
Third-Party Risk and Business Disruption: What Directors Need to Know
In today's interconnected business landscape, third-party risk has emerged as a critical concern for organizations of all sizes. As companies increasingly rely on external vendors, suppliers, and service providers, they expose themselves to potential disruptions ranging from cybersecurity breaches to operational failures.
Third-party incidents, such as the CrowdStrike outage on July 19, 2024, serve as a stark reminder of how a single third-party vulnerability can trigger widespread disruptions across multiple industries. These incidents not only highlight the far-reaching consequences of third-party risk, but they also underscore the urgent need for boards to take a more proactive stance in overseeing and mitigating these risks to ensure organizational resilience and continuity.
The CrowdStrike Incident: A Case Study
The CrowdStrike outage exemplifies the consequences of third-party risk in the interconnected business landscape. A flawed software update from the trusted security vendor caused millions of Microsoft Windows systems to crash worldwide, disrupting critical services and business operations on an unprecedented scale.
Organizations struggled to maintain basic operations as information technology (IT) teams worldwide implemented workarounds and restored systems, a process complicated by the need for manual intervention on affected devices.
Long-term consequences continue to unfold, with renewed scrutiny of third-party dependencies and potential risks to business continuity. Many organizations are reassessing their vendor management strategies, particularly for critical services. The financial impact is substantial, with insurers estimating losses of approximately $5.4 billion for Fortune 500 companies alone, according to Parametrix Solutions’ analysis.
This incident highlighted the need for more robust business continuity planning and disaster recovery strategies. Organizations are now grappling with questions about appropriate redundancy levels for critical systems and the balance between efficiency and resilience in their IT infrastructure.
The CrowdStrike incident underscores the importance of third-party risk management in today's business environment, emphasizing how a single point of failure can cascade into widespread disruption, a pressing concern for boards and executives alike.
Key Lessons from Third-Party Incidents
Below are lessons boards and C-suite leaders can learn from this and other third-party incidents, including the 2024 Salt Typhoon telecommunications breach.
The dangers of overreliance on a single vendor. These crises starkly illustrate the risks of depending too heavily on a single service provider, even one as reputable as CrowdStrike: when that provider experiences a significant issue, the ripple effects can be catastrophic. The 2024 Salt Typhoon campaign demonstrated how vulnerabilities in common infrastructure components, such as Cisco Systems routers used across multiple telecom providers, can cause industry-wide exposure. Boards should encourage management to regularly assess the organization's vendor dependencies and consider strategies to mitigate concentration risk.
The importance of robust business continuity plans. Organizations with well-developed and regularly tested business continuity plans are better positioned to weather disruptions. The 2024 telecommunications sector breach, which impacted major providers including T-Mobile, highlighted how critical infrastructure sectors need particularly robust contingency planning. These plans should account for various scenarios, including the sudden loss of critical third-party services. Boards should ensure that business continuity planning is a priority and that plans are periodically reviewed and updated to reflect the evolving risk landscape.
The need for rapid response and communication strategies. These incidents highlight the importance of swift and effective communication during a crisis. Organizations that had clear communication protocols in place were able to inform stakeholders promptly, manage expectations, and coordinate recovery efforts more efficiently. Boards should oversee the development of crisis communication plans that address both internal and external stakeholders.
The value of diversification in critical services. Companies that have diversified their security and IT services are generally able to recover more quickly from disruptions. While complete redundancy may not always be feasible or cost-effective, strategically diversifying critical services can significantly enhance resilience. Boards should encourage management to explore multi-vendor strategies for essential services, balancing the benefits of diversification against potential increases in complexity and cost.
Third-Party Risk in the Context of Business Disruption
Third-party risk in the modern business landscape extends far beyond simple vendor management. As organizations increasingly rely on external partners for critical functions, they expose themselves to a complex web of potential disruptions. Understanding these risks is crucial to effective governance and risk management. Below are types of third-party risks that can lead to business disruption.
Operational failures. These occur when a third-party vendor fails to deliver promised services or experiences significant downtime. The CrowdStrike incident is a prime example.
Cybersecurity breaches. Third-party vendors often have access to sensitive company data. A breach at the vendor level can expose this data, leading to reputational damage, legal liabilities, and operational disruptions.
Supply chain interruptions. Disruptions in the supply chain, whether due to natural disasters, geopolitical events, or vendor bankruptcies, can severely impact an organization's ability to deliver products or services.
Regulatory noncompliance. As regulatory landscapes evolve, third-party vendors may fall out of compliance, exposing their client organizations to legal and financial risks.
The Ripple Effect
The interconnected nature of modern business means that a problem with one third-party vendor can quickly escalate into a company-wide crisis. For instance, a cybersecurity breach at a cloud service provider could compromise data across multiple departments, leading to operational shutdowns, customer trust issues, and potential legal challenges. Similarly, the failure of a key component supplier could halt production, affecting sales, customer relationships, and financial performance. Boards should understand these potential cascading effects to effectively oversee risk management strategies.
Essential Questions for Directors
By regularly engaging with these questions, boards can enhance their oversight of third-party risk management and better prepare their organizations for potential disruptions.
- How dependent is our organization on third-party vendors for critical operations?
- What is our strategy for mitigating third-party risks?
- How prepared are we to handle a major disruption from a key vendor?
- How do we assess the resiliency of our critical third-party providers?
- What is our communication plan in the event of a third-party–induced crisis?
The Board's Role in Mitigating Third-Party Risk
In light of recent incidents such as the CrowdStrike disruption and the Salt Typhoon telecommunications breach, boards should strengthen their oversight of third-party risk management. Below are five critical responsibilities that directors should prioritize to protect their organizations.
Set the tone for a risk-aware culture. Directors should champion a culture that prioritizes risk awareness and management throughout the organization. This involves regularly discussing risk at board meetings and ensuring that risk considerations are integrated into strategic decision-making.
Ensure management has robust vendor assessment and monitoring processes. Boards should oversee the development and implementation of comprehensive vendor assessment frameworks. These should include initial due diligence, ongoing monitoring, and periodic reevaluations of key vendors. In addition, boards should ensure that management negotiates robust contracts with vendors that include clear performance metrics, security requirements, and provisions for audits and termination.
Oversee the development and testing of business continuity plans. Directors should ensure that management develops and regularly updates and tests business continuity plans that address various third-party disruption scenarios.
Promote diversity in critical service providers. Boards should encourage management to consider multi-vendor strategies for critical services, balancing the benefits of diversification against potential increases in complexity and cost. One solution is to enhance internal capabilities to reduce reliance on external providers.
Ensure adequate investment in backup systems and redundancies. Directors should advocate for appropriate investments in backup systems and redundancies, particularly for critical functions that rely heavily on third-party providers.
Internal Audit's Role in Supporting Board Oversight
Internal audit serves as the board's eyes and ears in monitoring third-party risk management, providing independent insights that inform board decisions. Here are the key ways in which internal audit supports effective board oversight.
It strengthens board risk oversight through independent assessment. Internal audit evaluates vendor management processes and controls, delivering objective findings that help the board fulfill its risk governance responsibilities.
It informs board decisions through critical vendor assessments. By auditing high-risk providers, internal audit gives boards the assurance needed to evaluate vendor relationships and oversight effectiveness.
It supports board oversight of operational resilience. Internal audit's testing of business continuity plans helps boards ensure that the organization can withstand third-party disruptions, informing strategic decisions about redundancy and risk tolerance.
It enables risk-aware governance through emerging risk insights. Internal audit keeps boards informed about evolving threats and industry practices, supporting more effective oversight of third-party risk management strategies.
Looking Ahead: Emerging Trends in Third-Party Risk
As organizations continue to navigate an evolving risk landscape, several key trends are shaping the future of third-party risk management. Below are critical developments that boards and executives should monitor.
The impact of emerging technologies on third-party relationships. Technologies such as artificial intelligence, blockchain, and the Internet of Things are reshaping third-party relationships, introducing new capabilities and new risks that boards should understand and oversee.
The evolving regulatory landscape and compliance requirements. Increasing regulatory scrutiny of third-party relationships, particularly in areas such as data privacy and cybersecurity, requires boards to stay informed and ensure compliance.
The growing importance of fourth-party and “nth-party” risk management. As supply chains and service networks become more complex, organizations should look beyond immediate vendors to understand and manage risks from subcontractors and other downstream providers.
As directors navigate an increasingly complex business landscape, the ability to effectively manage third-party risks will be a key differentiator for successful organizations. Boards that rise to this challenge will not only protect their organizations from potential disruptions but also position them to thrive in an interconnected world.
Mike Levy is CEO of Cherry Hill Advisory, a global risk advisory firm focused on corporate governance and internal audit services with a specialization in risk management concerning emerging technologies such as artificial intelligence.