AlignTrust

Third-Party Risk

The exposure an organisation faces from the security posture, actions, or failures of its external partners, suppliers, and service providers.

What Is Third-Party Risk?

Third-party risk is the risk that arises from an organisation's relationships with external parties — vendors, suppliers, contractors, partners, and service providers. When you grant a third party access to your systems or data, or when your operations depend on their reliability, you inherit a portion of their risk.

Third-party risk includes:

  • Cyber risk: A vendor's security breach that exposes your data
  • Operational risk: A critical provider going offline and disrupting your operations
  • Compliance risk: A vendor mishandling personal data in violation of GDPR or other regulations
  • Reputational risk: A partner's misconduct affecting your brand

Third-Party Risk vs Supply Chain Attack

These terms overlap but are distinct:

  • Third-party risk is the broader category — all risk arising from external relationships
  • Supply chain attack is a specific attack vector — an adversary deliberately compromising a vendor to reach you

Both underscore the same fundamental point: your security is only as strong as the weakest link you trust.

High-Risk Third-Party Relationships

Not all vendors carry equal risk. Prioritise scrutiny for:

  • Managed Service Providers (MSPs): Often have admin-level access to client systems
  • Cloud storage and SaaS platforms: Hold large volumes of sensitive data
  • Payroll and HR systems: Process employee PII and financial data
  • IT support and security vendors: Privileged access to networks and endpoints
  • Legal and accounting firms: Handle confidential business and financial information

Managing Third-Party Risk

  1. Maintain a vendor inventory — you can't manage what you don't know about
  2. Classify vendors by risk tier based on data access and criticality
  3. Require security evidence (SOC 2, ISO 27001, questionnaire) from high-risk vendors
  4. Include security requirements and breach notification clauses in contracts
  5. Implement least privilege for all vendor access
  6. Offboard promptly — revoke credentials immediately when vendor relationships end
  7. Review vendor risk annually, or after any significant change to the relationship
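The inventory, tiering, evidence, offboarding and annual-review steps above can be checked mechanically once the vendor list exists. The following is an added example, not AlignTrust's own tooling: the scoring scales, thresholds and the sample vendors are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set

# Scoring scales and thresholds are assumptions for this example, not an AlignTrust scheme.
DATA_ACCESS_SCORE = {"none": 0, "internal": 1, "confidential": 2, "pii_or_financial": 3}
CRITICALITY_SCORE = {"low": 0, "medium": 1, "high": 2}
REVIEW_INTERVAL = timedelta(days=365)  # step 7: review vendor risk annually

@dataclass
class Vendor:
    name: str
    data_access: str                 # key of DATA_ACCESS_SCORE
    criticality: str                 # key of CRITICALITY_SCORE
    privileged_access: bool = False  # e.g. MSP admin rights to client systems
    evidence: Set[str] = field(default_factory=set)  # {"SOC2", "ISO27001", ...}
    last_review: Optional[date] = None
    relationship_ended: Optional[date] = None
    credentials_active: bool = True

def risk_tier(v: Vendor) -> str:
    # Step 2: tier by data access and criticality; privileged access raises the score.
    score = DATA_ACCESS_SCORE[v.data_access] + CRITICALITY_SCORE[v.criticality]
    if v.privileged_access:
        score += 2
    return "high" if score >= 4 else "medium" if score >= 2 else "low"

def findings(v: Vendor, today: date) -> List[str]:
    issues = []
    if v.relationship_ended:  # step 6: ended relationships must have no live credentials
        if v.credentials_active:
            issues.append("offboarding incomplete: credentials still active")
        return issues  # a properly offboarded vendor needs no further review
    if risk_tier(v) == "high" and not v.evidence:  # step 3
        issues.append("high-tier vendor with no security evidence on file")
    if v.last_review is None or today - v.last_review > REVIEW_INTERVAL:  # step 7
        issues.append("risk review overdue")
    return issues

def review_inventory(vendors: List[Vendor], today: date) -> dict:
    return {v.name: (risk_tier(v), findings(v, today)) for v in vendors}

# Constructed sample inventory: names and dates are made up for this example.
INVENTORY = [
    Vendor("msp-example", "confidential", "high", privileged_access=True,
           evidence={"SOC2"}, last_review=date(2024, 1, 10)),
    Vendor("payroll-example", "pii_or_financial", "high", last_review=date(2024, 11, 2)),
    Vendor("former-contractor", "internal", "low", last_review=date(2024, 6, 1),
           relationship_ended=date(2024, 9, 30)),
]
```

Calling `review_inventory(INVENTORY, date(2025, 3, 1))` flags the MSP for an overdue review, the payroll provider for missing evidence, and the former contractor for credentials that were never revoked.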