Vendor vulnerabilities: Understanding third-party risk management

As businesses increasingly rely on third parties for essential services, strengthening vendor risk management practices has become critical to remaining resilient against cyber threats.

By Matthew Jennings, Deputy CISO and Director of Cybersecurity Operations at Huntington National Bank

Key takeaways

  1. Centralizing third-party vendor management can assist organizations in understanding which agreements exist and what data is being shared with third parties.
  2. Building a strong incident response plan that specifically addresses third-party incidents can allow organizations to swiftly react to data breaches.
  3. Establishing a third-party risk management function or dedicated team can ensure consistency across the organization and enhance protections against risk.

Imagine discovering that one of your vendors has suffered a massive data breach. Suddenly, despite the cybersecurity measures you have in place to protect against threats, your company is exposed. Your confidential information is now potentially in the hands of threat actors. While this situation might not have happened to your organization yet, it is frighteningly common.

Businesses increasingly rely on third parties for essential services, from cloud storage and data processing to customer relationship management. As the number of relationships grows, the boundaries of an organization’s secure environments extend, creating new points of entry for threat actors. In 2023, reported breaches involving a third party were up 68% from the year prior.

The answer is not necessarily to eliminate all reliance on third-party vendors. Instead, companies should endeavor to understand their third-party risks, strengthen risk management practices to build resiliency, and establish a sustainable third-party risk management framework. This article provides an overview of third-party risk management, of proactively protecting against incidents, and of best practices to mitigate risk.

How third-party risk impacts businesses

Third-party risk refers to the potential disruptions, losses, and security vulnerabilities that arise from outsourcing business operations to external entities. These entities include vendors, service providers, or suppliers that have access to your data, systems, or processes.

Data responsibility represents one such third-party risk: when your company shares data with third parties, you retain responsibility for its security. If a vendor experiences a data breach that exposes a company’s data, that company must still comply with government and state law, and may face repercussions under industry regulations.

It’s important to note that cybersecurity risk associated with third parties isn’t limited to your vendors. Secondary entities, meaning the vendors your primary vendor relies on (i.e., fourth and fifth parties), also present risk. If one of those secondary entities suffers a security breach, it could unexpectedly introduce risk into your environment.

Building resiliency through third-party risk management

Third-party risk management begins with understanding the vendor landscape within the organization, a challenging task. Often, companies have multiple contracts with multiple vendors, sometimes even multiple contracts with the same vendor, making it difficult to truly understand what information is being released.

Though not easy, organizations should consider prioritizing a centralized vendor management system. A unified system that brings together vendor-related information and controls allows companies to see a full picture of their third-party relationships and what data is being sent to them.

Other components of a third-party risk management program include, but are not limited to:

  • Role-based access controls to limit vendor access to only required data and systems.
  • Standardized procedures for creating, approving, and managing vendor contracts.
  • Vendor assessment processes to verify the vendor’s overall health and security posture, including its cybersecurity practices.
  • Continuous monitoring and reassessment of existing vendor relationships.
  • Strict guidelines for vendors to dispose of data, credentials, and other sensitive information after a relationship has ended.

The role of incident response plans in third-party risk management

When cybersecurity incidents inevitably occur with a vendor, how a company responds is crucial. An incident response plan, part of a broader business continuity strategy, can help guide an organization’s response to third-party breaches.

The top four considerations for creating your incident response plan:

  1. Clearly define the roles, responsibilities, and procedures for handling third-party security incidents.
  2. Outline specific steps to isolate breaches and mitigate damage, focusing on quickly containing any security lapses or vulnerabilities.
  3. Involve stakeholders across the organization, including IT, executive leaders, and communication teams, in developing, approving, and practicing this plan.
  4. Update the plan regularly. The cybersecurity threat landscape is constantly evolving, so an organization’s incident response plan should be revised to address new threats and incorporate lessons learned from past incidents.

These plans should not be static. Best practice includes conducting regular tabletop exercises with all stakeholders that simulate vendor security breaches to test responses. The Cybersecurity & Infrastructure Security Agency (CISA) offers tabletop exercise packages for a wide range of threat scenarios. After each exercise, use insights gained to refine the incident response strategies.

Best practices for mitigating third-party risk

Employee training and awareness

Employees play a critical role in maintaining cybersecurity. Last year, 68% of reported breaches involved the “human element”. Provide training to educate employees about the risks associated with third-party vendors and their role in preventing and responding to security events.

Third-party security audits

Schedule periodic security audits to evaluate the cybersecurity measures of third-party vendors, then use the results to identify and address discrepancies or vulnerabilities.

Vulnerability management

Threat actors can exploit vulnerabilities, or security weaknesses, in networks, software, operating systems, and equipment – and they do, often. Breaches caused by vulnerability exploitation rose by 180% from 2022 to 2023§. Managing vulnerabilities is one way organizations can help prevent malicious access through compromised vendor software or systems.

Regulatory compliance

Ensure your company and its vendors adhere strictly to applicable regulations to avoid legal and reputational risks, especially if your organization is beholden to additional regulatory standards.

Dedicated third-party management team

Establishing a dedicated third-party risk management program or team can further help organizations centralize oversight of vendor, supplier, and other third-party relationships. Bringing this responsibility into one place can help enhance the effectiveness of risk management strategies and ensure compliance with security standards.

Managing risk from vendors, suppliers, and other third parties

Businesses will continue to rely on third parties to access specialized expertise, reduce costs, and enhance efficiencies. As this reliance grows, so do the risks associated with it. However, organizations can mitigate risks by holding their vendors to the same security standards they follow, building a strong incident response plan, and dedicating a team to protecting against threats.

Huntington can support you with the insights, resources, and expertise needed to develop a strong cybersecurity and fraud prevention strategy. Explore our cybersecurity and fraud resources, then contact your relationship manager to learn how Huntington can help you protect your employees and your business.


Verizon. 2024. “2024 Data Breach Investigations Report.” Accessed May 16, 2024.

§ Verizon. 2024. “2024 Data Breach Investigations Report.”
