Third-Party Risk Management: The Human Behaviours Behind Persistent Exposure

While third-party risk management frequently appears robust in governance forums, ongoing exposure suggests a more complex reality. This article explores human behaviours that influence the practical management of third-party cyber risk beyond the intentions of formal frameworks.

Third-party risk management (TPRM) is now a well-established discipline within cybersecurity and GRC. Most organisations can demonstrate defined processes, contractual controls, and assurance mechanisms to manage supplier risk, but many still struggle to implement these measures effectively, leaving gaps in supplier security that attackers can exploit. Regulatory expectations have further reinforced the need for formal oversight of third parties, particularly in ensuring compliance with data protection laws and industry standards.

Yet incidents involving third parties remain a persistent threat. This suggests the challenge extends beyond framework maturity or technological capability. Human behaviour, organisational culture, and commercial pressures significantly influence the effectiveness of TPRM in practice, shaping the assessment and resolution of risks.

This two-part series explores behavioural dynamics that frequently undermine third-party cyber risk management practices.

The pressure to appear ‘secure’

Third parties operate in competitive environments where demonstrating security maturity has become a commercial necessity. Suppliers therefore face implicit pressure to present themselves as operationally robust, even when controls may still be evolving or inconsistently applied.

As a result, self-assessment questionnaires and maturity declarations can sometimes reflect aspirational practices rather than actual control effectiveness. Cultural factors reinforce this dynamic when internal teams feel compelled to align responses with contractual commitments or service-level agreements (SLAs).

The organisations issuing these questionnaires typically do so in a standardised format designed to streamline the process, recognising they may not have the capacity to review large volumes of supporting evidence or conduct detailed follow-ups with every supplier.

Consequently, customer organisations often rely heavily on declared security postures unless assurance processes include operational validation along with documentation.

Third-party providers may also feel pressure to avoid disclosing operational weaknesses, particularly when doing so could threaten contractual relationships. Without evidence-based validation or contractual audit rights, responses to control-maturity questionnaires may present an overly optimistic view of the security posture.

Ransomware and asymmetric exposure in third-party relationships

Ransomware has become the dominant third-party cyber risk scenario for many organisations. Suppliers often serve as a more accessible point of compromise, particularly when security investment and maturity differ significantly between the customer and the provider.

Compromising a single supplier can also provide attackers with access to multiple client environments, creating the potential for widespread disruptions or simultaneous extortion across several organisations.

The challenge is not purely technical. Cultural and behavioural dynamics also play a part. Suppliers may hesitate to disclose emerging threats or early-stage incidents due to concerns about reputational harm, commercial repercussions, or contractual penalties. At the same time, customer organisations may implicitly expect suppliers to resolve issues independently until escalation becomes unavoidable.

This dynamic discourages early transparency, even though earlier collaboration could significantly reduce the impact of incidents.

In practice, ransomware exposure in third-party relationships can manifest in several ways: service outages, attackers pivoting through trusted connections, weak recovery capabilities, or delayed incident disclosure driven by fear of contractual consequences.

Encouraging more open information sharing requires organisations to move beyond purely compliance-driven oversight to shared risk ownership. Maturity-based assessments, collaborative exercises, shared threat intelligence, and environments that encourage early disclosure all contribute to stronger relationships and greater resilience.

Criticality, certification and misplaced assurance

Tiering suppliers by criticality is a common feature of mature TPRM programmes. Certifications and third-party attestations are frequently used as indicators of security maturity within these tiers.

However, certifications are ultimately interpreted and implemented by individuals. The presence of a recognised standard can therefore create a sense of assurance that does not always reflect the real risk associated with a specific service, environment, or delivery model. Over time, this can lead to reduced scrutiny of suppliers whose formal credentials appear strong, even when operational exposure remains significant.

A graduated approach to attestation enables suppliers to provide assurance proportional to their criticality. Under this model, high-impact suppliers must demonstrate stronger control maturity and provide more substantial supporting evidence, while lower-criticality suppliers are subject to proportionately lighter assurance requirements. This tiered approach aligns oversight with risk while avoiding unnecessary burden on smaller vendors.

Relationships, legacy, and reduced scrutiny

Long-standing supplier relationships, particularly those supported by strong personal connections at senior levels, often benefit from a degree of trust not afforded to newer providers. Over time, this trust can reduce the frequency or depth of security scrutiny.

This rarely reflects deliberate negligence. Instead, it demonstrates how human relationships influence organisational behaviour. Although governance frameworks may mandate consistent oversight, in practice, scrutiny is seldom applied uniformly across all suppliers.

Legacy contracts can further increase exposure. Many were written before today’s cyber, operational, and regulatory expectations existed and therefore lack modern security clauses, clear incident-reporting requirements, defined recovery obligations, or meaningful audit rights. These gaps can leave organisations with limited leverage during an incident.

A clear example occurred in mid-2023 when a zero-day vulnerability in MOVEit Transfer, a widely used secure file-transfer product, was exploited by the Clop ransomware group. Attackers breached servers operated by hundreds of service providers, exposing sensitive data belonging to thousands of organisations that had no direct relationship with the compromised software.

“The greatest enemy of knowledge is not ignorance, it is the illusion of knowledge.” — Daniel J. Boorstin.

The continued presence of third-party cyber risk does not necessarily indicate that frameworks are ineffective. Instead, it highlights that behavioural dynamics and organisational incentives shape how those frameworks operate in practice.

Many of the most significant drivers of exposure sit outside formal processes and control structures. For boards and senior leaders, it is essential to recognise that human behaviour fundamentally shapes the effectiveness of third-party risk management.

Part 2 will explore how these behavioural dynamics influence real-world resilience when critical third parties experience cyber incidents or operational disruptions.
