How to Perform a Third-Party Risk Assessment in 2024

A Third-Party risk assessment is a critical component of a Third-Party Risk Management program. Without understanding how to properly execute these assessments, the efficiency of your TPRM program will remain limited.

This post provides a detailed six-step guide for performing third-party risk assessments in cybersecurity.

Where does a third-party risk assessment fit in the TPRM lifecycle?

Third-party risk assessments uncover potential security risks from third-party vendors and external parties. This critical requirement continues throughout the entire TPRM lifecycle, with varying applicability across its three primary stages:

1. Vendor Onboarding: A high-level third-party risk assessment is conducted at the onboarding stage, with the primary objective of determining whether a new vendor’s risk profile fits within the company’s defined third-party risk appetite.
2. Ongoing Monitoring: Once onboarded, third-party vendors undergo periodic vendor risk assessments to track regulatory compliance efforts and ensure new risks are promptly detected and managed throughout each vendor lifecycle. Critical vendors, those processing highly sensitive internal data, undergo the most detailed degree of vendor assessments during the ongoing monitoring phase.
3. Offboarding: Third-party risk assessments uncover residual supplier risks of terminating vendor relationships. They are also helpful for finding new cyber risks when renewing

Critical third-party vendors must be prioritized in risk assessment programs since their potential cybersecurity risks are more likely to be exploited in cyber attacks.

Full risk assessment vs. partial risk assessment

The scope of a third-party risk assessment depends on the level of criticality of the third-party vendor being investigated. For example, third parties requiring access to sensitive data or those integral to supporting your promised service levels to clients must undergo a higher degree of attack vector investigation.

Such third-party vendors (classified as “Critical” or “High-Risk” in a Vendor Risk Management program) require a full risk assessment, one involving security questionnaires mapping to applicable cybersecurity standards.

For all remaining third-party vendors not requiring access to sensitive regions of your IT ecosystem - those classified as “low-risk” - ongoing monitoring of automated attack surface scanning results will likely be a sufficient form of a risk assessment, also known as a partial risk assessment.

Full risk assessments apply to high-risk vendors and involve security questionnaires. Partial risk assessments apply to low-risk vendors with a degree of risk exposure that can be sufficiently tracked with automated risk scanning results.

Difference between a third-party risk assessment and a security questionnaire

A third-party risk assessment comprehensively evaluates the potential risks associated with each third-party vendor. Multiple data sources are referenced to form a complete picture of a vendor’s risk profile through a risk assessment.

A third-party risk assessment gathers risk insights across the following risk categories:

1. Operational Risk: The level of risk a third-party vendor poses to the availability of an organization’s operations.
2. Cybersecurity Risk: Any third-party risk impacting the safety and integrity of an organization’s sensitive data.
3. Compliance Risk: Vendor-related risks threatening alignment with regulatory standards.
4. Financial Risk: Risks originating from vendors that could result in financial issues. These could stem from third-party operational risks and even data breach risks, which could have significant financial consequences—an impact that could be estimated through a process known as Cyber Risk Quantification.
5. Reputational Risk: Any threats of reputational damage due to vendor behavior, such as questionable leadership decisions and data breaches.
6. Geographic Risk: Any risks associated with a vendor’s location or the location of their data servers.

Security questionnaires are a specific tool within the risk assessment process. They are used to create a gap analysis between a vendor’s security posture and any regulatory requirements or cybersecurity frameworks they need to align with.

Some popular industry standards security questionnaires could map to include:

• NIST Cyber Security Framework (NIST CSF)
• Payment Card Industry Data Security Standard (PCI DSS)
• General Data Protection Regulation (GDPR)
• Sarbanes-Oxley Act (SOX)
• Federal Information Security Management Act (FISMA)
• California Consumer Privacy Act (CCPA)

• Gramm-Leach-Bliley Act (GLBA)
• SOC 2
• ISO 27001

For more questionnaire template examples, see the list of questionnaires available on the UpGuard platform.

Third-party risk assessments are broad and comprehensive, covering multiple dimensions of risk. Security questionnaires collect information about specific security practices and regulatory compliance efforts.

6-step guide to completing third-party risk assessments

The following six-step guide will help you design the most comprehensive third-party risk assessment process.

Step 1: Identify your “critical” third-party vendors

Every third-party risk assessment process must prioritize critical third-party vendors. Ideally, these vendors should have been already flagged as critical during onboarding.

If you haven’t yet segregated your critical third-party vendors, there are two primary methods of identifying them: relationship questionnaires and superficial attack surface scanning. Both methods encompass the risk assessment process undertaken during the onboarding stage of the TPRM workflow.

Relationshp questionnarie

A relationship questionnaire gathers high-level intelligence about a vendor’s services, data security, and data handling practices.

Here’s a very simplified example of some of the information a relationship questionnaire could cover:

• Vendor Name: ______________________
• Description of Services Provided:: ______________________
• Types of Data Accessed:
  • Customer Data [ ]
  • Financial Data [ ]
  • Health Information [ ]
  • Intellectual Property [ ]
  • Operational Criticality:
  • High [ ]
  • Medium [ ]
  • Low [ ]
  • GDPR [ ]
  • HIPAA [ ]
  • PCI-DSS [ ]
  • No [ ]
  • Yes [ ]
    • If Yes, please provide details: ______________________

    Superficial attack surface scanning

    Superficial attack surface scanning, performed during due diligence and onboarding, uncovers likely security risks associated with all domains in a vendor’s attack surface.

    

    This practice is the first stage of a complete cybersecurity discipline known as Attack Surface Management.

    Watch this video for an overview of Attack Surface Management:

    

    Here’s an example 4-stage framework governing a vendor tiering strategy:

    • Access to Sensitive Data: Does the vendor have access to personal, financial, or proprietary data?
    • Business Continuity Impact: How critical is the vendor’s service to the continuity of your operations?
    • Regulatory Compliance: Is the vendor subject to stringent regulatory requirements (e.g., GDPR, HIPAA)?
    • Financial Stability: What is the financial health of the vendor?

    Here is an example of a completed vendor tiering strategy, with overviews explaining the reasons for each tiering decision.

    • Tier 1 (Critical Vendors):some text
      • Vendor A: Handles sensitive financial data, which is crucial for payment processing. Subject to PCI DSS.
      • Vendor B: Provides critical IT infrastructure services. Significant impact on business continuity.
      • Vendor C: Provides marketing services with access to non-sensitive customer data. Subject to GDPR.
      • Vendor D: Supplies office equipment. Moderate impact on operations.
      • Vendor E: Provides janitorial services. Minimal impact on business continuity and no access to sensitive data.
      • Vendor F: Supplies office stationery. Low risk and minimal impact.

      Step 3: Determine which regulations apply to each third-party vendor

      In the next step, the focus for critical vendors narrows to the regulatory risk category. Regulatory risks arise from misalignment with regulatory standards, primarily due to poor cybersecurity practices. Compliance with regulations governing your business is directly impacted by the security postures of your vendors, which is why a growing number of regulations are increasing their emphasis on Third-Party Risk Management.

      In addition to any regulations governing your business, your third-party vendors could also be required to comply with regulations in their industry. For example, a vendor handling payment processing must comply with the Payment Card Industry Data Security Standard (PCI DSS).

      Ideally, all of the primary regulations applicable to each third-party vendor will be determined in Step 1 of this process, either via relationship questionnaire submissions or compliance data collected through the Trust Exchange platform. The objective of this step is to ensure that all applicable regulations, whether stemming from the vendor’s industry or your own, are not overlooked.

      All regulations impacting a vendor will determine the set of third-party security questionnaires that must be included in their risk assessment.

      Each applicable regulation is likely to have specific cybersecurity standards that will need to be scrutinized with dedicated questionnaires. For example:

      • PCI DSS Security Questionnaire: For vendors handling payment information, this questionnaire will uncover details about data encryption, access control, and transaction monitoring.
      • GDPR Compliance Questionnaire: For vendors processing personal data of EU citizens, this questionnaire will uncover details about data handling practices, consent mechanisms, and data protection measures.
      • HIPAA Compliance Questionnaire: For healthcare vendors, this questionnaire uncovers issues relating to the protection of Patient Health Information (PHI).

      Step 4: Identify primary risks associated with each third-party vendor

      The risk exposure data gathered up to this point should be sufficient for you to determine the likely risks associated with each vendor and their degree of severity. Remember, this effort doesn’t need to be detailed; the risk assessment performed in the next step should elevate the dimension of cyber risk data to a sufficient level of detail. The purpose of this step is to estimate the likely degree of effort each risk assessment will require.

      Example of a draft third-party vendor risk exposure profile

      Vendor: ABC Corp

      1. Operational Risks:some text
         • Risk: System failure due to outdated infrastructure
         • Likelihood: Medium
         • Impact: High
         • Mitigation: Regular maintenance and upgrades
      2. Financial Risks:some text
         • Risk: Financial instability due to high debt
         • Likelihood: Low
         • Impact: Medium
         • Mitigation: Financial health monitoring
      3. Compliance Risks:some text
         • Risk: Non-compliance with GDPR
         • Likelihood: High
         • Impact: High
         • Mitigation: Regular compliance audits
      4. Data/Privacy Risks:some text
         • Risk: Data breach due to insufficient encryption
         • Likelihood: Medium
         • Impact: High
         • Mitigation: Implementation of robust encryption protocols
      5. Reputational Risks:some text
         • Risk: Negative publicity from a previous breach
         • Likelihood: Low
         • Impact: High
         • Mitigation: PR management and improved security measures
      6. Geographic Risks:some text
         • Risk: Regulatory changes in operating region
         • Likelihood: Medium
         • Impact: Medium
         • Mitigation: Regular monitoring of local regulations
      7. Supply Chain Risks:some text
         • Risk: Disruption due to subcontractor failure
         • Likelihood: Medium
         • Impact: High
         • Mitigation: Vetting and monitoring of subcontractors

      For more examples of high-level vendor risk evaluations in different risk contexts, refer to this post on Vendor Risk Management examples.

      Establishing a draft third-party risk exposure profile informs the level of focus of subsequent risk assessment activities.

      Step 5: Send third-party risk assessments

      Now, you’re ready to send the actual risk assessment. Each risk assessment will include a unique set of questionnaires, depending on the regulatory and industry standards applicable to each third-party vendor.

      For a more detailed overview of what’s included in a risk assessment, refer to this vendor risk assessment example.

      

      Watch this video for an overview of the complete risk assessment workflow.

      Step 6: Collaborate efficiently with third-party vendors to expedite assessment completion

      Inefficient vendor collaboration workflows are among the leading causes of delayed vendor risk assessment, an operational issue that could prolong your exposure to potential third-party breach risks.

      Every third-party risk management strategy should be supported by streamlined vendor collaboration workflows, ideally consolidated within your TPRM solution and not dispersed across multiple email chains.

      Streamline vendor collaboration is one of the key pillars of a foundationally scalable Third-Party Risk Management program.

      Collaboration workflows should cater to all parties involved in service provider security questionnaire completions.

      Third-party vendor collaborations are primarily required during security questionnaire completions when clarification is needed the most.

      Watch this video to learn how UpGuard solves the complex problem of vendor collaboration during questionnaire processes.