Addressing Third-Party Risk in Periods of (Rapid) Change

Addressing Third-Party Risk in Periods of (Rapid) Change

Your extended risk ecosystem supports your overall goals, but as the organization evolves, the risk due to third-party partnerships typically increases. Progressive Risk teams evaluate the impact these changes exert on their risk profile, and specifically, on the third-party risk management program.


As the world becomes more interconnected through technology adoption, organizations are relying on a dramatically increasing number of third parties. Accounting and payroll, manufacturing, supply chains, HR/benefits and a variety of other third parties all have access to sensitive data, whether it’s personnel (and personal) information, research and development data, sales data, etc. This extended ecosystem supports your overall goals, but as the organization evolves the risk due to these partnerships almost always increases. Progressive Risk teams evaluate the impact these changes exert on their risk profile, and specifically, on the third-party risk management program.


As your organization grows and changes, your third parties are also affected. Changes could be as minimal as switching benefits providers or as drastic as an entire workforce beginning to operate remotely, as we’re seeing with the COVID pandemic.


When developing a third-party risk management (TPRM) program, you’re classifying based on the information they have access to, how they access it and how they handle it. This review helps determine the risks related to the partnership. You’re also putting in place a communication strategy to manage risk effectively. Contracts should include clauses regarding audits, including frequency. Reviews and audits should comprise an iterative process validating that the checks and controls you put in place are meeting all applicable regulations and legal obligations, such as GDPR, CCPA, HIPAA, etc.


Regardless of your risk management program’s maturity level, it’s essential to understand the changes to your risk profile when changes take place. A clear understanding of your organization’s most important information is critical to maintaining a strong risk posture, and an evaluation of your program and contracts may suggest updates to those contracts, or perhaps even to the third parties themselves.


Consider the current pandemic, for example. If you’re like a lot of organizations many of your employees began working remotely (in some cases, up to 100%). Your third parties were, or are, navigating the same process. An operational review may make clear the sense of investing in, and requiring the use of new technologies such as multi-factor authentication (MFA), not only for your own employees but for employees of third parties connecting to your infrastructure to gather, analyze and act on data.


To help optimize your risk profile during periods of (rapid) change:


  • Evaluate the impact of change on your risk program. Understand new data flows and re-assess risk based on new operational modes.
  • Ensure you’re continuing to meet meet compliance requirements.
  • Readdress third-party classifications and evaluate contractual obligations.
  • Develop or update triage processes.
  • Enact auditing procedures for third parties, beginning with those that are highly classified.


All risks can be amplified by the complexity of vendor relationships and the difficulty of integrating them into your environment. As you add partners, networks, and systems, your level of general cyber risk gets compounded. Faced with ongoing changes, third parties may or may not understand how they’re handling the day-to-day information sharing and whether or not they’re meeting their obligations. It’s important to assess their ability to manage your data.


To learn more about how third-party relationships can adversely affect your risk posture during periods of change and how to minimize that risk, we invite you to join Dustin Owens, Optiv’s VP and GM of Risk Management, at Virtual OptivCon on September 17. “Managing Third Party Risk in Turbulent Times” promises to be illuminating.

Brian Golumbeck
Executive Director, Risk Transformation Risk and Compliance Advisory Services | Optiv
Brian Golumbeck is a Practice Director within Optiv Risk Management and Transformation Advisory Services Practice. He has a history of leading challenging projects and building dynamic high impact teams. Mr. Golumbeck’s 25+ years working in Information Technology, include 20+ years as an information security professional. Brian is a Certified Information Systems Security Professional (CISSP), Certified in Risk and Information Systems Controls (CRISC), Certified Information Security Manager (CISM), Certificate of Cloud Security Knowledge (CCSK), EXIN/ITSMf ITIL Foundations, and Lean Six Sigma – Greenbelt.