Strengthening Third-Party Cybersecurity Risk Management
- Katarzyna Celińska
- 2 days ago
A newly published research report: “Strengthening the Management of Third-Party Cybersecurity Risks by Financial Institutions”.
As someone who is strongly interested in (and works in) supply chain cybersecurity risk, I can say this is a genuinely good publication.
It clearly explains key regulatory expectations and the major building blocks of TPRM/TPCRM. It also provides a useful view of how practices differ across regions and how these approaches translate into the Japanese financial sector context.

For teams responsible for TPRM, procurement, operational resilience, and supply chain security, this is a great piece to read and discuss internally, not as theory, but as a source of concrete ideas for improvement.
Why this report is worth your time
☑️ Major financial institutions in the US/EU/UK have established third-party cyber risk as a dedicated risk domain within TPRM, with cybersecurity functions acting as domain experts rather than “owning” the entire TPRM framework.
☑️ The report shows classification isn’t only “critical vs non-critical.” Institutions classify third parties across multiple dimensions, for example:
➡️ third vs nth party,
➡️ intra-group vs external,
➡️ in-scope vs out-of-scope for TPRM,
➡️ criticality (operational resilience),
➡️ inherent/residual risk tiers,
➡️ category/type of service (technology vs non-technology).
☑️ It touches several areas that many organizations still treat as “optional”:
➡️ Nth parties (often limited operationally to visibility up to 4th parties, and mitigation via evaluating how the 3rd party manages its subcontractors)
➡️ Concentration risk (service, geographic, and nth-party concentration) and visualization through TPRM tools
➡️ Ongoing monitoring using cyber threat intelligence tools, risk scoring, and dark web monitoring
➡️ Audit rights & on-site inspection clauses as standard contract practice, with explicit minimum security controls expected contractually
➡️ Exit strategies and exit plans, including tabletop testing and updates
➡️ Third-party incident response playbooks and collaboration between contract owners and cyber incident response teams
➡️ The report notes SBOM efforts (still often pilot-stage), and it explicitly connects SBOM-type transparency with broader future needs (AIBOM, hardware BOM) and even cryptoinventory concepts relevant to post-quantum migration.
☑️ It clearly states why Excel breaks at scale and why mature organizations use tooling for ledgers, workflows, and questionnaires.
Author: Sebastian Burgemejster