Defining Risk Management: Third-Party Risk, Vendor Risk & Supply Chain Risk

By CyberGRX

The recent SolarWinds breach has reminded news organizations, businesses, and leadership teams around the world just how vulnerable we are when one of our third parties is compromised. While the SolarWinds breach is an unfortunate event for everyone affected (and that number is still growing), it is also a good opportunity to review the risk management programs that exist to reduce the likelihood and impact of these kinds of breaches, and to take stock of how your organization's programs measure up.

First, was SolarWinds a third-party breach or a supply chain breach? The answer is both. "Third party" is an umbrella term for all kinds of vendors, suppliers, and partners. So a supply chain vendor like SolarWinds is a third party, just as a cloud provider or a law firm is a third party.

Then what is the difference between third-party risk management and supply chain risk management? Well, there’s a lot to unpack here, and the difference often comes down to the type of third party and/or the type of risk you are evaluating.

Third-Party Risk Management (TPRM)

TPRM is the act of identifying and addressing any type of risk (e.g. financial, fraud, or cyber risk) associated with third-party entities. A third party is any external entity that provides a product or service to you or to your customers, or on which your daily operations depend. Third parties can include partners, consultants, vendors, or suppliers.

Third-Party Cyber Risk Management (TPCRM) 

TPCRM is a subset of TPRM and is the act of identifying and addressing cybersecurity-related risks associated with your third-party entities. SolarWinds is a third-party cyber breach because SolarWinds is a third party to every customer who was exposed, and the exposure put the confidentiality and integrity of those customers' data and systems at risk: the attackers gained a foothold inside customer networks through software the customers trusted.

Vendor Risk Management (VRM)

VRM is the act of identifying and addressing any type of risk that is associated with vendor entities. A vendor is a type of third-party entity that provides a product or service directly to you. All vendors are third parties, but not all third parties are vendors.

Supply Chain Risk Management (SCRM)

SCRM is the act of identifying and addressing supply chain-related risks. A supply chain is the flow of goods and services and may be made up of internal or external (third party) entities. Supply chain risks can include anything from cyber risks and geopolitical risks to disruption risks that can occur via man-made or natural disasters.

Three common types of supply chain attack are compromising commercial software, compromising open source software, and embedding malware during the physical production of technology. The SolarWinds breach is also referred to as a supply chain breach because the malware that enabled the breach of SolarWinds customers was embedded in official, vendor-distributed SolarWinds software updates, so customers were compromised by applying the very updates they were expected to trust. All supply chain attacks are third-party attacks, but not all third-party attacks are supply chain attacks.

Reducing your chance of a third-party (or supply chain) breach

In order to reduce your chances of suffering a third-party or supply chain breach, collaborate with your critical third parties to review their cyber risk profile. Many organizations have thousands of third parties, so assessing each one is a Sisyphean task. We recommend prioritizing your third-party portfolio based on each third party's inherent risk, which is the risk it poses before taking into consideration the security controls it has in place (for example, what data it handles, what access it has to your environment, and how critical it is to your operations). Then you can focus on the third parties that present the most inherent risk and assess whether they have the security controls in place to mitigate it; the risk that remains after accounting for those controls is the residual risk.
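One way to put this prioritization into practice, shown here as an added example and not CyberGRX's own scoring model: score inherent risk purely from what a third party is and touches, tier the portfolio on that score, queue only the higher tiers for a control assessment, and compute residual risk for the ones that have been assessed. The factor scales, weights, tier thresholds, expected control list and the four sample third parties are all constructed assumptions for illustration.

```python
"""Inherent-risk tiering for a third-party portfolio (illustrative example).

Inherent risk is scored from exposure factors only (data sensitivity,
access level, operational criticality, integration breadth) and
deliberately ignores any controls the third party runs. Residual risk is
then inherent risk scaled by the share of expected controls that the
assessment found missing. Weights, thresholds and the sample portfolio
are assumptions, not an industry standard.
"""
from dataclasses import dataclass, field

# Ordinal factor levels mapped to a 0..4 scale (assumed scale).
DATA_SENSITIVITY = {"public": 0, "internal": 1, "confidential": 3, "regulated": 4}
ACCESS_LEVEL = {"none": 0, "portal_user": 1, "api_read": 2,
                "network": 3, "privileged_software": 4}
CRITICALITY = {"low": 0, "moderate": 2, "high": 3, "mission_critical": 4}

# Integer weights summing to 100, so the weighted sum ranges 0..400 and
# integer division by 4 yields a 0..100 score with no floating-point drift.
WEIGHTS = {"data": 35, "access": 35, "criticality": 20, "reach": 10}

# Controls we expect a tier 1/2 third party to evidence (assumed list).
EXPECTED_CONTROLS = ["mfa_admin", "signed_releases", "build_integrity",
                     "vuln_mgmt_sla", "incident_notification"]


@dataclass
class ThirdParty:
    name: str
    data: str            # key into DATA_SENSITIVITY
    access: str          # key into ACCESS_LEVEL
    criticality: str     # key into CRITICALITY
    systems_touched: int  # number of our systems it integrates with
    # control id -> evidenced? Empty means "not yet assessed".
    assessed_controls: dict = field(default_factory=dict)


def inherent_risk(tp: ThirdParty) -> int:
    """0..100 score from exposure factors only; controls are ignored by design."""
    reach = min(tp.systems_touched, 4)  # cap breadth so one sprawling integration cannot dominate
    weighted = (WEIGHTS["data"] * DATA_SENSITIVITY[tp.data]
                + WEIGHTS["access"] * ACCESS_LEVEL[tp.access]
                + WEIGHTS["criticality"] * CRITICALITY[tp.criticality]
                + WEIGHTS["reach"] * reach)
    return weighted // 4


def tier(score: int) -> int:
    """Assumed tier cut-offs; tune them to your own portfolio's distribution."""
    if score >= 70:
        return 1
    if score >= 40:
        return 2
    return 3


def residual_risk(tp: ThirdParty):
    """Inherent risk scaled by the fraction of expected controls not evidenced.
    Returns None when the third party has not been assessed at all."""
    if not tp.assessed_controls:
        return None
    missing = sum(1 for c in EXPECTED_CONTROLS if not tp.assessed_controls.get(c, False))
    return inherent_risk(tp) * missing // len(EXPECTED_CONTROLS)


def prioritize(portfolio):
    """(name, inherent score, tier) tuples, riskiest first."""
    ranked = [(tp.name, inherent_risk(tp), tier(inherent_risk(tp))) for tp in portfolio]
    return sorted(ranked, key=lambda r: -r[1])


def assessment_queue(portfolio):
    """Names of tier 1 and tier 2 third parties that still have no control assessment."""
    return [name for name, score, t in prioritize(portfolio)
            if t <= 2 and not next(tp for tp in portfolio if tp.name == name).assessed_controls]


# Constructed sample portfolio; the first entry has already been assessed.
SAMPLE_PORTFOLIO = [
    ThirdParty("network-monitoring vendor", "confidential", "privileged_software", "high", 12,
               assessed_controls={"mfa_admin": True, "signed_releases": True,
                                  "build_integrity": False, "vuln_mgmt_sla": True,
                                  "incident_notification": False}),
    ThirdParty("payroll processor", "regulated", "api_read", "high", 2),
    ThirdParty("outside counsel", "confidential", "portal_user", "moderate", 1),
    ThirdParty("office catering", "public", "none", "low", 0),
]

if __name__ == "__main__":
    for name, score, t in prioritize(SAMPLE_PORTFOLIO):
        print(f"tier {t}  inherent {score:3d}  {name}")
    print("to assess next:", assessment_queue(SAMPLE_PORTFOLIO))
```

The vendor that ships privileged software into many of our systems ranks highest on inherent risk even though it has already evidenced most of the expected controls; its residual score reflects the two controls it is missing, which is what the follow-up conversation with that vendor should be about. The unassessed tier 1 and tier 2 third parties land in the assessment queue, while the caterer is never assessed at all.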

There are a variety of methods to do this today, but as third-party ecosystems continue to grow, it is critical that you find a scalable and repeatable approach that can keep up. We believe the best way to do this is to move away from siloed, bespoke, and static approaches, such as traditional spreadsheet-based questionnaires that go stale as soon as they are returned, and to begin using a standardized data set that can be shared and kept current via a dynamic exchange.

Standardized data allows a third party to share one assessment with multiple customers, so it can spend more time securing its customers' data and less time filling in assessments. A 2018 study found that third parties were spending an average of 14,000 hours a year filling in assessments; that is a lot of time that could be better spent patching and addressing potential security issues such as supply chain vulnerabilities.
