Vendor vulnerabilities: Understanding third-party risk management

As businesses increasingly rely on third parties for essential services, strengthening vendor risk management practices has become critical to remaining resilient against cyber threats.

By: Navpreet Jatana, Huntington Chief Information Security Officer

Key takeaways

  1. Consolidating third-party vendor management can help organizations understand which agreements exist and what data is being shared with third parties.
  2. Building a strong incident response plan that specifically addresses third-party incidents can allow organizations to swiftly react to data breaches.
  3. Establishing a third-party risk management function or dedicated team can ensure consistency across the organization and enhance protections against risk.

Imagine discovering one of your vendors has suffered a data breach. Suddenly, despite all the cybersecurity controls you’ve put in place, your organization is exposed. It’s a tough reality, but not an uncommon one.

As businesses increasingly rely on third-party providers for every type of service, from cloud storage to customer management, the digital perimeter keeps expanding. This creates more opportunities, but it also means more risk and exposure. Recently, reported breaches involving a third party doubled from the prior year [1].

The answer is not to eliminate all reliance on third-party vendors. Instead, companies should endeavor to understand their third-party risks, strengthen risk management practices to build resiliency, and build a sustainable third-party risk management framework. This article provides an overview of third-party risk management, of proactively protecting against incidents, and of best practices to mitigate cyber and fraud risk.

How third-party risk impacts businesses

Third-party risk refers to the potential disruptions, losses, and security vulnerabilities that arise from outsourcing business operations to external entities. These entities include vendors, service providers, or suppliers that have access to your data, systems, or processes.

Data responsibility represents one such third-party risk: When your company shares data with third parties, you retain responsibility for its security. If a vendor experiences a data breach that exposes a company’s data, that company may be liable and face consequences, including notification requirements, legal and financial penalties, operational disruption, reputational damage, and costs for investigation and mitigation.

It’s important to note that cybersecurity risk associated with third parties isn’t limited to your vendors. Secondary entities – vendors your primary vendor relies on (i.e., 4th and 5th parties) – also present risk. If one of those secondary entities suffers a security breach, it could unexpectedly introduce risk into your environment.

Building resiliency through third-party risk management

Third-party risk management begins with understanding the vendor landscape within your organization, a challenging task. Often, companies have multiple contracts with multiple vendors, sometimes even multiple contracts with the same vendor, making it difficult to truly understand what information is being released.

Though not easy, organizations should consider prioritizing a centralized vendor management system. A unified system that brings together vendor-related information and controls allows companies to see a full picture of their third-party relationships and what data is being sent to them.

Other components of a third-party risk management program include, but are not limited to:

  • Role-based access controls to limit vendor access to only required data and systems.
  • Standardized procedures for creating, approving, and managing vendor contracts.
  • Vendor assessment processes to verify the overall health of the vendor, including its cybersecurity practices.
  • Continuous monitoring and reassessment of existing vendor relationships.
  • Strict guidelines for vendors to dispose of data, credentials, and other sensitive information after a relationship has ended.

The role of incident response plans in third-party risk management

When cyber incidents inevitably occur with a vendor, how a company responds is crucial. An incident response plan, part of a broader overall business continuity strategy, can help guide an organization’s response to third-party breaches.

The top four considerations for creating your incident response plan:

  1. Clearly define the roles, responsibilities, and procedures for handling third-party security incidents.
  2. Outline specific steps to isolate breaches and mitigate damage, focusing on quickly containing any security lapses or vulnerabilities.
  3. Involve stakeholders across the organization, including IT, executive leaders, and communication teams, in developing, approving, and practicing this plan.
  4. The cyber threat landscape is constantly evolving. An organization’s incident response plan should be regularly updated to address new threats and incorporate lessons learned from past incidents.

These plans should not be static. Best practice includes conducting regular tabletop exercises with all stakeholders that simulate vendor security breaches to test responses. After each exercise, use insights gained to refine the incident response strategies.

Best practices to help mitigate third-party risk

Employee training and awareness

Employees play a critical role in maintaining cybersecurity in your organization. Last year, 60% of reported breaches involved the “human element” [1]. Provide training to educate employees about the risks associated with third-party vendors and their role in preventing and responding to security events.

Third-party security audits

Schedule periodic security audits to evaluate the cybersecurity measures of third-party vendors, then use the results to identify and address discrepancies or vulnerabilities.

Vulnerability management

Threat actors can exploit vulnerabilities, or security weaknesses, in networks, software, operating systems, and equipment – and they do, often. Last year, 20% of breaches began with attackers exploiting known vulnerabilities, highlighting how skipping patches can open the door to serious risk [1]. Managing vulnerabilities is one way organizations can help prevent malicious access through compromised vendor software or systems.

Regulatory compliance

Ensure your company and its vendors adhere strictly to the regulations that apply to them, to avoid legal and reputational risks, especially if your organization is beholden to additional regulatory standards.

Dedicated third-party management team

Establishing a dedicated third-party risk management program or team can further help organizations centralize oversight of vendor, supplier, and other third-party relationships. Bringing this responsibility into one place can help enhance the effectiveness of risk management strategies and ensure compliance with security standards.

Managing risk from vendors, suppliers, and other third parties

Businesses will continue to rely on third parties to access specialized expertise, reduce costs, and enhance efficiencies. As this reliance grows, so do the risks associated with it. However, organizations can help mitigate risks by holding their vendors to the same security standards they follow, building a strong incident response plan, and dedicating a team to protecting against threats.

Huntington can support you with the insights, resources, and expertise needed to develop a strong cybersecurity and fraud risk strategy. Explore our cybersecurity and fraud resources, then contact your relationship manager to learn how Huntington can help you protect your employees and your business.


[1] Verizon. 2025. “2025 Data Breach Investigations Report.” Accessed October 16, 2025.
