Third-Party Risk
Third-party risk is the risk your organisation takes on when it depends on external suppliers, partners and service providers. A security breach at a supplier can affect your data, systems and customers just as severely as a breach within your own organisation.
What is third-party risk?
Modern organisations depend on a network of suppliers, cloud services, data processors and partners. Each of these relationships creates a potential risk. If your hosting provider is hit by a cyber attack, your data is at risk. If your payroll provider goes bankrupt, salary payments stop.
Third-party risk is not a theoretical concern. Some of the most high-profile security breaches in recent years were caused by compromised suppliers. The SolarWinds attack in 2020 affected thousands of organisations through a single supplier's software update.
The crucial point is that you cannot outsource your responsibility. Even if you entrust data to a data processor, as a data controller you remain responsible for ensuring the data is adequately protected. Third-party risk management is therefore a central element of your compliance framework.
Types of third-party risk
Third-party risk can take several forms:
- Security risk: The supplier has inadequate security measures that could lead to data breaches, unauthorised access or malware distribution.
- Compliance risk: The supplier does not comply with relevant regulations such as GDPR, and you risk being held jointly responsible.
- Operational risk: The supplier experiences downtime, bankruptcy or service degradation that affects your operations.
- Concentration risk: You are too dependent on a single supplier or a single geographical area, making you vulnerable to isolated incidents.
- Fourth-party risk: Your suppliers have their own subcontractors, and a problem with them can propagate to you.
Effective risk management requires you to address all these dimensions, not just the most obvious one.
Regulatory requirements
GDPR Article 28 requires you to use only data processors that provide sufficient guarantees. You must have a data processing agreement in place and must oversee the processing. Due diligence before entering into a contract is a practical requirement.
NIS2 requires essential and important entities to take supply chain security into account. You must assess your suppliers' security practices and ensure they meet your requirements.
DORA sets the most detailed requirements for financial undertakings. You must have a policy for ICT third-party management, carry out risk assessments of critical suppliers, ensure contractual minimum terms and have exit strategies in place.
ISO 27001 addresses supplier security in Annex A with controls for information security in supplier relationships, including requirements for assessment, monitoring and review of supplier services.
Third-party risk management in practice
Start by mapping all your third parties. Who has access to your data or systems? Who provides critical services? Many organisations are surprised by how many third-party relationships they have.
Classify suppliers by risk level. A cloud provider hosting your customer data is more critical than a supplier of office supplies. Adjust the level of controls according to the classification.
Carry out due diligence before entering into contracts. Assess the supplier's security measures, certifications (do they have an ISMS?), financial stability and regulatory compliance.
Ensure strong contracts. Data processing agreements, SLAs, audit rights and exit clauses are key to managing risk contractually. Without the right to audit your supplier, you have limited visibility.
Monitor on an ongoing basis. Critical suppliers should be assessed annually, and you should have processes in place for responding when a supplier experiences a security breach or a material change in risk level.
Document everything in your supplier register or your record of processing activities. During inspections, you must be able to show that you have assessed and are monitoring your third parties systematically.
Frequently Asked Questions about Third-Party Risk
What is third-party risk?
Third-party risk is the risk that arises when your organisation depends on external parties such as suppliers, cloud services, data processors or partners. If a supplier is hit by a security breach, it can directly affect your organisation and your data.
Who is responsible for third-party risk?
You are. Under GDPR, as a data controller you are responsible for your data processors' processing of personal data. Under NIS2 and DORA, you have a duty to manage risks in your supply chain. Responsibility cannot be outsourced along with the task.
How do you assess third-party risk?
Through due diligence: assess the supplier's security measures, certifications, financial stability and regulatory compliance. Classify suppliers by risk level and adjust the level of controls accordingly.
How often should you assess your suppliers' risks?
Critical suppliers should be assessed annually and whenever there are significant changes. Other suppliers can be assessed at longer intervals depending on the risk level. DORA requires ongoing monitoring of ICT third-party providers.
Related Terms
ICT Third-Party Risk (DORA)
The risks financial entities assume when using ICT service providers. DORA requires contractual guarantees, ongoing monitoring and exit strategies to manage these risks.
Supply Chain Security (NIS2)
NIS2's requirement to assess and manage cybersecurity risks in the supply chain, including IT suppliers and sub-suppliers.
Due Diligence
Due diligence is a systematic investigation of a company, supplier or partner conducted before entering into an agreement to uncover risks and ensure compliance.