What are the risks of using a third party?

Third-Party Risk is any risk associated with engaging a third party in the context of providing a service or product to a client (the second party). It is an umbrella term covering several potential risk types depending on the product or service, the third party and the nature of the engagement / relationship.

Potential Risks due to Third-Party Risk

There are numerous risks that may arise from a financial institution’s use of third parties.[1]

Some of the risks are associated with the underlying activity itself, similar to the risks faced by an institution directly conducting the activity. Other potential risks arise from or are heightened by the involvement of a third party. Failure to manage these risks can expose an institution to regulatory action, financial loss, litigation and reputation damage, and may even impair the institution’s ability to establish new or service existing customer relationships.

When talking about “third-party insurance policy,” you are the first party, the insurance company is the second party, and another entity is the third party. So, although the term “third-party insurance policy” does not relate directly to third-party vendors, the concept is useful in the context of risk management.

This is because third-party insurance protects you against the claims by a third party for damage suffered when adverse events materialize. As an example, we can look at some consequences of cyber risk, and what is covered under first-party risk insurance versus third-party risk insurance.

What is first-party cyber risk coverage? In general, first-party cyber risk insurance would cover you against losses directly resulting from a cyberattack. For example, it would repay what you spend to restore your systems, to repair or replace hardware or software, or possibly even loss of business from downtime.

Third-party risk insurance, on the other hand, might reimburse the cost of notifying your clients, perhaps cover court fees if a customer decides to sue you, or pay certain other damage claims. Because damage from a data breach can cost companies millions of dollars, handling cyber threats is an increasingly urgent focus of third-party risk management, particularly as cyber criminals often sneak in through the weakest security link in your supply chain, which may be your third party. Managing cyber risk in your third-party network is critical to protecting your business.

At riskmethods, we believe that modern third-party risk management (supplier risk management, vendor risk management) should include aspects of supply chain risk management. Let our power of three – identify, assess and mitigate risk – work for you.

Most companies rely on third parties to some extent. Third parties can help companies save costs, improve service speed, and expand global reach.

But third parties can also pose risks, from security to financial to compliance. The sheer number of third-party relationships companies often have can make it difficult to oversee the multiple risks involved. That’s why having an efficient and effective tech-powered third-party risk management program is critical, from onboarding, including integrity due diligence, to persistent monitoring.

Most organizations will need to rely on third parties at some point. Those relationships expose your organization to various types of third-party risk. Even if you understand the basic concepts behind these third-party risk types, it may be difficult to know how they could affect your organization. To improve understanding of third-party risk, we’ll cover examples of typical third-party risk types to illustrate how these risks manifest.

6 Third-Party Risks and Examples


  1. Compliance: This risk appears when a third party fails to comply with laws and regulations that govern the products and services your organization provides to customers.

     Example: Your organization has a third party that provides loan services. The third party created a marketing campaign that advertised lower interest rates on future loans for consumers who repaid on time. However, thousands of customers filed a complaint, stating they weren't eligible for lower interest rates despite a history of on-time payments. The CFPB filed an action against the third party for violating the Equal Credit Opportunity Act, leaving your organization exposed to compliance risk.

  2. Strategic: The third party presents a strategic risk when its actions or decisions don't align with your own organization's objectives.

     Example: After creating a new product, your organization requires a third party specializing in its delivery or distribution. As you perform your due diligence on a selection of vendors, you discover that they all use the same type of technology to automate a particular function. However, two of the vendors you're vetting use outdated technology with a history of issues. Selecting a third party that uses aging technology would present strategic risk to your organization.

  3. Operational: A third party can present internal and/or external operational risks. Internal risk can relate to the third party's own ineffective or failed processes, people, controls or systems. External risk can be caused by outside events like natural disasters, cyberattacks or acts of terrorism, which are beyond the control of the third party.

     Example: Your organization relies on a third party to provide virtual customer service. Their customer service center is in an area known to have recurring natural disasters like hurricanes, flooding or wildfires. Even though they have business continuity (BC) and disaster recovery (DR) plans, the third party hasn't tested them in over a year. They may be unaware of new risks or issues that could make their plans ineffective. As hurricane season approaches, your organization will be facing operational risk because of your third party's untested BC/DR plans.

  4. Information Security: Cyber and physical security risks are under the umbrella of information security risk. Cyber risk is present when a third party has vulnerabilities that can expose your organization's data through events like cyberattacks and breaches. These vulnerabilities can be anything from an unsecured server configuration to weak policies regarding on-site visitors.

     Example: A third-party vendor is used to manage your customers' passwords. During the pandemic, they shifted to a hybrid work model. However, they neglected to update their information security policy with requirements specific to remote working. Your organization is exposed to information security risks and potential data breaches that can affect your customers.

  5. Financial and Credit Risk: A third party's financial health can significantly affect its ability to consistently provide quality products and services to your organization. Insufficient investor funding, cash or credit can expose your organization to financial and credit risk.

     Example: When performing due diligence on a potential new third party, your organization reviews its financial records and discovers that it has no available credit and less than six months' worth of operating cash. An unstable or unhealthy financial profile may indicate that the third party cannot provide products and services to your organization's expectations and may go out of business during the contract term.

  6. Reputation Risk: Third parties can impact your organization's reputation in many ways: through poor service, lawsuits, data breaches or even misrepresenting their relationship with you. Your customers won't differentiate between your organization and a third party, so managing this risk is essential to protect your valuable reputation.

     Example: Your organization's third party suffered a data breach and began the process of notifying your customers who were affected. However, the third party mistakenly sent notification letters to your customers' next of kin. These letters revealed confidential health information such as illnesses, medications, and medical procedures. Understandably, your customers are upset and have filed a lawsuit against your organization for violating HIPAA, which prohibits revealing patients' health records without consent. As a result, your reputation is severely damaged because of your third party's actions.

3 Best Practices to Manage Third-Party Risk

Now that you have a better understanding of how third-party risk can affect your organization, let's review some best vendor risk management practices:
  1. Perform risk-based due diligence: After determining the vendor's inherent risk and criticality, you can proceed with collecting and reviewing due diligence. For critical or high-risk vendors, you'll want to review additional documentation such as BC/DR plans.
  2. Schedule ongoing monitoring: Vendors need to be monitored for risk throughout the relationship, not just at the beginning. Regular performance reviews, risk assessments, document collection, and monitoring will help your organization stay on top of existing risks and identify new or emerging risks.
  3. Report to the board of directors and senior management: Regulatory guidance requires that the board and senior management be involved in vendor risk management. By keeping them informed of vendor risk management activities, they'll be better prepared to set the "tone-from-the-top" and establish clear goals for your organization.

Third parties often provide significant value by delivering additional products and services or supplementing the capabilities of an organization. They can also present many risks that need to be appropriately managed. Identifying and managing existing, new and emerging risks will help your organization get more benefits from your third-party relationships.


What are the risks of using third parties in a supply chain?

Third-party members of your supply chain that are not adequately vetted may become a new vector for malicious organizations to steal sensitive information about your products, clients, and customers.

Is third party risk operational risk?

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Third-party relationships often integrate the internal processes of other organizations with the bank's processes and can increase the overall operational complexity.

Why is third party risk important?

Third-party risk management is important because failure to assess third-party risks exposes an organization to supply chain attacks, data breaches, and reputational damage.
