Third-Party Security Risk Management
- Ben de la Salle
- 7 days ago
- 3 min read
Third-party risk is a strategic business issue. Organisations are becoming increasingly dependent on external partners, vendors, and cloud services, heightening the potential for disruption, data loss, and regulatory impacts.
Recent high-profile breaches have shown that even the most robust internal controls can be undermined by a vulnerable supplier.
So, what can businesses learn from these events, and how can you strengthen your approach to third-party risk management in today’s evolving landscape?
The Third-Party Risk Landscape in 2025
The third-party risk environment has changed dramatically:
- Complex, interconnected supply chains: Organisations often rely on dozens, if not hundreds, of external vendors, each introducing their own risks.
- Evolving regulations: Frameworks like DORA and UK Operational Resilience demand robust, ongoing supply chain oversight.
- Heightened accountability: Senior leaders and boards are now held responsible for supplier failures, with reputational and financial consequences.
- Real-time threats: Ransomware, data breaches, and service outages frequently originate via third parties, making proactive monitoring and response essential.
Case Study: Ascension, May 2025
In May 2025, Ascension, one of the largest non-profit health systems in the US, experienced multiple data breaches directly linked to third-party vendors. Sensitive patient data was exposed and critical operations were disrupted, all because vulnerabilities in vendor systems went undetected until it was too late. The incident resulted in regulatory scrutiny and reputational damage, highlighting how even well-resourced organisations can be compromised through their supply chain.
Key lessons:
- Even trusted, established vendors can introduce risk if controls and monitoring aren’t ongoing.
- Real-time oversight and regular reassessment of supplier security are essential—not just a one-off tick-box exercise.
- Incident response plans must specifically address third-party breach scenarios, including clear communication channels and contractual obligations.
How to Strengthen Your Third-Party Risk Management
- Robust due diligence: Go beyond basic questionnaires; verify security controls, certifications, and incident history.
- Continuous monitoring: Use automated tools to track vendor compliance, vulnerabilities, and changes in risk profile.
- Integrated response planning: Ensure your incident response and business continuity plans address third-party failures.
- Regular reviews: Schedule periodic reassessment of critical suppliers, including tabletop exercises and scenario planning.
- Collaborative culture: Foster open communication with vendors; security is a shared responsibility.
Checklist: Is Your Third-Party Risk Management Fit for 2025?
- Do you maintain an up-to-date inventory of all third-party vendors?
- Do you categorise your third parties by the risk they present to your business?
- Are you conducting thorough due diligence before onboarding new suppliers?
- Is your monitoring of vendor risk continuous and automated?
- Do your contracts include clear security and incident response obligations?
- Are third-party risks integrated into your wider GRC and resilience programmes?
- Have you tested your incident response with third-party scenarios?
- Are you regularly reviewing and updating your supplier risk assessments and associated due diligence?
If you’ve answered “no” to any of these, it’s time to review your approach.

How ICA Consultancy Supports Clients
At ICA Consultancy, we help clients turn third-party risk into a strategic advantage. Our Guardian GRC360° service provides:
- End-to-end third-party risk management, from onboarding to ongoing oversight
- Automated monitoring and reporting using industry-leading platforms
- Integration with broader GRC, resilience, and compliance programmes
- Practical advice and support from experienced practitioners, not just tick-box assessments
Our approach helps organisations reduce risk, satisfy regulatory requirements, and build trust with clients and partners.
Conclusion
Third-party risk management may seem daunting, but with the right strategy, it doesn’t have to be a vulnerability. By learning from recent incidents and adopting a proactive, integrated approach, your organisation can stay resilient, compliant, and ahead of the curve.
Ready to strengthen your third-party risk management?
Get in touch with ICA Consultancy for a tailored risk assessment or to learn more about how Guardian GRC360° can help safeguard your business.