How SMEs can overcome barriers to implement third party risk assurance

By Phil Robinson, Principal Consultant, Prism Infosec

Start-ups and small to medium-sized enterprises inevitably have to outsource some elements of their business, which leaves them relying heavily on third parties and/or third-party software. With that dependency comes added complexity and risk. Taking the software supply chain as an example, compromises there cost 8.3% more and take 8.9% longer to identify and contain than other types of compromise, according to the Cost of a Data Breach Report 2023. Being able to proactively address and mitigate those risks can therefore make a big difference.

This is where Third Party Risk Assessments (TPRA), sometimes referred to as supplier risk assessments or vendor risk assessments, can help. They seek to ensure not only that the supplier has security controls in place to protect against the risk of a breach, but also that other risks are addressed. They can provide assurance over service levels so that the business is not left high and dry if the supplier suffers a loss of service. In fact, TPRA is extensive and should cover reputational, geopolitical, financial, operational, ethical and nth-party supplier risks. Risks come in all shapes and sizes and need to be evaluated to determine their rating and whether that rating is acceptable in terms of the business’ risk appetite.

Resource intensive

As a consequence, TPRAs are very resource intensive. The Cyber Security Breaches Survey 2024 reveals that only 18% of small businesses review their relationship with their immediate suppliers and just 8% the wider supply chain, figures that halve for micro businesses: 9% and 5% respectively. There’s also no real agreement on the form the process should take. The survey found that the way in which assessments are carried out varies from contractual arrangements to questionnaires, to adding suppliers to the risk register or logging data flows on data protection registers.

Some do seek to determine whether suppliers are accredited to standards or meet industry regulations and standards such as the Data Protection Act / GDPR and PCI DSS. However, organisations should not assume that compliance with a standard automatically confers assurance across the board, because each organisation’s idiosyncrasies give it a unique risk tolerance. It’s also worth bearing in mind that the onus is on the business to determine whether the supplier can meet its risk criteria in terms of service delivery, not the other way round.

Understandably, this can all seem very daunting to any organisation, particularly smaller businesses without audit or governance teams, which is why we’ve seen the emergence of specialist TPRM platform providers. These use automated processes to collect the necessary information from suppliers, which is then held on a central database that the business pays to access via a licence. For the SME, however, such licences are cost-prohibitive, which many have interpreted as leaving them caught between a rock and a hard place.

If they elect not to carry out TPRM they risk leaving the business exposed and in a reactive stance to any issues. Pre-contract, they lose the insights needed to negotiate contractual obligations for the supplier to meet; post-contract, they cannot govern the relationship effectively or take action to curtail risk by implementing additional controls. In contrast, conducting a TPRA enables the business to hold the vendor to account using KPIs and by measuring performance against the SLA. It can also reveal a lot more detail, such as whether business continuity and disaster recovery processes are up to scratch, and whether the risk is tolerable not just to the business but also to its insurers.

Where to start

TPRA is, therefore, undoubtedly an essential exercise, but it must be performed prior to engagement so that all risks are known and documented, and crucially it should also be conducted periodically so that risks can be reviewed and reassessed during the course of the contract and risk registers updated. It is therefore a continuous process, and because of this it lends itself to becoming part of the management of the business, with dedicated resources and ownership assigned to specific personnel.

SMEs need not go it alone, however. They can approach third party consultancies for advice and for the additional capacity needed to carry out these assessments. This will typically see TPRA based upon a standard framework such as ISO 27001 or the NIST Cybersecurity Framework (CSF), which clearly lays out supplier requirements while conferring the flexibility needed to adapt to the risk appetite of the business. That appetite may well fluctuate over time as market forces and changes in the business influence risk levels.

There are of course constraints that the SME will need to work within. Considerations include the time the business wishes to dedicate to the assurance process; how it will prioritise supplier relationships, i.e. those it is most heavily reliant upon or which handle processes critical to the business; how deep it will go into the supply chain in terms of nth-degree suppliers; and how it will validate risk mitigation. All of these will influence the level of assurance that can be achieved.

However, this approach does have its advantages, as it places liaison front and centre. Third party risk management is all about maintaining a good working relationship between the purchaser and the supplier, which can’t be achieved solely using automated processes. Taking this combined approach also gives the SME the flexibility to explore emerging technologies and services, as it is then able to assess their relative merits and risks, meaning the business can innovate and remain competitive without necessarily seeing risk increase. In this respect, TPRA isn’t just a safeguard that protects the business in the event of a risk being realised but a valuable process that enables the business to evolve and expand in a controlled manner.