
Third party IT vendor risk: How to understand, quantify and mitigate it

By Jason Lelio , Justin Paglio and Trixia Apiado | October 22, 2024

Could you be exposed to cyber risk via third party vendors? Get a handle on identifying and managing third party cyber risk before the damage is done.

Third party IT vendors can introduce significant vulnerabilities into your operations. Without a robust and comprehensive risk management approach, you may not know the financial size or the impact of your cyber risk exposures until it is too late.

Some IT vendors present themselves to their supply chain partners as having robust cyber defenses, but in reality those defenses may prove inadequate, leaving your business exposed. The July 2024 CrowdStrike incident showed how a small defect at a third party, in that case a faulty content update pushed to widely deployed endpoint security software, can take down systems at scale and cause significant disruption.

To manage third party IT risks and prevent potentially severe financial losses from cyberattacks, you need to be proactive, disciplined and continually watchful. And, if you don’t have a third party cyber risk management plan, then it’s time you established one.

In this insight, we provide some key steps to understand, quantify and mitigate cyber risks from third party vendors and offer best practice perspectives on developing a robust third party cyber risk management strategy.

How to develop a third party cyber risk management program

When it comes to managing third party risks, your first step is to establish a clear inventory of your third party vendors, especially software vendors, recording which of your systems, data and network segments each one can reach. This visibility is crucial for managing your risks effectively.

Next, evaluate the capabilities and exposures of these vendors. This can be challenging, because it requires you to understand not only your vendors but also their own third party relationships, but it is essential if you want to avoid sleepwalking into unknown risk.

Consider best practice moves such as implementing least privilege policies: grant third parties only the access to your IT systems that they need, scoped to specific purposes and time periods, and revoke it when the engagement ends. You should also have a process for checking that any third party software you use is patched and up to date.

Monitoring and acting on cyber threat intelligence is also essential, including identifying and blocking high-risk and unidentified traffic. Indicators do not stay still: if a threat actor moves to a new server to avoid detection, your controls need to pick up the new server and block it as well, which means refreshing intelligence feeds and re-checking traffic against the updated indicators rather than relying on a static blocklist. Your business, your partners and your partners' partners all need robust, continual monitoring in place; intelligence-driven security is often part of the best defense.
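As an added illustration (not code from the article or from WTW), the following Python snippet runs constructed egress proxy log lines against a threat-intelligence indicator set, then re-runs them after the feed has been updated with the actor's rotated server. It also flags destinations that are neither known indicators nor inventoried vendor endpoints, which is the "unidentified traffic" the paragraph above refers to. The hostnames, IP addresses, indicator values and log format are all invented for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed egress proxy log lines (timestamp, source host, destination,
# resolved IP, HTTP status). Not real traffic.
PROXY_LOGS = """\
2024-10-21T09:14:02Z host-finance-07 updates.vendor-erp.example 203.0.113.10 200
2024-10-21T09:15:44Z host-finance-07 cdn-sync.badactor.example 198.51.100.23 200
2024-10-21T09:16:10Z host-hr-02 mail.partner-payroll.example 203.0.113.55 200
2024-10-21T11:02:31Z host-finance-07 files.newdomain-x.example 198.51.100.77 200
2024-10-21T11:03:05Z host-ops-11 192.0.2.200 192.0.2.200 200
"""


@dataclass(frozen=True)
class IndicatorFeed:
    """A snapshot of a threat-intelligence feed (constructed values)."""
    domains: frozenset
    ips: frozenset


# Feed as first received: the actor's original server only.
FEED_V1 = IndicatorFeed(
    domains=frozenset({"cdn-sync.badactor.example"}),
    ips=frozenset({"198.51.100.23"}),
)
# Updated feed after the actor rotates to new infrastructure.
FEED_V2 = IndicatorFeed(
    domains=FEED_V1.domains | {"files.newdomain-x.example"},
    ips=FEED_V1.ips | {"198.51.100.77"},
)

# Approved vendor endpoints taken from the third party inventory (constructed).
KNOWN_VENDOR_HOSTS = frozenset({
    "updates.vendor-erp.example",
    "mail.partner-payroll.example",
})


def parse_proxy_log(text):
    """Parse the space-separated constructed log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, ip, status = line.split()
        events.append({"ts": ts, "host": host, "dest": dest,
                       "ip": ip, "status": int(status)})
    return events


def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(event, feed, known_hosts=KNOWN_VENDOR_HOSTS):
    """Return a verdict for one connection.

    Indicator hits are blocked outright. Destinations that are neither
    indicators nor inventoried vendor endpoints are sent for review rather
    than silently allowed, so a rotated server is at least surfaced before
    the feed catches up with it.
    """
    if event["dest"] in feed.domains or event["ip"] in feed.ips:
        return "BLOCK:indicator"
    if is_ip_literal(event["dest"]):
        # Direct-to-IP connections sidestep DNS-based controls and are a
        # common command-and-control pattern; treat as unidentified.
        return "REVIEW:direct-ip"
    if event["dest"] not in known_hosts:
        return "REVIEW:unidentified"
    return "ALLOW"


def triage(log_text, feed):
    """Map (source host, destination) to a verdict for every log line."""
    return {(e["host"], e["dest"]): classify(e, feed)
            for e in parse_proxy_log(log_text)}


def blocked_destinations(log_text, feed):
    """Destinations the feed would block, sorted for stable comparison."""
    return sorted(dest for (_, dest), verdict in triage(log_text, feed).items()
                  if verdict == "BLOCK:indicator")


if __name__ == "__main__":
    for name, feed in (("feed v1", FEED_V1), ("feed v2", FEED_V2)):
        print(name)
        for (host, dest), verdict in triage(PROXY_LOGS, feed).items():
            print(f"  {host:16} {dest:32} {verdict}")
```

With the first feed, the connection from host-finance-07 to the actor's new domain is only flagged as unidentified; once the updated feed lands it becomes a hard block. Re-running stored logs against each feed update is what turns a server rotation into a detection rather than a blind spot.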

Preparing to optimize your third party IT risk management

Some losses caused by cyber incidents that originate with third parties may not be covered by your insurance policies, so you need to understand your policy wording and how it interacts with your risk management approach.

Understanding the financial impact of potential cyber threats is a crucial step as you develop your overall cyber risk management and insurance strategy. This process should include assessing how your value chain is linked to third party vendors and identifying which revenue streams could be impacted. By quantifying these risks, you can start to make informed decisions about balancing what you invest in internal risk management and what you spend on insurance.

Is it more cost-efficient to divert resources to enhancing your controls to offset third party vendor risk, which could reduce the need for insurance or lower your premiums, or to transfer the risks to the insurance markets? You will not know until you are able to identify and quantify the risks.

Top ten ways to quantify cyber risk

Each industry and organization will face different types and levels of exposure through third party vendors, but there are some key steps any business could take to quantify the risks:

  1. Understand the full scope of potential threats by analyzing the scenarios that could harm your organization financially, considering every angle of threat and risk, including those introduced by third parties.

  2. Use analytics to predict and quantify the financial impacts of cyber incidents, including those involving third parties, to forecast the severity of each scenario and its financial implications.

  3. Break down projected losses into discrete cost categories (for example lost margin, extra operating expense and response costs) to see where the financial strain is most likely to land.

  4. Use current data on cyber incidents worldwide so that your risk assessments reflect the present threat landscape rather than last year's.

  5. Project severity across confidence intervals to understand the range of outcomes, from the likely to the worst case.

  6. Identify the revenue streams that rely on key third party vendor systems, to quantify the potential revenue exposure and the net loss from a cyber event.

  7. Convert those revenue exposures into lost margin: what you lose during a vendor outage is the margin on revenue you cannot earn, not its gross value.

  8. Identify opportunities to protect revenue through alternative systems or manual workarounds.

  9. Quantify the additional expenses a third party cyber event would bring, including the cost of those mitigations and workarounds.

  10. Understand all potential recovery options, including liable third parties, insurance policies and any loss adjustment clauses, so you can maximize recovery of damages.
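To make the quantification steps concrete, here is a small Python Monte Carlo model, added as an illustration and not part of the article or of WTW's methodology. It takes a constructed register of vendor dependencies (steps 6 to 9), breaks each simulated outage into lost margin, workaround expense and response expense (step 3), and reports the expected annual loss together with the 50th, 90th and 99th percentiles (step 5). Every figure in the register, the uniform outage-duration assumption and the nearest-rank percentile choice are placeholders to be replaced with your own data.

```python
import math
import random
import statistics

# Constructed dependency register. Figures are illustrative placeholders,
# not real vendor data. Each entry ties a revenue stream to one vendor.
VENDOR_DEPENDENCIES = [
    {
        "vendor": "payments-gateway",
        "daily_revenue": 400_000.0,        # revenue per day that flows through the vendor
        "margin": 0.35,                    # share of that revenue that is margin
        "annual_outage_prob": 0.10,        # chance of a disruptive outage in a year
        "outage_days": (0.25, 4.0),        # plausible outage duration range (days)
        "workaround_recovery": 0.40,       # share of revenue recoverable via manual workaround
        "workaround_daily_cost": 15_000.0, # overtime, manual processing, and so on
        "response_fixed_cost": 80_000.0,   # forensics, legal, notification
    },
    {
        "vendor": "hr-payroll-saas",
        "daily_revenue": 0.0, "margin": 0.0,   # no direct revenue, expense only
        "annual_outage_prob": 0.15,
        "outage_days": (1.0, 10.0),
        "workaround_recovery": 0.0,
        "workaround_daily_cost": 5_000.0,
        "response_fixed_cost": 40_000.0,
    },
    {
        "vendor": "ecommerce-cdn",
        "daily_revenue": 250_000.0, "margin": 0.25,
        "annual_outage_prob": 0.20,
        "outage_days": (0.1, 2.0),
        "workaround_recovery": 0.0,
        "workaround_daily_cost": 0.0,
        "response_fixed_cost": 20_000.0,
    },
]


def outage_loss(dep, days):
    """Break one outage of `days` at vendor `dep` into discrete cost categories."""
    revenue_at_risk = dep["daily_revenue"] * days
    unrecovered = revenue_at_risk * (1.0 - dep["workaround_recovery"])
    return {
        "lost_margin": unrecovered * dep["margin"],          # margin on revenue not earned
        "workaround_expense": dep["workaround_daily_cost"] * days,
        "response_expense": dep["response_fixed_cost"],
    }


def simulate_year(rng, deps):
    """One simulated year: each vendor may suffer at most one outage."""
    totals = {"lost_margin": 0.0, "workaround_expense": 0.0, "response_expense": 0.0}
    for dep in deps:
        if rng.random() < dep["annual_outage_prob"]:
            lo, hi = dep["outage_days"]
            days = rng.uniform(lo, hi)   # assumption: duration uniform in the range
            for category, value in outage_loss(dep, days).items():
                totals[category] += value
    return totals


def nearest_rank_percentile(sorted_values, p):
    """Nearest-rank percentile (0 < p <= 1) of an ascending list."""
    rank = max(1, math.ceil(p * len(sorted_values)))
    return sorted_values[rank - 1]


def simulate(deps=VENDOR_DEPENDENCIES, years=20_000, seed=7):
    """Run `years` simulated years and summarise loss by category and percentile."""
    rng = random.Random(seed)            # fixed seed so results are reproducible
    annual = [simulate_year(rng, deps) for _ in range(years)]
    totals = sorted(sum(year.values()) for year in annual)
    by_category = {k: statistics.fmean(year[k] for year in annual) for k in annual[0]}
    return {
        "expected_annual_loss": statistics.fmean(totals),
        "p50": nearest_rank_percentile(totals, 0.50),
        "p90": nearest_rank_percentile(totals, 0.90),
        "p99": nearest_rank_percentile(totals, 0.99),
        "expected_by_category": by_category,
    }


if __name__ == "__main__":
    result = simulate()
    print(f"expected annual loss: {result['expected_annual_loss']:,.0f}")
    for level in ("p50", "p90", "p99"):
        print(f"{level}: {result[level]:,.0f}")
    for category, value in result["expected_by_category"].items():
        print(f"  {category:20} {value:,.0f}")
```

With these placeholder inputs the median year shows no loss at all, because most years no vendor fails, while the 90th and 99th percentiles are well above zero. That gap between the typical year and the tail is exactly what an expected-value figure hides, and it is the number that matters when deciding how much to self-insure and how much to transfer.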

Managing third party vendor risks

There are a wide range of ways you can reduce cyber vulnerabilities through third party vendors. These include incorporating data security ratings and clauses in your contracts, using AI to analyze communication patterns and detect anomalies, segregating business networks, especially in regions with stringent data laws, and preventing unauthorized access to sensitive information.

Establishing incident response protocols and business continuity plans is also vital. Even if you catch a third party issue early or fend off a cyber threat, these risks could still manifest in the future. Having robust incident response protocols ensures you’ll be able to act quickly and effectively when something happens to trigger your plans.


Disclaimer

Willis Towers Watson offers insurance-related services through its appropriately licensed and authorised companies in each country in which Willis Towers Watson operates. For further authorisation and regulatory details about our Willis Towers Watson legal entities, operating in your country, please refer to our Willis Towers Watson website. It is a regulatory requirement for us to consider our local licensing requirements.

Authors

Jason Lelio, Head of Forensic Accounting and Complex Claims, North America

Justin Paglio, Senior Director - Forensic Accounting and Complex Claims

Trixia Apiado, Senior Associate, Cyber Risk Consulting
