Cyber Third-Party Risk, Part 1: Aligning Suppliers, Strategy and Risk Appetite

Co-authored by Joanna Harding and Susanne Alfs

Board directors reading about the escalating cyber threat environment will recognise that a significant part of an organisation’s cyber exposure comes through suppliers. At the same time, few organisations can operate without deep supplier integration. Technology providers, cloud platforms, managed service providers, SaaS tools, payment processors, professional advisers and AI services all help organisations operate efficiently and serve customers, patients or members better.

This creates a tension: we want suppliers close enough to enable the business, but not so uncontrolled that their weaknesses become our own.

Too often, cyber third-party risk management, or C-TPRM, is treated primarily as a procurement task. While procurement has an important role, C-TPRM should begin with understanding business dependencies and risk appetite. This is where business-technology collaboration becomes essential for supporting an end-to-end process. Treating supplier assurance as a contract-lifecycle issue is reflected in guidance from the UK National Cyber Security Centre [1], but there is additional guidance in other frameworks.

Once the right partner has been selected, it is often assumed that cyber risk has been assessed and will now be managed as well as can reasonably be expected. However, C-TPRM should be integrated into enterprise risk management. Integration allows those exposures to be assessed against risk appetite, translated into mitigation and escalated through established governance. The National Institute of Standards and Technology (NIST) [2] calls for cyber supply-chain risk to be integrated into wider organisational risk management, while the NIS2 Directive [3] in Europe explicitly includes supply-chain security and supplier relationships within cybersecurity risk-management measures.

The business must start by defining the need and assessing dependency and potential impact. Technology and security teams must also assess systems, access, integration and control exposure. Based on this, functional and non-functional requirements are developed and followed throughout the procurement process, including supplier selection, contracting, monitoring and exit. Procurement and legal can ensure that requirements are translated into commercial and enforceable terms. Risk can re-assess the mitigation of risks introduced by the third party when the supplier exits the organisation.

Continuously monitoring suppliers while they are in service allows for iterative learning and adjustment of risk management. On the exit of a vendor, risk and compliance can assess whether residual exposure remains within appetite and whether regulatory obligations are being met.

Truly integrating C-TPRM into procurement and vendor contract processes helps to reduce shortcut problem-solving and constant escalations, assigns concrete business ownership, triggers risk reviews at renewal or change of vendors or contracts, and links assurance findings to supplier relationships. It is also a critical prerequisite for de-siloing risk information, making it accessible to all involved, and for bringing visibility to the supporting technology necessary to manage third-party governance.

Boards and risk committees seeking stronger integration for management of cyber third-party risk should ask:

  • How do we classify our suppliers? Does the approach reflect business criticality, data access, system connectivity, regulatory relevance, AI involvement and exit difficulty?

  • How do we prevent bypassing of the process? Which controls ensure that all relevant suppliers are correctly managed, including those onboarded through expenses, SaaS use or local purchasing?

  • How is supplier risk checked against our cyber risk appetite? Is this done before onboarding and repeated when the service, contract or dependency materially changes?

  • Are legal protections aligned with supplier risk? Are our standard legal documents aligned with our risk-management approach, including NDAs, DPAs, T&Cs, security schedules, incident obligations, AI-use provisions, and exit rights?

  • How do we monitor material suppliers after onboarding? Does the executive team review control evidence, incidents and service performance?

  • Is the process sufficiently resourced so that it improves resilience without becoming a bottleneck?

The direction of travel is clear: organisations will continue to rely on suppliers (and perhaps grow in dependence) to innovate, scale and serve customers well. That makes C-TPRM a key strategic capability. Integrating it with enterprise risk management helps protect competitive advantage, strengthen cyber resilience and keep supplier decisions aligned with strategy and risk appetite. It also creates the foundation for meaningful assurance and board metrics, the subject of Part 2.

[1] UK National Cyber Security Centre, Supply Chain Cyber Security, 2022, https://www.ncsc.gov.uk/files/Assess-supply-chain-cyber-security.pdf

[2] U.S. Department of Commerce, NIST, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, 2022, https://csrc.nist.gov/pubs/sp/800/161/r1/upd1/final

[3] European Parliament, The NIS 2 Directive, Final Text, 2022, https://www.nis-2-directive.com/NIS_2_Directive_Article_21.html