Risk Management in Third-Party Supply Chains

June 27, 2024

At least 29% of breaches in 2023 involved a third-party attack vector. Given the volume of attacks that arrive through the supply chain, your company must have processes and policies in place to manage that risk across the entire data lifecycle, from the day a vendor is onboarded to the day the data it held is deleted after offboarding.

In this post, we’ll outline some of the major components of a risk management framework for your third-party vendors.    

Vendor Risk Assessment: Not a One-And-Done Task 

“A supplier assessment conducted prior to bringing a supplier on board is a snapshot in time that becomes obsolete before it is completed. Mature acquirers establish supplier-monitoring programs that cover the entire supplier relationship life cycle and monitor a variety of risks…” – National Institute of Standards and Technology (NIST). 

NIST makes it clear that securing your supply chain is an ongoing process, not a one-time event. It requires comprehensive and flexible vendor agreements, and it requires continued vigilance on your part after the contract is signed.

Vendor Contracts as a Cyber Risk Management Tool 

Your vendor contracts should outline the expectations, standards, and safeguards that your partners must adhere to. As always, it’s essential to treat these documents as a business tool, not ‘just’ a legal compliance document. These documents must:

  • Be Clear and Comprehensive: Document your requirements for data protection, access controls, incident response, and ongoing security assessments. Your vendors need to understand precisely what is required of them.
  • Require Data Protection: Your contracts must stipulate how your vendors will protect the data you share with them, both in transit and at rest. This includes encryption standards, access limitations (for example, access restricted to the vendor personnel who actually need it), and clear requirements for data disposal.
  • Provide For Regular Audits and Assessments: Include a right to audit and terms for regular security assessments of your vendors’ systems and processes. This ensures that your vendors’ security keeps pace with best practices and your expectations over time.
  • Include An Incident Response Plan: Detail your joint incident response plan, including how and within what timeframe your vendor will notify you of a breach, what steps will be taken to contain the damage, and a requirement that the vendor cooperate with your investigation.

Ongoing Monitoring & Metrics 

With the (right) vendor contracts in place, the next step is to implement the ongoing monitoring processes that those contracts describe.

While the exact metrics you track will vary depending on the type and sensitivity of data you share with your vendor, these are some common metrics you might consider tracking:  

  • Security metrics, such as mean time to patch vulnerabilities (ideally broken out by severity), data loss prevention incidents, percentage of applications with mandatory multifactor authentication enabled, and data breach notifications.
  • Data hygiene metrics, such as data deletion compliance rate and data backup timelines.
  • Vendor training metrics, such as phishing click-through rate and employee training completion rate.

Sometimes very large vendors will not agree to individualized, customer-led audits; instead they will offer to demonstrate compliance with their contractual obligations by providing a copy of their most recent third-party audit report (a SOC 2 Type II report, for example). If this is the case, be sure to request a copy of the report each year, confirm that its scope actually covers the services and data you rely on, and follow up with the vendor on any significant findings or recommended remediation.

A Final Note About Offboarding  

Managing offboarding can be challenging, especially if the relationship is ending on a poor note. The contracts and processes you set up earlier will play a very important role in protecting your data during offboarding.

Here’s a quick overview of some considerations:  

  • Promptly remove the vendor’s access to your company’s systems and data: disable accounts and single sign-on entitlements, revoke API keys and certificates, remove VPN and network access, and rotate any shared credentials the vendor may have held.
  • For any data the vendor holds in its systems, request written confirmation that it has been deleted, including from backups, within the timeframe your contract specifies. The data deletion process should be thoroughly detailed in your contracts.
  • If relevant, provide for knowledge transfer (documentation, configurations, and your data in an exportable format) at the end of your relationship with the vendor.

Remember, a secure supply chain is a competitive advantage. If you want to implement processes and policies to improve your supply chain cybersecurity, reach out. Our privacy attorneys would love to help.  


The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.
