What is Third-Party Risk Management (TPRM)?
TPRM is the process of identifying, assessing, and managing cybersecurity risk from vendors and partners. Essential reading for PE due diligence and board-level risk oversight.
Why Third-Party Risk Is Accelerating
Modern organizations operate through an ecosystem of third parties that would be unrecognizable to security practitioners of twenty years ago. The average enterprise now has relationships with thousands of vendors — SaaS applications, cloud infrastructure providers, managed service providers, payroll processors, legal firms, accounting firms, logistics partners, and technology integrators — many of whom have direct access to sensitive data or operational systems.
The attack surface created by these relationships is not theoretical. IBM's X-Force Threat Intelligence Index 2026 found that supply chain and third-party breach incidents have quadrupled over the past five years. The increase is structural: as organizations outsource more functions and integrate more deeply with external systems, the number of trusted entry points grows. Each trusted entry point is a potential attacker entry point if the third party is compromised.
Nation-state actors have explicitly adopted supply chain attacks as a strategic methodology. SolarWinds demonstrated that a single trusted software vendor, compromised through its build process, could provide authenticated access to 18,000 customers simultaneously — including the US Treasury, State Department, and multiple defense contractors. The technique is now well-documented and has been replicated in subsequent campaigns.
The TPRM Process: From Inventory to Ongoing Monitoring
A mature TPRM program follows a structured lifecycle. It begins with vendor inventory — many organizations cannot enumerate all of their active vendor relationships, making risk assessment impossible. The inventory must capture what data each vendor can access, what systems they connect to, and what the organization's dependency on each vendor looks like in operational terms.
Risk tiering classifies vendors by the risk they represent. A vendor with access to sensitive customer PII and direct database access presents a different risk from a vendor providing static marketing content hosting. Tier 1 vendors — those with access to regulated data, critical systems, or significant operational dependency — require the most rigorous assessment and ongoing monitoring. Tier 3 vendors may require only a vendor questionnaire and annual review.
Initial assessment for Tier 1 vendors typically includes a detailed security questionnaire (using industry standards like SIG, CAIQ, or VSA), documentation review (SOC 2 reports, penetration test results, certifications), contractual review (data processing agreements, security addenda, breach notification requirements), and sometimes technical assessment for vendors with deep integration access.
Key TPRM Controls for Mid-Market Organizations
Contractual requirements are the first control. Every vendor with access to sensitive data or critical systems should have a contract that specifies security requirements, breach notification timelines (typically 72 hours or less), right-to-audit provisions, data handling and retention requirements, and subcontractor provisions (many breaches originate not through the direct vendor but through their subcontractors). A vendor relationship without a security addendum is an uncontrolled risk relationship.
Continuous monitoring fills the gap between periodic assessments. Vendor security posture changes — a vendor who passed a SOC 2 audit six months ago may have had a significant configuration change, a personnel departure, or a partial breach since then. Security rating services, dark web monitoring for vendor credential exposure, and automated questionnaire refresh tools provide ongoing visibility into vendor posture changes without requiring full re-assessment cycles.
Offboarding is the most commonly neglected TPRM control. When a vendor relationship ends, access must be revoked, data must be returned or destroyed per contract terms, and system integrations must be terminated. Orphaned vendor access — API keys, shared credentials, or persistent VPN access for vendors whose contracts have ended — is a known attack vector that is routinely identified in penetration tests.
TPRM and PE Due Diligence
For PE due diligence, TPRM is a significant risk area that is frequently under-assessed. The questions that matter are: Can the target company enumerate all vendors with access to its systems or sensitive data? Are there MSP or IT outsourcing relationships where the vendor has privileged access to all systems? What managed service providers are in the environment, and what is their own security posture? Has the company experienced any third-party-originated incidents?
MSP relationships deserve particular scrutiny in PE due diligence. A portfolio company where a small MSP has domain administrator access across all systems has a single vendor that represents existential operational risk if compromised. Kaseya VSA, a remote management tool used by MSPs, was exploited in 2021 to push ransomware to over 1,500 downstream organizations simultaneously — demonstrating exactly this risk profile.
TPRM Frameworks and Standards
Several frameworks provide structure for TPRM programs. NIST SP 800-161 provides comprehensive guidance on supply chain risk management for federal agencies and regulated industries. The Shared Assessments SIG questionnaire is the most widely used vendor assessment tool in financial services. SOC 2 Type II reports — particularly those that include vendor management controls — are the most commonly requested vendor security evidence. ISO 27001 certification demonstrates that a vendor has implemented a structured information security management system.
For PE portfolio companies, the most practical TPRM starting point is a vendor inventory combined with tiering and contract review. Organizations that cannot enumerate their vendor relationships cannot assess their third-party risk. Organizations with vendor relationships that lack security addenda are operating on handshake trust. Both conditions are common at mid-market companies and both represent addressable risk that creates material value when remediated.
Related Reading
Change Healthcare: Third-Party Risk at National Scale
The February 2024 ransomware attack on Change Healthcare — a UnitedHealth Group subsidiary that processes roughly 50% of US healthcare billing transactions — demonstrated the systemic risk created by third-party concentration. The attack forced Change Healthcare to take its billing clearinghouse systems offline for weeks. Hospitals could not submit claims. Pharmacies could not verify insurance eligibility. Small medical practices faced existential cash flow crises. The direct financial impact on UnitedHealth Group exceeded $870M in the first quarter of reporting. The broader healthcare system impact — delayed care, unpaid claims, and operational disruption — was measured in billions. Every healthcare organization that relied on Change Healthcare as a billing intermediary experienced a significant operational incident through no failure of their own security controls. That is third-party risk at scale.
Supply chain and third-party breaches have quadrupled over the past five years, according to IBM's X-Force Threat Intelligence Index 2026. The perimeter has not dissolved — it has expanded to include every vendor, SaaS tool, managed service provider, and integration partner with access to your data or systems.