Blindspot Third-Party Risk Management - What CISOs and CROs Need to Know
- Reto Zeidler
- May 29
Third-Party Risk Management (TPRM) has become critical as supply chain attacks surge by 431% since 2021. The 2024 CrowdStrike incident demonstrated how a single software update can cause over $5 billion in damages across thousands of organizations worldwide. Meanwhile, BlueVoyant's research reveals 81% of organizations reported negative impacts from supply chain breaches in the past year, highlighting the urgent need for robust TPRM strategies.
Third-Party and Supply Chain Risks Are Too Often Overlooked
Recent reports paint a concerning picture of TPRM readiness across Europe. In the UK, 95% of C-level executives responsible for supply chain cybersecurity reported being negatively impacted by breaches within their supply chain, significantly higher than the global average of 81%. Nearly two-thirds of UK respondents admitted that third-party cybersecurity risk management is either not a priority or only somewhat of a priority.
In the Philippines, 84% of organizations reported an average of 3.13 supply chain breaches impacting operations in 2024, with 32% having no way to detect cybersecurity incidents within their supply chains. The manufacturing sector emerges as particularly vulnerable, with cyber risk scores 11.7% below the global average.
The regulatory landscape is evolving rapidly to address these concerns. The EU's NIS2 Directive and DORA Regulation now mandate rigorous third-party risk management. DORA specifically requires financial entities to conduct thorough assessments of ICT third-party providers, while NIS2 expands cybersecurity requirements across critical sectors, requiring organizations to review contracts with ICT suppliers and implement regular audits.
Adopting Third Party Risk Management Strategies
The primary objectives of TPRM are to identify, analyze, and mitigate risks associated with third parties throughout their lifecycle. Effective TPRM enables organizations to maintain visibility across their supply chain, ensure regulatory compliance, protect sensitive data, and maintain business continuity despite third-party incidents. As supply chains grow more complex and interdependent, managed security service providers (MSSPs) bring value through continuous oversight and assessment.
Key Pillars of TPRM Best Practices:
Comprehensive Vendor Assessment
Implement rigorous pre-onboarding assessments and ongoing monitoring of all vendors. Organizations should classify vendors based on criticality and data access.
Continuous Monitoring and Visibility
Deploy solutions for real-time monitoring of third-party security postures. Continuous monitoring enables early detection of vulnerabilities and threats, replacing traditional annual or biannual assessments with dynamic oversight.
Standardized Risk Assessment Framework
Adopt consistent methodologies for evaluating third-party risks. Standardization helps overcome the challenge of varied questionnaires and controls, enabling more efficient risk management across different vendor relationships.
Collaborative Remediation Process
Engage directly with vendors throughout the remediation process. The percentage of organizations actively working with suppliers on remediation increased from 19% to 36% in 2024, showing positive industry movement.
Executive Reporting and Governance
Establish regular reporting to senior leadership on third-party risks. Despite its importance, only 19% of organizations regularly report TPRM metrics to executives, down from 44% in 2023.
Consider AI-Enhanced Assessment Capabilities
Leverage AI tools to accelerate vendor risk assessments. Solutions like Bitsight's "Instant Insights" can analyze complex documents like SOC 2 reports in seconds, dramatically reducing manual review time.
Challenges in Third Party Risk Management Adoption
CISOs face significant hurdles when implementing robust TPRM programs. One major challenge is the sheer scale of modern supply chains: 80% of organizations with 1,000-5,000 employees engage with between 501 and 10,000 third-party suppliers. This volume makes comprehensive monitoring extremely difficult, especially when most organizations assess only their critical suppliers, and only biannually.
Resource constraints present another obstacle. Despite 86% of organizations reporting increased TPRM budgets, many security teams lack the specialized expertise needed to effectively manage third-party risks. This is particularly evident in the healthcare sector, where 36% of organizations report having no means to detect threats in third parties.
Communication barriers between security teams and boards further complicate TPRM adoption. The UK's National Cyber Security Centre found that many CISOs struggle to effectively communicate technical risks to board members, leading to uncertainty about accountability for cyber risk. This communication gap often results in insufficient executive support for TPRM initiatives.
Additionally, the fragmented cybersecurity market offers many point solutions but little capability to unify them into comprehensive risk management. Cybersecurity decisions are frequently based on disjointed data points from various cyber scores, local assessments, and questionnaires, without a sufficient end-to-end view of risk.
Conclusion
A robust TPRM program delivers significant benefits across industries. For manufacturing, which faces the highest vulnerability with risk scores 11.7% below average, effective TPRM can prevent operational disruptions and protect intellectual property. In financial services, TPRM helps meet DORA compliance requirements while safeguarding against financial losses. Healthcare organizations can protect patient data and maintain critical services. Maritime companies can secure increasingly digitalized operations. By implementing comprehensive TPRM, organizations across all sectors can reduce breach likelihood, maintain regulatory compliance, protect reputation, and ensure business continuity.
