Cybersecurity In-Depth

The Edge

Any Advice for Assessing Third-Party Risk?

Here are five tips about what not to do when assessing the cyber-risk introduced by a third-party supplier.

Question: What are some important points to consider when looking to improve my third-party risk assessment function?

Josh Goldfarb, independent consultant: Most businesses work closely with and rely on third parties, suppliers, and vendors to help them accomplish their business objectives — but while third parties can provide many benefits to a business, they can also introduce risk.

So it’s important to holistically assess your third-party risk regularly. You should begin by prioritizing your risks and tailoring your third-party risk assessments accordingly. 

Here are a few things you should not do: 

  • Don't be afraid to have multiple questionnaires: Assign risk assessment questionnaires to each party based upon the size, type, criticality, and data sensitivity for each vendor.
  • Don't trust the answers you get: Leverage technology to verify and validate responses and to check that required controls are actually in place.
  • Don't end the process at the assessment phase: Build a work program for each vendor to bring them in line with your expectations.
  • Don't forget to measure: Each assessment should result in a tangible risk score that you can use to assess your exposure across individual vendors, various different segments of the supply chain, and the supply chain as a whole.
  • Don't stagnate: Remember to continually review your third-party risk assessment function amid evolving priorities, identify weak spots, and work to strengthen and improve them.

What do you advise? Let us know in the Comments section, below.

Do you have questions you'd like answered? Send them to [email protected].