputation of a brand and bring its business to a standstill.

Why implement a TPRM approach?

• Adopt a cyber posture: faced with a multitude of cyberattacks, both private and public companies must take a proactive approach to cybersecurity. This necessarily involves a better assessment of their third parties and the associated risks.
• Ensure operational resilience: this involves measuring the company's dependence on its third parties, the risks associated with a potential failure, and the impact on the business (production chain, technological risks, etc.).
• Ensure compliance: new cybersecurity and data protection rules require companies to be particularly vigilant. Regulations such as the General Data Protection Regulation (GDPR) are becoming stricter and require organizations to increase the number of internal audits and controls to remain compliant.

Key steps in a TPRM program

For all these reasons, defining and deploying a TPRM approach is essential. This approach requires a methodology and monitoring and control tools.

1. Identification of third parties and mapping of dependencies

The first step in a TPRM program is to identify all third parties involved in the company's business. These may include suppliers, subcontractors, technology partners, or service providers. This mapping is not limited to the technological domain. The inventory includes human resources, finance, legal, production and supply chains, and, of course, information systems management.

Third-party risk management focuses on analyzing dependencies in order to understand:
• the flow of data between the company and the third party;
• the services or processes impacted in the event of an incident;
• any interdependencies between several suppliers.

Supplier management tools enable the centralization of contractual, technical, and legal information that can be used in the TPRM.

There are different types of third-party risks:
• Cyber risks: assess the third party's cybersecurity posture. The company can consult incident history, IT security audit reports, documents certifying compliance with standards and regulations (ISO 27001, NIS2, DORA, etc.), and the procedures the third party follows in the event of a confirmed attack.
• Data risks: analyze the type and sensitivity of the data exchanged between the third party and the company. Particular attention may be paid to exchange protocols, data integrity and confidentiality, and compliance with GDPR requirements.
• Reputational risks: measure the impact of a supplier's failure on the company's reputation, in particular the damage to the company's image among its customers. Reputational risk can also relate to ethical practices, media exposure, or alleged links to political parties.
• Operational risks: identify critical dependencies for the company's business. For some third parties, the cessation of their activities can disrupt the entire production chain. For these suppliers, a business continuity or recovery plan must be defined and ready to activate.

This assessment can be based on questionnaires, audits, or cyber rating platforms. It must also be accompanied by constant monitoring of third parties.

2. Risk assessment and supplier classification

Not all suppliers present the same level of risk. The TPRM program should enable third parties to be segmented according to their level of criticality:
• Critical: suppliers with a direct impact on production or security
• Important: essential but non-vital business services
• Moderate: support or assistance partners
• Low: service providers without access to strategic resources

This classification then determines the level of control to be applied.
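Steps 1 and 2 worked together as an added Python example. This is not Board of Cyber's code; the inventory, supplier names, service bands and tier rules are constructed assumptions. It goes one step beyond the text by following each supplier's own subcontractors, so that a fourth party nobody contracted with directly still gets the criticality its real blast radius deserves.

```python
"""Dependency mapping and criticality tiering for third parties.

Added example for this article; not Board of Cyber's code. The inventory,
supplier names, service bands and tier rules below are constructed assumptions.
"""
from collections import deque

# Constructed inventory: business service -> third parties it depends on directly.
SERVICE_DEPENDENCIES = {
    "order-processing": ["erp-saas"],
    "payroll": ["hr-firm"],
    "customer-portal": ["cdn-provider", "iam-saas"],
    "office-it": ["helpdesk-msp"],
}

# Constructed chain: third party -> its own subcontractors (fourth parties).
SUPPLIER_DEPENDENCIES = {
    "erp-saas": ["cloud-host"],
    "iam-saas": ["cloud-host"],
    "cdn-provider": [],
    "hr-firm": [],
    "helpdesk-msp": [],
    "cloud-host": [],
    "marketing-print": [],  # nothing in the inventory depends on it
}

# Assumed banding of services: vital = direct impact on production or security,
# essential = needed for the business but not vital, support = assistance only.
SERVICE_BAND = {
    "order-processing": "vital",
    "payroll": "essential",
    "customer-portal": "essential",
    "office-it": "support",
}

# Assumed level of control per tier (the tier drives the controls applied).
TIER_CONTROLS = {
    "critical": "full questionnaire, evidence review, on-site audit, continuous rating",
    "important": "full questionnaire, evidence review, continuous rating",
    "moderate": "short questionnaire, annual review",
    "low": "self-declaration at onboarding",
}


def reverse_edges(supplier_deps):
    """Map each supplier to the suppliers that depend on it (edges reversed)."""
    rev = {s: set() for s in supplier_deps}
    for supplier, subs in supplier_deps.items():
        for sub in subs:
            rev.setdefault(sub, set()).add(supplier)
    return rev


def impacted_services(supplier, service_deps=SERVICE_DEPENDENCIES,
                      supplier_deps=SUPPLIER_DEPENDENCIES):
    """Return every business service impacted if `supplier` fails.

    Walks up the chain through intermediaries, so a fourth party shows its full
    blast radius. The visited set keeps the walk finite even with mutual dependencies.
    """
    rev = reverse_edges(supplier_deps)
    affected = {supplier}
    queue = deque([supplier])
    while queue:
        current = queue.popleft()
        for dependent in rev.get(current, ()):
            if dependent not in affected:
                affected.add(dependent)
                queue.append(dependent)
    return {svc for svc, direct in service_deps.items() if affected.intersection(direct)}


def classify(supplier, service_deps=SERVICE_DEPENDENCIES,
             supplier_deps=SUPPLIER_DEPENDENCIES, bands=SERVICE_BAND):
    """Assign a tier from the highest band among the services the supplier can take down."""
    hit = {bands[svc] for svc in impacted_services(supplier, service_deps, supplier_deps)}
    if "vital" in hit:
        return "critical"
    if "essential" in hit:
        return "important"
    if "support" in hit:
        return "moderate"
    return "low"


def build_register(service_deps=SERVICE_DEPENDENCIES, supplier_deps=SUPPLIER_DEPENDENCIES):
    """One row per third party: tier, impacted services and the control level it implies."""
    register = {}
    for supplier in supplier_deps:
        tier = classify(supplier, service_deps, supplier_deps)
        register[supplier] = {
            "tier": tier,
            "impacts": sorted(impacted_services(supplier, service_deps, supplier_deps)),
            "controls": TIER_CONTROLS[tier],
        }
    return register


if __name__ == "__main__":
    for name, row in build_register().items():
        print(f"{name:16} {row['tier']:10} impacts={row['impacts']}")
```

In this constructed inventory the hosting provider is two hops away from any business unit, yet it ends up in the critical tier because order processing runs on it through the ERP SaaS; a register built only from the purchasing department's contract list would have missed it.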

3. Third-party risk control and appropriate contractual arrangements

A TPRM strategy is based on the control and monitoring of the various third parties. It involves preventive measures proportionate to the level of criticality defined for each supplier. The controls also serve to detect any change that would move a supplier to a higher level of criticality, which would require that third party to be reassessed and reclassified. To this end, various measures can be put in place:
• Security controls: check authentication protocols, access management, and the protection of data exchanged with the supplier.
• Contractual clauses: verify SLAs, remediation plans, and notification procedures in the event of an incident. Contractual controls also cover the conditions under which the third party can be audited.
• Regulatory commitments: verify the third party's compliance with the GDPR, the conditions under which data is hosted, and the certifications and qualifications it holds.

This control process within the TPRM must result in the formalization of requirements in a bilateral contract. If the scope of the engagement changes, the contractual framework can then be revised.

4. Continuous monitoring, cybersecurity audit, and remediation

A TPRM program is not set in stone. It must evolve with the context, threats, and incidents. Continuous monitoring gives real-time visibility of the supplier relationship and better anticipation of failures. Regular audits, on-site or remote, allow you to keep a constant eye on your third parties. Audit reports identify areas for improvement and enable you to work with the supplier to correct the identified risks. The TPRM approach involves taking a proactive stance by anticipating vulnerabilities or attacks. Automated alerts flag changes in a supplier's situation, such as a drop in rating or an increase in criticality. These monitoring systems enable daily monitoring of the most at-risk third parties and the deployment of remediation plans to correct non-compliance issues.

Best practices and tools for automating TPRM

Third-party risk management is based on a structured approach and requires the deployment of technological tools to automate, streamline, and secure third-party management processes.

Centralize cybersecurity audits and information gathering

The first challenge is to identify hundreds of suppliers. This involves compiling a list of all third parties across all internal departments (HR, marketing, production, IT, etc.). The real challenge is to go from 10 to thousands of suppliers being monitored without multiplying the number of questionnaires or duplicating work.

Spreadsheets can be used to collect all this information, but they pose a real risk and waste time (missing information, multiple manipulations, emailing, etc.).

Continuous, non-intrusive analysis of the organization's assets facilitates this inventory. It provides a comprehensive view of the company's cyber maturity. Using dashboards, CISOs identify areas for improvement among their third parties. From the contract phase onwards, a supplier due diligence process ensures proactive control of suppliers. Finally, cyber performance measurement tools enable the approach to be shared across all companies or business units within a large group or investment fund.

Using cyber rating platforms for TPRM

Companies rely on continuous rating tools. These platforms aggregate public data or data from cyber surveillance infrastructures:
• Presence of open or misconfigured ports
• Expired TLS (SSL) certificates
• Known unpatched vulnerabilities
• History of attacks, leaks, or compromises

These platforms assign an overall score assessing an organization's cyber performance. The score allows companies to monitor the risks to which they are exposed in real time and correct vulnerabilities. This external monitoring enhances visibility into suppliers' security posture and alerts you in the event of any deviation. Because these signals are collected from outside the supplier's perimeter, a good score shows an absence of visible exposure rather than the presence of internal controls; it complements questionnaires and audits rather than replacing them.

Monitor changes in a third party's cyber posture

In a TPRM approach, vulnerability detection must be proactive. Real-time alerts can be set up to notify you of any critical changes in a third party's situation. CISOs can then identify the vulnerability and initiate protocols and corrections. It is also important to be notified immediately of any public incidents, attacks, or known data breaches. A supplier's assessment also covers their cybersecurity compliance gap. Monitoring platforms enable you to track regulatory changes and identify their impact on third parties. The ultimate goal is to anticipate changes in cyber posture throughout the year without waiting for the annual IT security audit.
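The two preceding sections, rating from external signals and alerting on a change in posture, worked as an added Python example. This is not a Board of Cyber product or its scoring algorithm: the observations, penalty weights, tier floors and drop threshold are constructed assumptions chosen only to show the mechanics on a 0-1000 scale. The observation date is passed in explicitly so that certificate-expiry checks are reproducible.

```python
"""Scoring external posture signals and alerting on deviations.

Added example for this article; not a Board of Cyber product or algorithm.
The observations, penalty weights, tier floors and drop threshold are
constructed assumptions.
"""
from datetime import date, timedelta

# Services a supplier should not expose to the internet (assumption).
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 1433: "MSSQL", 3389: "RDP", 27017: "MongoDB"}
VULN_PENALTY = {"critical": 200, "high": 100, "medium": 40, "low": 10}
# Minimum acceptable score per criticality tier (assumption).
TIER_FLOOR = {"critical": 800, "important": 700, "moderate": 600, "low": 500}
DROP_THRESHOLD = 100  # points lost between two snapshots that warrants an alert


def findings(snapshot, as_of):
    """Turn one external snapshot into (reason, penalty) pairs.

    `as_of` is an ISO date string ("YYYY-MM-DD") giving the observation date.
    """
    today = date.fromisoformat(as_of)
    out = []
    for port in snapshot.get("open_ports", []):
        if port in RISKY_PORTS:
            out.append((f"{RISKY_PORTS[port]} exposed on port {port}", 150))
    for cert in snapshot.get("certificates", []):
        not_after = date.fromisoformat(cert["not_after"])
        if not_after < today:
            out.append((f"expired certificate on {cert['host']}", 100))
        elif not_after - today <= timedelta(days=30):
            out.append((f"certificate on {cert['host']} expires within 30 days", 30))
    for vuln in snapshot.get("known_vulnerabilities", []):
        severity = vuln["severity"].lower()
        out.append((f"unpatched {severity} finding: {vuln['summary']}", VULN_PENALTY[severity]))
    for incident in snapshot.get("public_incidents", []):
        out.append((f"public incident: {incident}", 150))
    return out


def score_snapshot(snapshot, as_of):
    """Score on a 0-1000 scale: start at 1000, subtract the penalties, floor at 0."""
    return max(0, 1000 - sum(penalty for _, penalty in findings(snapshot, as_of)))


def posture_alerts(previous_score, current_score, tier):
    """Alert on a sharp drop, or on falling below the floor for the supplier's tier."""
    alerts = []
    drop = previous_score - current_score
    if drop >= DROP_THRESHOLD:
        alerts.append(f"score dropped {drop} points ({previous_score} -> {current_score})")
    if current_score < TIER_FLOOR[tier]:
        alerts.append(f"score {current_score} is below the {TIER_FLOOR[tier]} floor for a {tier} supplier")
    return alerts


# Constructed observations for one fictional supplier on two dates.
SNAPSHOT_JUNE = {
    "open_ports": [443, 22],
    "certificates": [{"host": "portal.supplier.test", "not_after": "2025-06-15"}],
    "known_vulnerabilities": [{"severity": "medium", "summary": "outdated web server version"}],
    "public_incidents": [],
}
SNAPSHOT_JULY = {
    "open_ports": [443, 22, 3389],  # RDP newly exposed
    "certificates": [{"host": "portal.supplier.test", "not_after": "2025-06-15"}],  # now expired
    "known_vulnerabilities": [
        {"severity": "medium", "summary": "outdated web server version"},
        {"severity": "high", "summary": "VPN appliance missing vendor patch"},
    ],
    "public_incidents": [],
}


def run_example():
    """Score both snapshots for a critical-tier supplier and return what would be alerted."""
    june = score_snapshot(SNAPSHOT_JUNE, "2025-06-01")
    july = score_snapshot(SNAPSHOT_JULY, "2025-07-01")
    return june, july, posture_alerts(june, july, "critical")


if __name__ == "__main__":
    june, july, alerts = run_example()
    print(f"June: {june}  July: {july}")
    for reason, penalty in findings(SNAPSHOT_JULY, "2025-07-01"):
        print(f"  -{penalty:4} {reason}")
    for line in alerts:
        print("ALERT:", line)
```

The June snapshot scores 930 and the July one 610: a certificate that was merely close to expiry has lapsed, RDP has appeared on the perimeter and a high-severity finding has been added. The drop alone trips the alert, and for a critical-tier supplier the new score also sits below the floor, so the CISO is notified twice before the annual audit would have looked at this supplier.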

Managing TPRM via dashboards

TPRM tools consolidate data through dashboards:
• Overall compliance level by supplier type
• Tracking of up-to-date or missing evidence
• Alerts awaiting action
• Remediation plans in progress
• Prioritization of actions according to criticality

This gives teams a clear view to arbitrate, document, and report identified third-party risks to management. These reports are automated, generated on demand, and available to all departments within the company, including the purchasing department.

Obtain a budget to automate TPRM

A TPRM approach requires certain minimum prerequisites:
• A dedicated team to monitor and manage third-party risks
• Automated monitoring and reporting tools
• Procedures and documentation to improve internal practices

Many CISOs are embarking on third-party risk management strategies but are struggling to equip themselves with effective, dedicated tools due to a lack of budget. Their time is then spent performing manual tasks rather than managing risks in real time. The use of digital cybersecurity solutions enables you to:
• automate data collection, trigger controls throughout the year, and generate ad hoc reports;
• better anticipate third-party vulnerabilities and reduce the risk of attacks;
• strengthen the company's IT protection and cyber posture;
• improve knowledge of suppliers and refine the choice of service providers on which the company relies.

Board of Cyber solutions to support your TPRM

Board of Cyber supports organizations in assessing and improving their cyber posture. Leveraging artificial intelligence and automation, our SaaS solutions simplify supplier tracking and monitoring. At each stage of the TPRM, Board of Cyber provides the right solutions to manage third-party risk.

Our Trust HQ solution includes a supplier audit module. It enables you to map third parties and create questionnaires to be sent to service providers, all within a SecNumCloud environment. This allows CISOs to standardize their assessments, regardless of the number and type of suppliers, and to communicate with their third parties. This audit is accompanied by mandatory evidence submission so that the company can verify the accuracy of the information provided.

Trust HQ also manages cybersecurity governance. Created by CISOs, it centralizes all cyber rules and practices, thereby avoiding the circulation of Excel files. As a truly practical management tool, Trust HQ ensures compliance with the information systems security policy (PSSI) and regulations such as DORA, NIS2, GDPR, etc. In the event of a discrepancy, the tool proposes a corrective action plan.

In addition, our Security Rating solution helps CISOs be more effective in identifying, rating, and evaluating suppliers across the company and its subsidiaries. Security Rating analyzes the organization's assets without being intrusive and measures the supplier's cyber maturity. Continuous rating allows you to keep a daily eye on the cyber posture of companies through a score from 0 to 1000. As true monitoring tools, the dashboards provide real-time updates on rating changes and trigger alerts in the event of a critical issue. For technical teams, Security Rating offers fine-grained management of third-party risks and triggers remediation actions.
