Third-party risk

Third-Party Risk for Organizations


The European NIS 2 Directive, the legal framework on cybersecurity for the Member States, requires organizations in sectors of high criticality and other critical sectors to include in their cybersecurity risk-management measures the obligation to monitor and assess third-party risk, in particular the security of their supply chain and of their relationships with their direct suppliers and service providers.

One of the main objectives of the NIS 2 Directive is to achieve a cascading effect in protection against cyber threats through this obligation on essential and important entities to monitor and assess third-party risk. In this way, the European Union recognizes the importance of extended cybersecurity strategies that keep an organization's value chain from becoming a significant threat that is impossible to control.

When the vulnerability is external

To stay safe and secure, organizations must consider every possible risk.

Vendors, partners, and other third parties with access to an organization’s sensitive systems and data can pose a significant risk to the organization’s cybersecurity. Cybercriminals can use third-party weaknesses to circumvent an organization’s cybersecurity strategy, access sensitive information, steal data, disrupt business operations, and more. For this reason, organizations must assess and manage their third parties’ cyber risk effectively throughout their business relationship to ensure security and continuity of operations in an increasingly interconnected environment.

This risk can come from outsourced services such as hosting, and from third parties that handle our data with their own technology, such as call centers or consultancies. Many companies also enter highly sensitive information into software such as a CRM. What happens if that CRM provider suffers a cyberattack? We must therefore know exactly who we are working with.

Why is it essential to control third-party risk?

Organizations often focus on the security of their own systems and data, i.e., their internal perimeter, and neglect the third-party systems that process their data and that form part of the organization's external attack surface.

As reports from Spain's National Cryptologic Centre (CCN) in recent years show, cyberattacks on third parties within the supply chain are an emerging threat, and the number of such attacks is expected to keep increasing in the near future.

These attacks aim to bypass the target company's prevention and detection controls by compromising a third party that already has access to its systems. Most companies do not control or validate their own suppliers or partners from a cybersecurity point of view. The few that do only assess this risk when starting the business relationship and do not reassess it afterwards.

Nth Parties: Beyond an Organization's Third Parties

Derived from third-party risk, there is the risk associated with so-called nth parties, over which an organization has even less control.

Nth parties are the value chain of an organization's third parties: fourth parties, fifth parties and so on, who have access to the systems and data of the original organization's suppliers and contractors, and thus indirectly to its own. This open-ended chain of dependencies adds great complexity to identifying and managing third-party risk. In addition, each nth party may have its own third parties and suppliers, further extending the supply chain and complicating the risk assessment.

The cascading effect in the adoption of effective cybersecurity strategies that the NIS 2 Directive seeks to achieve through control of the value chain is simply the way to counter the cascading effect in risk that any organization's value chain represents: a weakness several tiers upstream can propagate down to the organization itself.
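The cascade described above can be made concrete by modelling the supply chain as a directed graph and computing which of our direct suppliers are reachable from a weak nth party. The following is an added example, not code from the original article or from any product it mentions; the organization ("ACME"), the supplier names, the finding types and their weights are all constructed for illustration, and the findings stand in for the kind of externally observable signals a non-intrusive assessment might report.

```python
"""Transitive (nth-party) exposure over a supplier dependency graph.

Added example, not part of the original article. The organization, supplier
names, finding types and weights below are constructed for illustration.
"""
from collections import deque

# Directed edges: who depends on whom. ACME is "our" organization; its direct
# suppliers are third parties, their suppliers are fourth parties, and so on.
DEPENDENCIES = {
    "ACME":        ["CloudHost", "CRMVendor", "CallCenter"],
    "CloudHost":   ["DNSProvider", "CDNProvider"],
    "CRMVendor":   ["CloudHost", "EmailAPI"],
    "CallCenter":  ["CRMVendor"],
    "EmailAPI":    ["DNSProvider"],
    "DNSProvider": [],
    "CDNProvider": [],
}

# Constructed externally observable findings per party, with a weight per
# finding type (hypothetical values, not a real scoring standard).
FINDING_WEIGHTS = {
    "expired_tls_cert": 2,
    "exposed_admin_service": 5,
    "leaked_credentials": 8,
}
FINDINGS = {
    "DNSProvider": ["leaked_credentials"],
    "CDNProvider": ["expired_tls_cert"],
    "EmailAPI": ["exposed_admin_service"],
}


def tier_of_parties(org, deps):
    """Map every party reachable from `org` to its tier (1 = third party,
    2 = fourth party, ...). BFS keeps the shortest path, so a party that is
    both a direct and an indirect supplier is reported at the closest tier."""
    tiers = {}
    queue = deque((s, 1) for s in deps.get(org, []))
    while queue:
        party, tier = queue.popleft()
        if party in tiers:
            continue
        tiers[party] = tier
        for upstream in deps.get(party, []):
            queue.append((upstream, tier + 1))
    return tiers


def upstream_closure(party, deps):
    """All parties that `party` depends on, directly or transitively."""
    seen = set()
    stack = list(deps.get(party, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(deps.get(p, []))
    return seen


def own_score(party, findings, weights):
    """Weighted sum of the findings observed on the party itself."""
    return sum(weights[f] for f in findings.get(party, []))


def inherited_score(party, deps, findings, weights):
    """Own findings plus everything inherited from the upstream closure:
    a clean third party still carries the exposure of its own suppliers."""
    total = own_score(party, findings, weights)
    for p in upstream_closure(party, deps):
        total += own_score(p, findings, weights)
    return total


def affected_direct_suppliers(org, incident_party, deps):
    """Which of our direct (third-party) suppliers would be hit by an
    incident at `incident_party`, directly or through their own chain."""
    return sorted(
        s for s in deps.get(org, [])
        if s == incident_party or incident_party in upstream_closure(s, deps)
    )


if __name__ == "__main__":
    tiers = tier_of_parties("ACME", DEPENDENCIES)
    for party, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        own = own_score(party, FINDINGS, FINDING_WEIGHTS)
        inh = inherited_score(party, DEPENDENCIES, FINDINGS, FINDING_WEIGHTS)
        print(f"tier {tier}: {party:12s} own={own:2d} inherited={inh:2d}")
    print("direct suppliers affected by a DNSProvider incident:",
          affected_direct_suppliers("ACME", "DNSProvider", DEPENDENCIES))
```

In this constructed graph all three direct suppliers have no findings of their own, yet every one of them is reachable from the fourth-party DNS provider with leaked credentials, which is exactly the cascade the text describes: an assessment that looks only at the third party's own exposure would report all three as clean.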

How can third-party risk be reduced?

One of the most important recommendations for reducing this risk is to assess supplier risk: identifying weaknesses in a supplier that could pose a high risk to our own company.

According to various studies, the mechanisms companies use to determine their exposure to this kind of risk do not yield very encouraging results:

  • 83% of executives say third-party risk was identified after initial onboarding and due diligence had taken place.
  • There is a 67% chance of an attack through the supply chain.
  • 92% of companies do not implement any supplier risk management.
  • 70% contract with suppliers without prior security checks (60% also give them access to their systems).
  • 63% of security breaches originate from vendors.

Both suppliers and the services or products they provide that may pose a threat should be assessed before the business relationship starts, to identify risks. They must also be monitored and evaluated for the duration of the relationship for the cybersecurity strategy to be effective. Analyzing a supplier's risk does not guarantee that it will never suffer a security incident, since any entity can. It does, however, allow us to identify those entities that do not take even minimal security measures and are therefore more exposed to a cyberattack.
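The difference between assessing a supplier once at onboarding and monitoring it for the whole relationship can be shown on a constructed timeline. The following is an added example, not code from the original article or from any product it mentions: the supplier's observation dates, the findings at each date, their weights and the alert threshold are all invented for illustration, and the finding types stand in for the externally observable signals that a non-intrusive assessment could report.

```python
"""Onboarding-only assessment versus continuous monitoring of one supplier.

Added example, not from the original article. The observation dates,
findings, weights and threshold are constructed for illustration.
"""
from datetime import date

# Hypothetical weights per finding type (not a real scoring standard).
FINDING_WEIGHTS = {
    "expired_tls_cert": 2,
    "exposed_admin_service": 5,
    "leaked_credentials": 8,
}
ALERT_THRESHOLD = 5  # score above which the supplier review is re-opened

# Constructed timeline: what an external scan of the supplier's attack
# surface showed at each observation date. The supplier looked clean at
# onboarding and degraded afterwards.
OBSERVATIONS = [
    (date(2024, 1, 15), []),                                              # onboarding
    (date(2024, 4, 15), ["expired_tls_cert"]),
    (date(2024, 7, 15), ["expired_tls_cert", "exposed_admin_service"]),
    (date(2024, 10, 15), ["exposed_admin_service", "leaked_credentials"]),
]


def score(findings, weights=FINDING_WEIGHTS):
    """Weighted sum of the findings observed at one point in time."""
    return sum(weights[f] for f in findings)


def assess_at_onboarding(observations):
    """Point-in-time due diligence: only the first observation is ever seen,
    so nothing that happens later can raise an alert."""
    first_date, first_findings = observations[0]
    return {"as_of": first_date, "score": score(first_findings), "alerts": []}


def monitor_continuously(observations, threshold=ALERT_THRESHOLD):
    """Re-score on every observation and record what changed since the last
    one. An alert is raised when a new finding appears or the score exceeds
    the threshold, so a regression after onboarding is not silently missed."""
    alerts = []
    previous = set()
    for when, findings in observations:
        current = set(findings)
        new, resolved = current - previous, previous - current
        s = score(current)
        if new or s > threshold:
            alerts.append({
                "as_of": when,
                "score": s,
                "new": sorted(new),
                "resolved": sorted(resolved),
            })
        previous = current
    last_date, last_findings = observations[-1]
    return {"as_of": last_date, "score": score(last_findings), "alerts": alerts}


if __name__ == "__main__":
    once = assess_at_onboarding(OBSERVATIONS)
    print(f"onboarding only : score {once['score']} as of {once['as_of']}, "
          f"{len(once['alerts'])} alerts")
    cont = monitor_continuously(OBSERVATIONS)
    print(f"continuous      : score {cont['score']} as of {cont['as_of']}, "
          f"{len(cont['alerts'])} alerts")
    for a in cont["alerts"]:
        print(f"  {a['as_of']} score={a['score']:2d} "
              f"new={a['new']} resolved={a['resolved']}")
```

With this timeline the onboarding-only assessment reports a score of 0 and never changes, while continuous monitoring raises an alert at each of the three later observations and ends with a score of 13, reflecting the exposed administrative service and the leaked credentials that appeared after the relationship began.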

Latest technologies for third-party risk control

The emergence of technologies such as artificial intelligence and automation has given rise to XTI Cyber Intelligence solutions capable of issuing an assessment of the cybersecurity status of any supplier or partner, as well as evaluating it continuously and in real time for as long as the organization and the third party collaborate.

The advantages of incorporating an XTI Cyber Intelligence solution for the organization are:

  • It allows an objective assessment of risk that does not require human intervention.
  • It works non-intrusively, relying on externally observable information, so it does not require authorization from the third party; this makes it practical to assess third parties and nth parties alike.
  • It provides objective data on the third party's exposure and on the security weaknesses that cause it.
  • It allows continuous, real-time monitoring and analysis of third-party risk for the duration of the business relationship.
  • It gives the organization visibility into information that its value chain does not disclose.
  • It enables the organization to assess the risk of any nth party about which it has concerns.

This type of solution can be used to assess third-party and nth-party risk both for a specific operation and over a long-lasting business relationship. Because it runs continuously, it complements point-in-time methods such as pen-testing or due diligence, which only reflect the supplier's state on the day they are carried out. Bear in mind that an external, non-intrusive view covers only the supplier's exposed attack surface; it does not replace contractual security requirements, audits or evidence of the supplier's internal controls.


If you need to know more about third-party risk control and how to assess it thanks to the latest Cybersecurity and Cyber Intelligence solutions for continuous monitoring, you can download our Whitepaper Third-party risk: How to gain accuracy in the assessment.