When Uber’s stock fell by 5% right after the opening bell in 2022, it was linked to a significant cybersecurity breach that may have compromised the company’s key databases. The databases were potentially exposed through a hacker with a Telegram handle “TeaPot” that accessed the company’s third-party HackerOne account. This was especially concerning since the cybersecurity company has access to the company’s network, systems, and sensitive data. 

This attack highlights the importance of third-party risk management for defending against reputational risk, including continuous risk monitoring and incident response planning. Third-party risk management for reputational risk should also have a communication policy in place for handling the news of the cybersecurity breach and its presentation to the media, external stakeholders, and the public. 

Understanding Reputational Risk in Third-Party Relationships

Reputation risk involves any damage to an organization’s brand that results in a loss of customer trust, directly impacting revenue, the value of the company, stock prices, and future business opportunities. Organizations are particularly sensitive when third parties are involved in behaviors that involve reputational risk because they often lack visibility into their supply chain to detect these risks, evaluate their impact, and mitigate against them. 

Examples of reputational risk in the supply chain include:

  • Data breaches caused by third-party vendors that expose sensitive data and information, resulting in a loss of potential future business contracts and customer trust.  
  • Non-compliance with regulations by suppliers can result in financial penalties, stricter regulatory audits, and lost business relationships. 
  • Recent scandals or poor media coverage that damage a vendor’s reputation, cause a reevaluation and tightening of current cybersecurity processes for an organization, result in financial penalties due to non-compliance, and cause long-term damage to the brand.  
  • Operational failures cause critical systems to stop working, delaying a product release, disrupting the supply chain, and damaging customer relations.  

4 Key Strategies for Mitigating Reputational Risks Through Third-Party Risk Management

Mitigating the reputational risks related to third parties can be particularly challenging, as your organization lacks direct control of the vendor’s network and systems. However, there are still a number of proactive steps your organization can take to defend itself against future reputational risks. 

1) Conduct Comprehensive Due Diligence

Proper due diligence is critical before your organization decides to embark on a new business relationship with a vendor. It should include the evaluation of your third party’s cybersecurity, operational controls, disaster recovery, and adherence to relevant compliance and regulations. 

Many organizations send a due diligence questionnaire to potential vendors. These questionnaires typically include questions about internal security policies, adherence to compliance standards, and background checks. The background checks often examine the vendor’s past financial and legal history, as well as current public sentiment about the company.

Once the third party is properly vetted and approved, the organization should then conduct regular third-party risk assessments to continuously evaluate these same risk factors to ensure that any risks are identified, categorized, and prioritized more effectively. 

2) Develop and Enforce Clear Vendor Contracts

Service Level Agreements (SLAs) must include the security practices the third party should adhere to, which include data protection, incident response, and breach notification, and expectations for security performance in the future such as incident response time in the event of an attack. It should also specifically state the compliance and regulations it adheres to, such as PCI-DSS, NIST CF, GDPR, or CCPA which deal with data protection, privacy, and the evaluation of security controls of third-party suppliers. Including these details in the SLAs helps protect the company in the event of a lawsuit and hold third parties accountable for their actions related to reputational risk. 

3) Implement Ongoing Monitoring Programs

The dynamic and evolving threat landscape combined with frequent updates to an organization’s IT infrastructure make it imperative for it to implement ongoing monitoring programs. Ongoing monitoring should include regular third-party risk assessments, continuous or real-time risk scoring of vendors, and the incorporation of automated tools and platforms such as security rating services (SRSes), compliance monitoring, threat intelligence tools, automated security questionnaires, and third-party risk management platforms that deliver real-time monitoring and alerts for potential risks. The tools should work together to monitor third-party performance, compliance status, and any changes in the risk profile of the third parties. 

4) Establish a Crisis Management Plan for Third-Party Incidents

The interconnectedness of the digital supply chain, increasing reliance on third parties (and their outsourcing of critical services to fourth and fifth parties) mean that it’s simply a matter of time before your organization experiences an attack that damages its reputation. You’ll need a rapid response plan and proper damage control measures in place for when these incidents occur along with communication strategies for informing the media, external stakeholders, and the relevant regulatory bodies to mitigate reputational fallout as much as possible. 

Best Practices for Building a Strong Third-Party Risk Management Program

While you can’t prevent all third-party risk, you can reduce it significantly with an effective third-party risk management program built on the foundation of best cybersecurity practices. 

The main steps of this program should include: 

  • Establish a risk management framework as a first step before investing in any risk management software or tools that address third-party reputational risk.  
  • Categorize vendors based on risk levels so that your security team knows which third-party reputational risks to prioritize.  
  • Regularly update and review risk management policies to ensure they are meeting the most current best practices and are in sync with the latest internal security policies of your organization regarding third parties. 
  • Employ collaboration across your organization that includes training, cultivating a culture of cybersecurity awareness, and knowledge of the latest threats to the organization and the best practices for defense against them. 

Establish a Risk Management Framework 

Before investing in risk management software and solutions, the CISO of an organization should first implement a risk management framework, a system the organization uses to defend itself from vendor risk  The exact framework should be determined based on a range of factors that include your organization’s risk appetite, industry, compliance requirements and reliance on third parties. Today the NIST CSF is one of the most widely adopted frameworks across organizations of all sizes and industries. Shared Assessments also have their own reputational risk framework that includes the evaluation of social capital (its perception by various stakeholders), performance capital (the quality, safety, and reliability of products and services), and organizational capital (how the organization’s culture influences its practices and systems).  

Categorize Vendors Based on Risk Levels

After identifying all third, fourth, and n-th parties in your supply chain, you’ll need to categorize the vendors based on the potential impact they have on your business if an issue arises. Risk management of the most critical vendors should have the highest priority. Traditional risk scoring is often used to evaluate the security posture of your organization, often relying on either security rating services (SRSes) or security questionnaires. However, they do not take into account the context of third-party adherence to your internal security requirements, which can in turn impact your security posture. More advanced cyber risk ratings also evaluate the security posture of your third parties at three levels: network and IT; application; and human. 

Regularly Update and Review Risk Management Policies

Since an organization’s internal security practices, networks, and systems are dynamic, it is critical for it to regularly assess its current approach to third-party reputational risk and consider adopting new policies that address evolving risk and regulatory changes. In addition, as both the threat and regulatory landscape continue to evolve, your organization needs to ensure that it proactively closes any security gaps third parties pose to defend against future attacks. 

Employ Collaboration Across Your Organization

A truly effective defense against reputational risk from third parties includes the collaboration of various internal stakeholders and different departments to foster a culture of third-party risk awareness. This might include continuous education of the best practices for cybersecurity, the different evolving threats, and how employees can report any suspicious behavior. It should also include training for continuous monitoring tools for security, IT, and third-party risk teams so that they are familiar with the process of receiving alerts, understand the level of potential risk for each alert, and how to respond to each accordingly. 

Mitigating Reputational Risks Through Third-Party Risk Management

As organizations onboard and offboard third parties regularly, their supply chain is increasingly at risk of potential reputational risk that impacts their brand. Panorays delivers a customized, scalable third-party risk management program that expedites the vendor onboarding process so that organizations can add and assess third parties in bulk to their supply chain. 

It also: 

  • Maps the threat landscape, evaluating the risk of each third party according to its Risk DNA and the business context of that relationship. 
  • Delivers accurate external assessments that evaluate human risks, recent breach history, vulnerabilities, and dependencies on AI technologies and prioritizes them as necessary. 
  • Promotes communication with internal and external teams within the application to remediate security gaps immediately, send incidence response questionnaires, and follow up with internal teammates. 
  • Provides the most accurate risk rating that includes both internal and external assessments, business impact, risk appetite, breach history, and AI-based risk prediction.
  • Continuous monitoring to detect early indications of breaches and vulnerabilities prioritized according to the level of third-party risk. 
  • Actionable remediation steps based on third-party criticality to close security gaps that pose the most risk to your organization. 

Want to learn more about how to identify, categorize and mitigate third-party reputational risk in your supply chain with Panorays? Get a demo today! 

Third-Party Reputational Risks FAQs