Ensuring trust in third-party due diligence


Summary

Ensuring trust in third-party due diligence means thoroughly assessing and monitoring vendors, suppliers, and partners to make sure they meet your organization’s expectations for safety, compliance, and reliability. This process helps prevent financial, legal, and reputational risks that can arise when relying on outside parties for business-critical tasks.

  • Clarify accountability: Assign clear roles and responsibilities to both internal teams and third-party partners to avoid confusion and ensure everyone knows who is responsible for what.
  • Monitor continuously: Track vendor performance and risk in real time rather than relying on one-time reviews, so you can quickly address new threats or compliance issues as they emerge.
  • Document everything: Keep thorough records of assessments, contracts, and communications to provide a clear audit trail and demonstrate your commitment to due diligence if questioned by regulators.
Summarized by AI based on LinkedIn member posts
  • View profile for Nur Imroatun Sholihat

    Learning IT and auditing? Let's do it together

    7,890 followers

    The IIA has released the Third-Party Topical Requirement. It sets a clear baseline for how internal auditors must assess risks linked to vendors, suppliers, contractors, and even downstream partners.

    Why does this matter? Because working with third parties always comes with risks: strategic, operational, reputational, financial, legal, cyber, and even sustainability. When they fail, your organization suffers.

    The key reminder: Outsourcing the work does not mean outsourcing accountability. The primary organization always owns the risk.

    The requirement covers three big areas:
    ↳ Governance: Is there a formal approach, clear roles, policies, and timely reporting on third-party performance and risks?
    ↳ Risk management: Are risks identified, prioritized, and reviewed regularly with proper responses and escalation processes?
    ↳ Controls: Is there due diligence, strong contracts, onboarding, ongoing monitoring, incident management, and structured offboarding?

    Actionable Insights:
    ↳ Treat third-party risks as part of your risk universe.
    ↳ Don’t just rely on contracts. Test how effective monitoring and escalation processes really are.
    ↳ Keep an updated inventory of all third-party relationships. It sounds basic, but many organizations miss this.
    ↳ Make sure third-party offboarding includes revoking access and securing sensitive data.

    Reference: Third-Party Topical Requirement. 2025. The Institute of Internal Auditors, Inc (link to download in the comments)

    #internalaudit #ITaudit #digitaltransformation

  • View profile for Patrick Sullivan

    VP of Strategy and Innovation at A-LIGN | TEDx Speaker | Forbes Technology Council | AI Ethicist | ISO/IEC JTC1/SC42 Member

    10,202 followers

    ☢️Manage Third-Party AI Risks Before They Become Your Problem☢️

    AI systems are rarely built in isolation as they rely on pre-trained models, third-party datasets, APIs, and open-source libraries. Each of these dependencies introduces risks: security vulnerabilities, regulatory liabilities, and bias issues that can cascade into business and compliance failures. You must move beyond blind trust in AI vendors and implement practical, enforceable supply chain security controls based on #ISO42001 (#AIMS).

    ➡️Key Risks in the AI Supply Chain
    AI supply chains introduce hidden vulnerabilities:
    🔸Pre-trained models – Were they trained on biased, copyrighted, or harmful data?
    🔸Third-party datasets – Are they legally obtained and free from bias?
    🔸API-based AI services – Are they secure, explainable, and auditable?
    🔸Open-source dependencies – Are there backdoors or adversarial risks?
    💡A flawed vendor AI system could expose organizations to GDPR fines, AI Act nonconformity, security exploits, or biased decision-making lawsuits.

    ➡️How to Secure Your AI Supply Chain
    1. Vendor Due Diligence – Set Clear Requirements
    🔹Require a model card – Vendors must document data sources, known biases, and model limitations.
    🔹Use an AI risk assessment questionnaire – Evaluate vendors against ISO42001 & #ISO23894 risk criteria.
    🔹Ensure regulatory compliance clauses in contracts – Include legal indemnities for compliance failures.
    💡Why This Works: Many vendors haven’t certified against ISO42001 yet, but structured risk assessments provide visibility into potential AI liabilities.

    2. Continuous AI Supply Chain Monitoring – Track & Audit
    🔹Use version-controlled model registries – Track model updates, dataset changes, and version history.
    🔹Conduct quarterly vendor model audits – Monitor for bias drift, adversarial vulnerabilities, and performance degradation.
    🔹Partner with AI security firms for adversarial testing – Identify risks before attackers do. (Gemma Galdon Clavell, PhD, Eticas.ai)
    💡Why This Works: AI models evolve over time, meaning risks must be continuously reassessed, not just evaluated at procurement.

    3. Contractual Safeguards – Define Accountability
    🔹Set AI performance SLAs – Establish measurable benchmarks for accuracy, fairness, and uptime.
    🔹Mandate vendor incident response obligations – Ensure vendors are responsible for failures affecting your business.
    🔹Require pre-deployment model risk assessments – Vendors must document model risks before integration.
    💡Why This Works: AI failures are inevitable. Clear contracts prevent blame-shifting and liability confusion.

    ➡️ Move from Idealism to Realism
    AI supply chain risks won’t disappear, but they can be managed. The best approach?
    🔸Risk awareness over blind trust
    🔸Ongoing monitoring, not just one-time assessments
    🔸Strong contracts to distribute liability, not absorb it

    If you don’t control your AI supply chain risks, you’re inheriting someone else’s. Please don’t forget that.

  • View profile for Brian Levine

    Cybersecurity & Data Privacy Leader • Founder & Executive Director of Former Gov • Speaker • Former DOJ Cybercrime Prosecutor • NYAG Regulator • Civil Litigator • Posts reflect my own views.

    14,737 followers

    A recent $10M settlement with the Federal Trade Commission (FTC) demonstrates that although it can be reasonable for organizations to rely on third parties to handle compliance issues, it is still the organization's responsibility to provide the third party with sufficient accurate information for the third party to get compliance right. See https://lnkd.in/eMCN9Vtn.

    In this case, a major entertainment company faced allegations of violating the Children’s Online Privacy Protection Rule (COPPA) by mislabeling child-directed videos on a popular platform. The mislabeling enabled unlawful data collection from children under 13, triggering targeted advertising and exposure to age-inappropriate features. Despite platform-level warnings and prior enforcement actions, the company continued to rely on default settings and failed to review individual content classifications—ultimately leading to regulatory penalties and mandated reforms.

    This case underscores a critical lesson: outsourcing compliance tasks does not outsource accountability. Here are key tips for organizations relying on third parties for compliance:
    ✅ Provide Accurate, Timely Information – Third parties can’t ensure compliance if they’re working with incomplete or outdated data.
    ✅ Clarify Roles and Responsibilities – Ensure contracts and workflows explicitly define who is responsible for what—and when.
    ✅ Avoid Blanket Defaults – One-size-fits-all settings (like channel-level designations) may be convenient but can lead to systemic errors.
    ✅ Monitor and Audit Regularly – Establish review protocols to catch misclassifications or lapses before regulators do.
    ✅ Respond to Warnings Promptly – If a platform flags issues, treat it as a compliance issue—not a suggestion.
    ✅ Train Internal Teams – Even if external vendors handle execution, internal staff must understand the compliance landscape.
    ✅ Document Everything – Maintain records of decisions, communications, and updates to demonstrate diligence.
    ✅ Stay Ahead of Tech Shifts – Emerging tools like age assurance technologies may reshape compliance expectations—be proactive, not reactive.
    ✅ Learn from Enforcement Trends – Regulatory actions offer a roadmap of what not to do. Use them to strengthen your own practices.

    Compliance is a shared responsibility. Don't just assume the third party will always get it right!

  • View profile for Linda Tuck Chapman (LTC)

    CEO Third Party Risk Institute™ TPRM Certifications & Certificate Programs Author Strategic Risk Advisor

    22,592 followers

    What Defines a Strong TPRM Strategy in 2025? 🤔

    A mature TPRM program in 2025 isn’t just about checking boxes, it’s about building a defensible, risk-based framework that withstands scrutiny from regulators, auditors, and internal stakeholders alike. As regulatory expectations evolve globally, the benchmark for "compliance" is increasingly tied to demonstrable, ongoing due diligence, monitoring, and governance. Here’s what that looks like in practice:

    Key Pillars of a TPRM Strategy
    1. Centralized Third Party Inventory: Maintain a dynamic inventory of all third parties, with visibility into their services, access to systems/data, and criticality to business operations.
    2. Risk-Based Segmentation: Classify vendors by risk tiers (e.g., critical, high, moderate, low) based on the sensitivity of data and impact on operations. This enables proportional oversight.
    3. Standardized Due Diligence and Risk Assessments: Use consistent, framework-aligned assessments (e.g., NIST CSF, ISO 27001, SIG questionnaires) for onboarding and periodic reviews. Tailor depth and frequency to risk level.
    4. Continuous Monitoring: Leverage technology (e.g., security ratings, threat intelligence, performance dashboards) to track vendor health in real time, not just point-in-time reviews.
    5. Strong Contractual Controls: Embed clear requirements in contracts around data protection, right to audit, breach notifications, and fourth-party oversight. Contracts are your enforcement tool.
    6. Incident Response and Contingency Planning: Include third parties in your incident response playbooks. Simulate breach scenarios to test coordination, escalation, and communication processes.
    7. Cross-Functional Ownership and Governance: Engage legal, procurement, cybersecurity, and business unit leaders throughout the lifecycle. Risk ownership must be shared, not siloed.

    To demonstrate that your program is more than just policy on paper:
    - Documentation – Keep detailed records of risk assessments, remediation plans, monitoring reports, and vendor interactions.
    - Audit Trails – Ensure transparency in decision-making: how vendors are approved, how exceptions are granted, and how issues are addressed.
    - Performance Metrics – Track and report KPIs (e.g., % of vendors with updated risk reviews, average remediation time) to show continuous improvement.
    - Regulatory Mapping – Align your TPRM framework to applicable regulations (e.g., OCC, DORA, EBA, MAS), and document how requirements are being met.
    - Board Reporting – Periodically update senior management and the Board on third-party risk exposure, residual risk, and mitigation actions.

    In 2025, "being compliant enough" means being able to show that your TPRM program is consistent, risk-aligned, and operationalized. It’s not about perfection, it’s about visibility, defensibility, and accountability.

    #2025 #riskmanagement #riskassessment #regulations #compliance #occ #3prm #boardreporting #businessrisk #residualrisk #riskmitigation #tprm

  • View profile for Hemang Doshi

    Next100 CIO Awardee, IT Leadership, Building Resilient Global Infrastructures, Cyber Security, Audit Compliance, Cloud, Digital Transformation, Technology AI Evangelist, Strategic Planning, P&L Owner

    8,996 followers

    Third-Party Risk: The Hidden Cybersecurity Battlefield in Modern Supply Chains

    In our interconnected digital ecosystem, your security posture is only as strong as your weakest vendor. Modern enterprises rely on 100s of third-party vendors, creating an exponentially expanding attack surface. Supply chain attacks have become the preferred vector for sophisticated threat actors. Instead of targeting well-defended enterprises directly, attackers exploit vulnerabilities in trusted vendors to simultaneously breach hundreds of downstream organizations.

    Game-Changing Examples
    SolarWinds (2020): Compromised software updates affected 18,000+ customers including Fortune 500 companies and government agencies, demonstrating how a single vendor breach cascades across entire sectors.
    MOVEit (2023): A single vulnerability led to data breaches affecting over 600 organizations globally, showcasing the massive scale of modern supply chain impacts.

    Why Third-Party Risk Monitoring is Critical
    Continuous Visibility: Traditional annual assessments are insufficient. Organizations need real-time monitoring of vendor security posture, breach notifications, and compliance status changes.
    Risk Amplification: When attackers target managed service providers or software vendors, the impact multiplies across all their clients. One compromised vendor can expose thousands of organizations simultaneously.
    Regulatory Liability: With GDPR, CCPA, and emerging supply chain regulations, organizations face increasing liability for third-party security failures. Proactive monitoring demonstrates due diligence.

    Building Effective Defense
    Continuous Assessment: Implement real-time vendor risk scoring across your entire ecosystem
    Zero Trust Extension: Apply least-privilege access controls to all third-party connections
    Incident Response Integration: Ensure your IR plans account for vendor breaches with clear communication protocols
    Contractual Protection: Update vendor agreements with security requirements and liability provisions

    The Bottom Line
    Organizations can no longer treat vendor risk as a procurement afterthought. The question isn't whether your supply chain will be targeted — it's whether you'll detect and respond effectively when it happens. The strongest security programs extend beyond organizational boundaries to create defensible ecosystems, not just defensible enterprises.

    #ThirdPartyRisk #TRPM #SupplyChainAttack #CyberSecurity

  • View profile for Troy Fine

    Co-founder Fine Assurance | SOC 2 | Cybersecurity Compliance

    38,460 followers

    A SOC 2 report was never intended to be the only information and documentation third party risk management teams needed in order to assess third party risk. It was also never intended to replace other procedures TPRM teams complete as part of assessing risk such as sending security questionnaires.

    A SOC 2 report is intended to assist TPRM teams in assessing third party risk by providing them with a report covering a third party’s internal controls over security, availability, confidentiality, processing integrity, and/or privacy, issued by an independent CPA firm.

    If you are a small company without personnel dedicated to performing TPRM tasks, then I definitely see SOC 2 reports playing a much bigger role in the TPRM process. As companies scale and hire personnel responsible for GRC and security, SOC 2 becomes more of a tool to assist these teams with assessing third party risk.

    Anybody claiming or selling SOC 2 reports as a silver bullet for closing deals faster without any type of other due diligence doesn’t understand third party risk management or SOC 2 reports. However, the hope is that TPRM teams are leveraging SOC 2 reports to reduce the amount of other due diligence they perform, assuming they are satisfied with the quality and content of the report. But even if they are satisfied with the SOC 2 report, they still may do all the same due diligence regardless.

    Having said this, TPRM teams doing third party risk management the right way should be using criteria to assign a security risk rating to third parties before they perform due diligence. Third parties presenting a high security risk to the company should require more due diligence than ones presenting a low risk. All of this plays a factor in how TPRM teams will rely on SOC 2 reports as part of their due diligence.

    If you are curious about how TPRM teams are using your SOC 2 report as part of due diligence, after you win the deal, ask them: “Is there any other information you would like to see in our SOC 2 report going forward that will make it easier for your team to perform due diligence over us in the future, if necessary?” You might receive no response or you might be pleasantly surprised.

  • View profile for Mayank Vatsal

    GRC, Data Security and Privacy Executive | Simplifying AI Risk | Ex-NAB, EY, PwC | Driving Resilient Security & Regulatory Excellence

    5,177 followers

    Continuous Monitoring in TPRM: Why We Need to Stop Relying on “Set It and Forget It” Due Diligence

    As risk professionals, we’ve all seen it happen: we onboard a vendor, conduct rigorous due diligence, check all the boxes, and then… move on. Maybe we run an annual review if we’re diligent (pun intended). But here’s the truth: relying solely on initial or periodic due diligence is like getting a health checkup once a year and ignoring your diet and exercise in between.

    The reality is, vendor risk evolves continuously—cyber threats, regulatory shifts, and even a vendor’s internal changes can happen in real-time. That’s why continuous monitoring isn’t just a “nice to have”; it’s essential. It fills the gap between those initial checkups and ensures we catch emerging risks before they become our problems.

    So, how can we implement continuous monitoring without making it a resource-draining nightmare? Here are three practical steps:
    1. Leverage Automated Risk Monitoring Tools: Tools that track third-party cyber hygiene, financial stability, and compliance in real-time are your first line of defense. Set up alerts that notify you when there are significant changes—like a drop in security posture or legal action against a vendor. No more manually chasing after the latest reports!
    2. Integrate Continuous Monitoring Into Your Vendor Management Processes: Make continuous monitoring part of your day-to-day risk management workflow. Incorporate monitoring results into quarterly vendor reviews, and use the insights to adjust your risk mitigation strategies on the fly. If the data says a vendor’s risk has changed, you should change your approach.
    3. Monitor Key Risk Indicators (KRIs): Define specific KRIs for each critical vendor. Whether it’s financial health, cybersecurity metrics, or changes in leadership, continuously track these indicators to assess risk levels in real time. Not all vendors need the same level of scrutiny, so tier them accordingly and focus your attention where it’s needed most.

    Remember, continuous monitoring doesn’t mean adding more work—it means working smarter. It gives you the visibility to manage risk dynamically, not reactively. And in a world where risks are constantly evolving, that’s the peace of mind we all need.

    #TPRM #ContinuousMonitoring #RiskManagement #CyberSecurity #VendorRisk #GRC #RealTimeRisk SecGenX
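    The KRI alerting described in steps 1 and 3 of the post above, as an added worked example in Python that is not code from the post or from any monitoring product: it replays a constructed feed of vendor monitoring observations against per-indicator rules (a floor, a significant drop between checks, or any new event such as legal action) and routes each alert according to the vendor's tier, so the critical vendors get attention first. The indicator names, thresholds, vendor names, tiers and escalation labels are all assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    day: str         # ISO date of the monitoring check (constructed sample data)
    vendor: str
    indicator: str   # which key risk indicator this reading belongs to
    value: float     # rating on a 0-100 scale, or count of new events since the last check


@dataclass(frozen=True)
class Alert:
    day: str
    vendor: str
    indicator: str
    reason: str
    escalation: str


# KRI rules (assumed thresholds): numeric indicators alert when they fall below a
# floor or drop sharply between two checks; event indicators alert on any new event.
KRI_RULES: Dict[str, Dict[str, float]] = {
    "security_rating":   {"floor": 70, "max_drop": 10},
    "financial_health":  {"floor": 50, "max_drop": 15},
    "legal_action":      {"event": 1},
    "leadership_change": {"event": 1},
}

# Vendor tiers and the escalation path per tier are constructed for the example.
VENDOR_TIER = {"payroll-saas": "Critical", "msp-helpdesk": "High", "swag-printer": "Low"}
ESCALATION = {"Critical": "page-risk-owner", "High": "ticket-24h",
              "Medium": "weekly-review", "Low": "log-only"}


def evaluate(observations: List[Observation]) -> List[Alert]:
    """Replay observations in date order and emit an alert for each significant change."""
    last: Dict[Tuple[str, str], float] = {}   # most recent value per (vendor, indicator)
    alerts: List[Alert] = []
    for obs in sorted(observations, key=lambda o: o.day):   # stable sort keeps same-day order
        rule = KRI_RULES.get(obs.indicator)
        if rule is None:
            continue                                          # unknown KRI: ignore it
        key = (obs.vendor, obs.indicator)
        prev: Optional[float] = last.get(key)
        reason: Optional[str] = None
        if "event" in rule:
            if obs.value > 0:
                reason = f"{int(obs.value)} new {obs.indicator} event(s)"
        elif obs.value < rule["floor"]:
            reason = f"{obs.indicator} {obs.value:g} below floor {rule['floor']:g}"
        elif prev is not None and prev - obs.value >= rule["max_drop"]:
            reason = f"{obs.indicator} dropped {prev - obs.value:g} points since last check"
        if reason is not None:
            tier = VENDOR_TIER.get(obs.vendor, "Medium")      # unknown vendors: middle tier
            alerts.append(Alert(obs.day, obs.vendor, obs.indicator, reason, ESCALATION[tier]))
        last[key] = obs.value
    return alerts


# Constructed monitoring feed covering the three cases the post calls out.
SAMPLE_FEED = [
    Observation("2025-08-01", "payroll-saas", "security_rating", 88),
    Observation("2025-08-15", "payroll-saas", "security_rating", 85),   # small dip: no alert
    Observation("2025-09-01", "payroll-saas", "security_rating", 72),   # sharp drop: alert
    Observation("2025-09-01", "swag-printer", "financial_health", 45),  # below floor: alert
    Observation("2025-09-10", "payroll-saas", "legal_action", 1),       # new lawsuit: alert
    Observation("2025-09-10", "msp-helpdesk", "leadership_change", 0),  # nothing new: no alert
]

if __name__ == "__main__":
    for a in evaluate(SAMPLE_FEED):
        print(f"{a.day} {a.vendor:<14} {a.escalation:<16} {a.reason}")
```

    Keeping the thresholds in a table rather than in code is deliberate: the review cadence and the alert sensitivity are risk decisions that a TPRM owner should be able to tune per tier without touching the evaluation logic.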

  • View profile for Craig Sekowski

    Sr. Managing Partner, Co-Founder of the CARE-Report & CYBERRISKIQ | Fintech, Cyber Security, CyberInsurance Assessments, IoT, AI Ops

    11,379 followers

    Navigating Third-Party Risk Management with the CARE-Report

    In today's interconnected business landscape, third-party relationships introduce both opportunities and risks. Cyber threats, operational disruptions, and compliance challenges can escalate quickly if companies lack a structured approach to managing third-party risks. Enter the CARE-Report—a robust assessment framework designed to guide organizations through effective CyberInsurance and Cybersecurity, offering insights such as Third-Party Risk Management (TPRM). With clear recommendations for incident response plans, cyber incident playbooks, and a systemic approach to risk mitigation, companies can fortify their resilience and safeguard critical operations.

    Here’s how organizations can leverage the CARE-Report to strengthen their TPRM strategy:
    ✅ Incident Response Plans – Prepare for the unexpected by developing clear, actionable response protocols for cyber incidents, supply chain disruptions, and compliance failures. These plans should integrate third-party coordination to ensure swift containment and recovery.
    🛠️ Cyber Incident Playbooks – Build playbooks that outline key response steps for various threat scenarios, including ransomware attacks, data breaches, and vendor compromise incidents. Having predefined workflows ensures rapid decision-making under pressure.
    🔍 A Systemic Approach – Move beyond reactive strategies by embedding third-party risk management into core business operations. A risk-tiering model helps prioritize vendors based on their potential impact, while continuous monitoring tools enhance real-time visibility into third-party security postures.
    💡 The CARE-Report serves as more than just a checklist—it provides a strategic roadmap for organizations aiming to foster trust, compliance, and operational resilience in an ever-evolving threat landscape.

    Are you integrating a structured third-party risk management framework into your operations? Let’s discuss how proactive strategies can make a difference!

    #ThirdPartyRiskManagement #CyberSecurity #CAREReport #RiskResilience

  • View profile for Bob Fabien "BZ" Zinga

    Trusted Cybersecurity Executive | Servant Leader | Boardroom Strategist | Navy Commander | Coach | C|CISO · CISSP · MBA | LinkedIn Top 3% worldwide | Ranked #1 US Content Creator for #GlobalLeaders & #RiskandResilience

    34,308 followers

    🚢 From the Bridge to the Boardroom: Leading a World-Class Third-Party Risk Management Program

    In the US Navy, we have a saying: “Trust, but verify.” Whether you’re standing watch in the Combat Information Center or negotiating with a new tech vendor, the principle is the same — your mission’s success depends on the reliability of your partners.

    In my leadership journey — from commanding cyber defense units to serving as CISO — I’ve seen how Third-Party Risk Management (TPRM) can either safeguard your mission or sink it. The recent ProcessUnity Third-Party Risk Management Best Practices guide reminded me that great TPRM leadership isn’t just about ticking compliance boxes — it’s about building a living system that:
    1️⃣ Keeps Risk Out from the Start – Conduct inherent risk assessments before you sign the contract. Tier vendors (Low, Medium, High, Critical) based on operational, security, compliance, and financial factors.
    2️⃣ Monitors Continuously, Not Just Annually – Use residual risk scores to set review cadences. High-risk vendors? Review at least annually. Lower-risk vendors? Adjust frequency to conserve resources without sacrificing vigilance.
    3️⃣ Documents & Automates for Consistency – Mature programs replace spreadsheets with automation to track onboarding, due diligence, and SLA performance. Smart, self-scoring questionnaires help you focus on the issues that matter most.
    4️⃣ Integrates External Intelligence – Cybersecurity ratings, financial health scores, AML checks, ESG ratings — these serve as your “virtual watchstanders” between formal reviews.
    5️⃣ Drives ROI, Not Just Risk Reduction – Weed out underperformers, negotiate better terms, and transform your TPRM program from a cost center to a strategic advantage.

    💡 Leadership takeaway: Whether you’re leading a warfighting command or a security engineering team, the fundamentals are the same: define the process, enforce accountability, and build trust through verification.

    📣 Over to you: If you had to improve ONE aspect of your vendor risk management today, what would it be? How do you balance speed-to-contract with thorough due diligence in your role? Let’s learn from each other. The threats are evolving — our leadership in risk management must evolve faster.

    #Leadership #Cybersecurity #RiskManagement #NavyToSiliconValley #ThirdPartyRisk #TPRM #VendorManagement #ServantLeadership
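    The risk-based segmentation and program KPIs from Linda Tuck Chapman's post (pillars 1 and 2, and the "% of vendors with updated risk reviews" and "average remediation time" metrics) and the inherent-risk tiering and residual-risk review cadences from the post above, as one added worked example in Python that is not code from either post or from ProcessUnity: it scores a small constructed vendor inventory, assigns an inherent tier for onboarding, derives each vendor's review cadence from the residual score, flags overdue reviews, and computes the two KPIs. The scoring scales, tier thresholds, cadence lengths, vendor names and findings are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Scoring scales, tier thresholds, review cadences and all vendor data below are
# assumptions constructed for this example, not values from any standard or post.


@dataclass
class Finding:
    opened: date
    closed: Optional[date] = None     # None while remediation is still open


@dataclass
class Vendor:
    name: str
    data_sensitivity: int     # 1 public data .. 4 regulated / personal data
    operational_impact: int   # 1 negligible .. 4 business-critical service
    system_access: int        # 1 no access .. 4 privileged / production access
    control_strength: int     # 0 no evidence .. 3 independently audited controls
    last_review: Optional[date]
    findings: List[Finding] = field(default_factory=list)


TIERS = [(10, "Critical"), (8, "High"), (6, "Medium"), (0, "Low")]   # score >= threshold
CADENCE_DAYS = {"Critical": 90, "High": 180, "Medium": 365, "Low": 730}


def inherent_score(v: Vendor) -> int:
    """Inherent risk: exposure created by the relationship before any controls (3..12)."""
    return v.data_sensitivity + v.operational_impact + v.system_access


def tier_for(score: int) -> str:
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "Low"


def inherent_tier(v: Vendor) -> str:
    """Tier that sets onboarding depth; decided before the contract is signed."""
    return tier_for(inherent_score(v))


def residual_score(v: Vendor) -> int:
    """Residual risk: inherent score less evidenced control strength, floored at 1."""
    return max(inherent_score(v) - v.control_strength, 1)


def review_cadence_days(v: Vendor) -> int:
    """Review frequency follows the residual tier, so evidenced controls earn a longer cycle."""
    return CADENCE_DAYS[tier_for(residual_score(v))]


def review_overdue(v: Vendor, today: date) -> bool:
    if v.last_review is None:
        return True                   # never reviewed counts as overdue
    return today - v.last_review > timedelta(days=review_cadence_days(v))


def overdue_reviews(vendors: List[Vendor], today: date) -> List[str]:
    return [v.name for v in vendors if review_overdue(v, today)]


def program_kpis(vendors: List[Vendor], today: date) -> Dict[str, float]:
    """The two KPIs named in the post: share of reviews current, average remediation time."""
    current = sum(1 for v in vendors if not review_overdue(v, today))
    closed = [f for v in vendors for f in v.findings if f.closed is not None]
    open_count = sum(1 for v in vendors for f in v.findings if f.closed is None)
    avg_days = sum((f.closed - f.opened).days for f in closed) / len(closed) if closed else 0.0
    return {
        "pct_reviews_current": round(100.0 * current / len(vendors), 1),
        "avg_remediation_days": round(avg_days, 1),
        "open_findings": open_count,
    }


TODAY = date(2025, 9, 1)
SAMPLE_VENDORS = [   # constructed inventory
    Vendor("payroll-saas", 4, 4, 3, 3, date(2025, 7, 15),
           [Finding(date(2025, 3, 1), date(2025, 4, 10))]),
    Vendor("msp-helpdesk", 3, 3, 4, 1, date(2025, 1, 10),
           [Finding(date(2025, 6, 1))]),                     # still open
    Vendor("swag-printer", 1, 1, 1, 0, None),                # never reviewed
]

if __name__ == "__main__":
    for v in SAMPLE_VENDORS:
        print(f"{v.name:<14} inherent={inherent_tier(v):<9} residual={residual_score(v):>2} "
              f"cadence={review_cadence_days(v):>3}d overdue={review_overdue(v, TODAY)}")
    print("overdue:", overdue_reviews(SAMPLE_VENDORS, TODAY))
    print("kpis:", program_kpis(SAMPLE_VENDORS, TODAY))
```

    Note the split the post draws: the inherent tier decides how much due diligence to do before signing, while the residual tier, which credits controls the vendor has actually evidenced, decides how often to come back. A vendor with strong audited controls therefore drops from a Critical onboarding tier to a 180-day review cycle, whereas a vendor with the same exposure and little evidence stays on a shorter cycle.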

  • View profile for Manisha Ghosh

    AI GOVERNANCE & INFORMATION SECURITY MANAGEMENT SYSTEMS | Certified ISO/IEC 42001 | EU AI ACT | NIST AI RMF | Certified Lead Auditor & Trainer ISO/IEC 27001 ISO 9001 | CISA & CMMI ATM | Certified ISO/IEC 17021, 17011

    3,596 followers

    Third-party #security #risk assessment is crucial to maintaining trustworthy and secure relationships with a #vendor, partner, client, contractor, consultant, intermediary or service provider. This is normally done by a comprehensive evaluation of the security posture of the #thirdparty.

    Steps that can be taken include:
    Firstly, #identify all third parties your organization interacts with.
    Make a detailed security #questionnaire to assess their security practices. Ideally, the questions should be based on the industry best practices and aligned with the internationally accepted security #standards or #frameworks.
    Ask for #reports and #certifications from third parties that substantiate the real-time risk intelligence activities that they perform like security #incidentmanagement, #penetration testing, #vulnerability scans, etc.
    Review their security #policies.
    After you receive all data, #analyze and see whether it all matches with your organization’s security standards.
    Discuss findings transparently with stakeholders.
    Take informed decisions whether to accept the risk, create an addendum, or reject the third party.

    #thirdpartyriskassessment #vendorselection #supplierevaluation
