How to address third-party risk to ensure business resiliency
Identifying third-party risks, determining risk controls and treating third parties as allies are some of the ways to address the risks associated with third-party transactions and business engagements
Businesses today operate in an uncertain world with a wide range of risks beyond just cyber security, especially geopolitical and financial. Yet, security and risk management leaders in Australia are expected to ensure the integrity of mission-critical operations without exception, at all times.
Just like death and taxes, it’s inevitable that some of the third parties that organisations engage with will experience some form of risk or incident. It’s never been more critical for security and risk leaders to address emerging third-party risks and establish effective controls to build a resilient third-party ecosystem and avoid business disruption.
The problem is that it can be very difficult to identify risks just by looking at the surface. What lies underneath? An independent assessment helps, but the risks an organisation should be worried about depend on how much it relies on the third party and on its own risk appetite. That appetite is largely determined by the countries, laws and regulations the organisation operates under, as well as by industry norms.
By 2025, Gartner predicts 60% of organisations will use cyber security risk as a significant determinant in conducting third-party transactions and business engagements. Many cyber security programs, however, take a one-size-fits-all approach to third-party risk assessment, resulting in an ineffective, tiresome process that typically leads to risk acceptance, not risk mitigation.
This quickly leads to frustration because the prevailing assessment process is flawed, and there’s no guarantee that a detailed assessment will protect organisations from the risk of a third-party cyber security breach.
The Australian Securities & Investments Commission has called for greater organisational vigilance to combat cyber threats, highlighting an ‘alarming’ gap in the oversight of cyber security risk throughout the organisation’s supply chain. This was after finding 44% of organisations weren’t managing third-party or supply chain risks.
To tackle this gap, organisations will increasingly be under legal or regulatory obligations. Critical infrastructure organisations, for example, will be required to meet cyber security risk management obligations by 18 August this year, including identifying and minimising supply chain hazards under Australia’s Security of Critical Infrastructure Act 2018 (the SOCI Act). There’s also the Australian Prudential Regulation Authority's new prudential standard CPS 230, which is due to come into force for the Australian financial services industry on 1 July 2025.
These regulations help organisations determine the acceptable tolerance levels for a disruption to the business in terms of time, data loss and minimum service levels. This guides organisations in understanding what controls they need, what should be in their contracts and what is needed in business continuity plans.
Identify the risks that matter
There are many third-party risks affecting IT departments today, spanning corruption, data privacy, sustainability, financial and geographic risk, operational continuity, performance, regulatory compliance, cyber security and vendor strategy.
Currently, the three most topical risks are cyber security and data privacy, because of the consequences and liability associated with breaches, and operational continuity, because ransomware attacks are increasing in frequency.
The key challenge here is that security leaders are seldom, if ever, responsible for all these risk domains, which is why they need to engage the business and relevant stakeholders. This involves mapping business risk owners to each risk domain, so responsibility doesn’t lie solely with security teams.
By working closely with other third-party risk functions to redirect responsibility for non-cyber security third-party considerations, organisations realise an 18% improvement in effectiveness, according to a 2023 Gartner survey.
Determine risk controls
Effective risk management needs to focus on controls that will mitigate risk in the supply chain ecosystem. There will be different controls for different types of third parties – for example, SaaS (software-as-a-service) vendors with access to corporate data will require a different set of controls in comparison to an on-site services provider or hardware vendor.
Organisations will need to implement some of these controls themselves, while other controls will be the responsibility of the third party. Some controls might be mutual, such as a contingency plan with a third party, which can result in a 43% improvement in risk management effectiveness, according to Gartner research.
Once any mutual contingency plans are in place, focus on strengthening them for third-party engagements that pose the highest cyber security risk. Create third-party-specific incident playbooks, conduct tabletop exercises and define a clear offboarding strategy involving timely revocation of access and destruction of data.
Treat third parties as allies
Think of critical third parties as allies: the engagement strategy must shift from policing to partnering. This will ensure the enterprise’s most valuable assets that third parties come into contact with – material data, networks and business processes – are continuously safeguarded.
Building mutually beneficial relationships promotes greater transparency, facilitates the implementation of controls by third parties and improves collaboration in the event of cyber security incidents.
In a hyperconnected environment, third-party supplier risk is also the organisation’s risk. It’s important to help them mature, so they can safeguard the enterprise better.
It’s also important to monitor internal information and, if necessary, implement additional controls to protect the organisation’s environment in response to your observations.
Luke Ellery is vice-president analyst at Gartner