Lesson 04intermediateKnowledge

Third Party & Vendor Risk

Your vendors are part of your attack surface. Govern them accordingly.

Overview

A vendor breach that affects your data is your problem too. TPRM is not a procurement checkbox — it is a governance programme with regulatory consequences if it fails. Answer the five questions below at the depth of someone who owns or is accountable for a TPRM programme.

Read before you answer

Third-party and vendor risk management (TPRM) is the governance discipline of identifying, assessing, and managing the risks introduced by organisations that your business depends on or shares data with. The regulatory and contractual drivers are substantial: GDPR requires organisations to ensure that data processors (third parties who process personal data on their behalf) provide sufficient guarantees of appropriate technical and organisational measures; HIPAA's Business Associate Agreement (BAA) requirements mean covered entities must have documented agreements with every vendor that handles PHI; and financial services regulators increasingly treat vendor risk as a first-order governance concern following high-profile supply chain failures. Beyond compliance, the operational reality is that a vendor who suffers a breach, an outage, or a failure of their own controls can cause direct harm to your customers, operations, and reputation.

The TPRM lifecycle has five stages: inventory (knowing what third parties you have and what data or access they hold), tiering (classifying vendors by risk level based on data sensitivity, operational dependency, and access type), assessment (evaluating each vendor's controls against your requirements, proportionate to their risk tier), contracting (embedding security, audit, and notification obligations in vendor agreements), and ongoing monitoring (verifying that controls remain effective over the life of the relationship). Tiering is the mechanism that makes the programme operationally scalable: a low-tier vendor who receives only anonymised marketing data gets a lightweight self-assessment questionnaire; a tier-1 vendor who processes your customers' health records and has access to your production environment gets a full technical assessment, SOC 2 Type II report review, and potentially an on-site audit. Applying the same level of scrutiny to every vendor is neither practical nor necessary.

Contractual controls are what convert a vendor assessment into an enforceable governance commitment. The key contractual provisions for high-risk vendors include: data processing agreements (DPAs) specifying what data can be processed, for what purpose, and under what security requirements; audit rights allowing your organisation to assess the vendor's controls on demand or on a schedule; breach notification obligations requiring the vendor to notify you within a specified timeframe (72 hours is typical for GDPR-covered data); sub-processor approval requirements preventing the vendor from passing your data to fourth parties without consent; and termination for cause provisions triggered by a material breach of security obligations. Ongoing monitoring bridges the gap between point-in-time assessments and the continuous reality of vendor relationships: it includes tracking vendor security ratings services, reviewing annual SOC 2 or ISO 27001 certification renewals, monitoring news for vendor incidents, and conducting periodic re-assessments when vendor scope changes.