
Managing third-party cyber risk in 2022

Anthony Stevens Aug 01, 2022

Many people view risk in business as something that should be avoided at all costs. However, we believe that with the appropriate third-party risk management processes, these risks can be catalysts for strong business growth and revenue.

For decades, organisations have searched for ways to better adapt to the marketplace of their time. In the modern economy, businesses have turned towards an ecosystem of third-party services that can cater specifically to their needs and drive their competitive advantages.

Whether it be a vendor, supplier or business partner, there are many reasons why organisations continue to engage and rely on third-party services. These vary drastically case by case, but can include:

  • Leveraging industry knowledge or subject expertise
  • Cost savings
  • Time savings
  • Outsourcing labour
  • Compliance with evolving legislation
  • Value-add to their existing services
  • Joint venture or business partnership


What is a third party in a cyber context?

Traditionally, a third party is defined as an entity that ‘may be indirectly involved but is not a principal party to an arrangement, contract, deal, lawsuit, or transaction’. There are many more interpretations.

But in the world of cyber, the idea of a third party is not so simple. Third parties still exist in the traditional form, but businesses should now also treat certain technologies (namely AI, IoT and open APIs), as well as a third party’s own third parties (often referred to as fourth or fifth parties), as falling under the same heading.

The relationships between businesses and their respective third parties are far too complex to monitor using manual methods. For companies with thousands of third parties in particular, assessing the risks associated with each one manually would take years. This is not very helpful for coping with evolving compliance demands or making pre-emptive improvements in third-party cybersecurity.


The dangers of third-party cyber risk

While there are notable benefits to engaging these third-party solutions, doing so carelessly, without a structured approach, will only complicate the existing risks you face as a business. Exposure to cyber risk is among the most dangerous areas of risk for a business because of the potential to lose consumer data, intellectual property, or other sensitive digital assets.

For example, between August 2018 and March 2019, a hacker successfully penetrated the American Medical Collection Agency (AMCA) system – a prominent billing services provider in the US healthcare industry. Reportedly, the hacker obtained access to the patient records of more than 25 million people, including ‘patient names, addresses, telephone numbers, dates of birth, dates of service, account balances, banking or credit card information, and provider details.’

Numerous companies impacted by the breach are currently ‘facing lawsuits, as well as state and Senate investigations. Security researchers have noted that the impact of the breach will continue to reverberate throughout the foreseeable future.’


Common third-party mistakes

Common mistakes when dealing with third parties include:

  • Failing to fully understand which risks are critical to your business or the respective third party, leading to generic or irrelevant assessments.
  • Failing to gain accurate and actionable risk data from these third parties, due to a lack of correct guidance.
  • Manually collecting data. This is not necessarily a mistake but can cause significant delays in cybersecurity improvements and risk mitigation. Speed and agility are important to combat evolving threats.
  • Failing to create a third-party cybersecurity program that can be efficiently scaled to accommodate third-party ecosystem growth.
  • Failing to implement a third-party-specific cybersecurity process for approving or vetting third parties.
  • Failing to conduct and prioritise improvements or remediation based on which third parties pose the greatest potential threat to your business.


Protecting your business from third-party risk

The prevalence of data in modern business practices demands a comprehensive solution to protect against the cybersecurity risks posed by third parties.

Move away from spreadsheets and embrace secure digital integration in your risk management and compliance processes. Using manual processes to address cybersecurity risks is not a sustainable solution given the intertwined nature of modern data flows.

There needs to be a fundamental shift in the way organisations and third parties engage in cybersecurity. Awareness of cybersecurity best practices, and a better understanding of how these risks manifest themselves, is imperative to navigate and identify suitable third-party partnerships. Unfortunately, there is no ‘one size fits all’ approach, but a strong cyber risk management program can be the one thing that saves your business millions of dollars.

Furthermore, you need to be constantly aware of the state of all your third parties’ cybersecurity postures. As part of this, you need to develop the mutual understanding that upholding the appropriate cybersecurity standards is a non-negotiable condition of any partnership.


A simpler way to manage third-party cybersecurity

Around the world, cybersecurity is increasingly discussed at board level, and rightfully so. Executives and directors want to avoid the potential disruption of customer services or regulatory breaches, because they are beginning to understand what is really at stake.

The cyber risks associated with these third parties cannot be completely eliminated, but neither can those from within your business. Cyber threats will continue to evolve. All operators can do is seek to reduce these risks to a level that is considered ‘safe’ for your business or industry.

Third-party cybersecurity is complex to manage. But 6clicks can help. Also, read our blog - The top 5 cyber security vendor questionnaires for 2022.
