There Are Parties and Then There Are Third Party’s

Author:
Stacy Hagemann
Date:
November 19, 2025

Raise your hand if you’ve ever received an email or a letter in the mail from a business telling you that “they have been breached, and your information was exposed.” This is known as second-party risk, and odds are most of us have experienced it.

On the other side of that business are its third-party relationships: the direct relationships with the vendors and suppliers it uses to provide its products and services. Beyond those are the indirect fourth- and fifth-party relationships that belong to those third-party vendors and suppliers. If you are unlucky like me, you may have also received letters from businesses informing you that their third party was breached and your information was compromised. In either case we have little recourse other than to stop using the business, which can itself be detrimental.

Unfortunately, in today’s digital world businesses are using more third parties than ever before. The 2025 Verizon Data Breach Investigations Report stated that 30% of breaches were linked to third-party involvement, double the 2024 figure. Risks that were once largely about geography, resource constraints, or business continuity have progressed into risks of privacy and data processing, regulatory compliance, and cybersecurity. One of the biggest challenges in third-party risk management is finding someone to manage it!

Ownership is often split across three business units. Legal manages the vendor contracts and terms, procurement handles the purchase and service level agreements, and IT/Security validates the vendor’s posture so the business can safely meet its objectives. That is a lot of cooks in the kitchen and, if they do not communicate well, a recipe for disaster.

There are three maturity levels of Third-Party Risk Management (TPRM):

What’s at Stake

Potential Consequences of Unmanaged Third-Party Risk

Many teams already have full plates, and it can be a struggle to take on one more tool or get budget for another solution. However, as mentioned above, the number of third-party vendors the business relies on to meet its objectives is only growing, so that risk is going up, not down. Let’s get into some of the concerns attributed to third-party risk.

  • Loss of Customer Base – some businesses feel their brand reputation can take the hit, but that can be a risky gamble. What if your product or services were unavailable for an extended period of time, as was the case with Whole Foods when its primary distributor, United Natural Foods Inc., fell victim to a cyberattack in June 2025? I remember how empty the shelves were for weeks, and I needed to shop at competitors. You never want to give your customers a reason to shop with the competition!
  • Exposed Data – I know you hear this one all the time, but recall how in June 2025 a global fast food chain was all over the news for its trust in third-party developer Paradox.ai. Paradox.ai built the chain’s job applicant chatbot screener to use a very basic default credential for restaurant owners, in conjunction with an API endpoint vulnerability. You can’t know everything about a vendor, but there are some good checks and balances available in certain TPRM solutions.
  • Compromised Access – a scary and growing concern with our interconnected systems. For this one we look to the August 2025 Salesloft Drift OAuth token compromise. It affected over 700 organizations, including 24 prominent cybersecurity vendors. While avoiding integration partners may not be a viable option, you certainly want to fully evaluate those with the highest connectivity to your organization. Make sure you know the full breadth of affiliation in your ecosystem, with a communication and response strategy in place if something does occur.
  • Regulatory and Financial Implications – who can forget the largest healthcare data breach of 2024, when United Healthcare’s subsidiary Change Healthcare suffered a devastating cyberattack that impacted 190 million individuals. The financial fallout: $2.45 billion in response costs, $4.7 billion reimbursing providers, and heavy scrutiny under HIPAA.

TPRM Features

This is a large market, made up of many GRC solutions that offer a TPRM module and various point solutions with differing degrees of product maturity and features.

You may already know third-party risk management for its vendor exposure ratings, security trend timelines, alerts on vendor changes, and questionnaire sending.

But there are many capabilities you may not be aware of. Here are several that work towards enhancing your TPRM posture.

  • Access Inventory – Record every area of access the vendor has to your environment, policies, and data, aligned to the associated owners on both sides of the relationship.
  • Central Repository – Store all vendor information, with ownership and communication procedures, in one place: contract repository, response plans, SLAs, and liability information.
  • Fourth- and Fifth-Party Visibility – Understand the breadth of connections and the health of your third-party vendors’ associated business chain.
  • Exposure Detection – Visibility into vendor breaches, unaddressed critical CVEs, and zero-day attacks that affect your vendors. Detect issues in vendors connected to you and identify what in your domain could be affected.
  • Zero-Day/Incident Questionnaires – Bulk-send questionnaires to vendors to understand their level of impact when a novel attack or impacting incident occurs.
  • Automated SOC 2 Reviews/Questionnaires – Evaluate a vendor’s SOC 2 report or have it populated into your questionnaire. Upload your own compliance and business reports to automatically populate questionnaires you receive.
  • Vendor/Supplier Dependencies – Recognize the concentration of work and services associated with your vendors, which may increase potential risk if not diversified.
  • Renewal & Questionnaire Tracking – Workflows for upcoming renewals and questionnaire requests.
  • Trust Center – A secure link to a repository for sharing your business’s control and governance files (audit and compliance reports, privacy policy, etc.) with vendors to expedite onboarding.
  • Financial Impact – Ratings for potential losses from working with a vendor, calculated from FAIR and the vendor’s posture.
  • Compliance Mapping – For vendors who supply information, AI scans the files to complete the mapping. For unresponsive vendors, AI pulls from open-source intelligence, public policies, and external controls from cyber ratings to align with frameworks and build a compliance profile.
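To make the Access Inventory, Fourth- and Fifth-Party Visibility, Exposure Detection, and Vendor Dependency features concrete, here is a small added example (not code from this post or from any TPRM product) of the data a tool like that holds and the two questions it answers when a breach notice arrives: which of our vendors connect us to the compromised party, and what systems, data, and owners are in the blast radius. Every vendor, system, data class, and contact in it is a constructed placeholder; the subprocessor concentration count is the dependency check the list above describes.

```python
"""Toy vendor access inventory with fourth-party visibility and exposure lookup.

Added example, not code from the post or from any TPRM product. Every vendor,
system, data class and contact below is a constructed placeholder.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vendor:
    """One row of the access inventory: what a third party can reach and who owns it."""
    name: str
    tier: str                    # criticality assigned by the business owner
    internal_owner: str          # team on our side that owns the relationship
    vendor_contact: str          # who we notify on the vendor side
    systems: frozenset           # our systems the vendor has access to
    data: frozenset              # data classes the vendor processes
    subprocessors: frozenset = frozenset()  # fourth parties the vendor relies on


# Constructed inventory (placeholder names, not real vendors).
INVENTORY = [
    Vendor("PayrollCo", "critical", "hr-ops", "acct-mgr@payrollco.example",
           frozenset({"hris"}), frozenset({"employee-pii", "bank-details"}),
           frozenset({"CloudHost-A"})),
    Vendor("ChatbotDev", "high", "recruiting", "support@chatbotdev.example",
           frozenset({"careers-site"}), frozenset({"applicant-pii"}),
           frozenset({"CloudHost-A", "LLM-API-B"})),
    Vendor("CRM-Connector", "high", "sales-ops", "csm@crmconnector.example",
           frozenset({"crm", "support-desk"}),
           frozenset({"customer-contacts", "support-tickets"}),
           frozenset({"CloudHost-C"})),
    Vendor("OfficeSnacks", "standard", "facilities", "orders@snacks.example",
           frozenset(), frozenset({"billing"}), frozenset()),
]


def exposure_path(inventory, compromised):
    """Direct vendors that connect us to `compromised`.

    `compromised` may be a third party (matches a vendor name) or a fourth
    party (appears in some vendor's subprocessor list). Sorted so the result
    is stable for reporting.
    """
    return sorted(v.name for v in inventory
                  if v.name == compromised or compromised in v.subprocessors)


def blast_radius(inventory, compromised):
    """What in our domain could be affected if `compromised` is breached, and
    who needs to hear about it (the incident-questionnaire target list)."""
    via = exposure_path(inventory, compromised)
    hit = [v for v in inventory if v.name in via]
    return {
        "via": via,
        "systems": sorted(set().union(*(v.systems for v in hit))),
        "data": sorted(set().union(*(v.data for v in hit))),
        "notify_internal": sorted({v.internal_owner for v in hit}),
        "notify_vendor": sorted({v.vendor_contact for v in hit}),
    }


def subprocessor_concentration(inventory):
    """How many direct vendors depend on each fourth party. A subprocessor
    shared by several vendors is a concentration risk even when no single
    vendor looks critical on its own."""
    counts = Counter(s for v in inventory for s in v.subprocessors)
    return dict(counts.most_common())


if __name__ == "__main__":
    # A breach notice about a fourth party we never contracted with directly.
    print(blast_radius(INVENTORY, "CloudHost-A"))
    print(subprocessor_concentration(INVENTORY))
```

The point of keeping subprocessors in the inventory is visible in the `CloudHost-A` lookup: it is not one of our vendors, yet two of them (and the HR and recruiting data they hold) sit behind it, and the concentration count flags it as a single point of failure before any incident occurs.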

Our Approach to TPRM

There are a lot of solution options and ways to leverage TPRM tooling. Here are our top considerations:

  • Determine who holds a role in the relationship with, and the management of, vendors and suppliers.
    • No Solution in Place – understand the process for all relationship owners and pick the top use cases, or those most impactful in generating a view of risk: automation, continuous monitoring, questionnaires.
      • How many critical vendors do you need to evaluate and manage?
      • What does a vendor evaluation currently look like?
      • Which compliance regulations or frameworks are needed for governance?
    • Solution in Place – what does it do well, and which areas can be enhanced? Many organizations start with the basic vendor risk rating and move into more mature features that give a deeper view of risk, communication and response procedures, or compliance mapping. Adding workflows and automation helps manage certain areas of the relationship more effectively, with an ultimate progression to full vendor lifecycle management.
  • Consolidation and Maturity Roadmap – look for ways to consolidate TPRM tooling into one view and repository where appropriate. This is a growing threat vector, so make sure there is a roadmap to enhance your view of vendor and supplier risk beyond the basic risk rating.

We are here to help you navigate all the features and options, as well as services or managed services if it’s too much for your teams to take on. Please reach out to hello@sayers.com and we would be happy to assist.
