Security Program & Risk · Jun 16, 2026 · 11 min read

Vendor risk management (third-party risk)

Your security is only as strong as your vendors' security. Here is why third-party risk keeps growing, and how to manage it before a partner's weakness becomes yours.

A company can invest heavily in its own security, but if a vendor has access to its data or systems, the vendor's weakness becomes the company's weakness. More and more attacks do not hit the target directly. They come through the chain: through a software provider, an outsourced IT firm, an accountant, or any partner with access. That is why vendor risk management, also called third-party risk, is now a necessary part of security. This post explains why, and how to manage it.

This is part of our security program overview. We run vendor risk management through governance, risk, and compliance.

Why vendor risk keeps growing

A modern company relies on dozens of external services: cloud, software, outsourced IT, payment systems, marketing tools. Each one can have access to data or systems. Attackers have noticed. Instead of attacking a well-defended target directly, they attack a less-defended vendor and come in through it. One compromised provider can hit all of its clients at once.

What vendor risk management covers

The goal is to make the risk that enters through partners known and controlled, not invisible.

  1. Inventory your vendors
     Know who has access to your data and systems, and how critical each one is.
  2. Assess the risk
     Rate each vendor's security in proportion to how important they are to you.
  3. Fix it in the contract
     Agree on security obligations, incident reporting, and the right to verify.
  4. Limit access
     Give each vendor only the access they actually need, and no more.
  5. Monitor over time
     Vendor risk is not a one-off. Review it regularly.

Assessment in proportion to importance

Not every vendor needs the same attention. A provider that processes your personal data or has access to critical systems calls for a thorough assessment and clear contractual obligations. A vendor with no access to sensitive data needs less. Effort should be directed in proportion to how much a vendor's failure would hurt, which follows from your risk assessment.

Supply-chain risk management is an explicit regulatory requirement. NIS2 requires in-scope entities to manage the security of their suppliers, and DORA sets detailed requirements on the risk of third-party ICT service providers for the financial sector. This is no longer optional. It also fits the broader discipline of risk management.

How Raptoric helps

We help inventory and assess your vendors, set security obligations in contracts, and monitor the risk over time, through governance, risk, and compliance. Book a scoping call.

Frequently asked questions

What is vendor risk?
It is the risk that enters a company through partners that have access to its data or systems. If a vendor has weak security, its weakness becomes yours, especially if an attacker comes in through it.

Should we assess all vendors equally?
No. Effort should be proportional to importance: a vendor with access to sensitive data or critical systems calls for a thorough assessment, while those without such access need less. The priority follows from your risk assessment.

Why do security clauses in the contract matter?
Because a contract with no security terms leaves you with no leverage if the vendor suffers an incident. Without an agreed reporting obligation, you will not learn in time that your data has been compromised. These terms are worth agreeing before a problem arises.

Do regulations require vendor risk management?
Yes. NIS2 requires managing the security of suppliers, and DORA sets detailed requirements on the risk of third-party ICT service providers for the financial sector. Supply-chain risk management is no longer optional.
