How to manage third-party cyber-risk across your organization

September 22, 2025 | 3 minute read

Key takeaways

  • Whether a data breach originates internally or from a third party, companies need to build and test a response plan.
  • A fundamental task of third-party management is data protection: What data is most critical to your organization, and who has access to it?
  • Effective oversight of third parties depends on strong policies that emphasize collaboration and cybersecurity as a shared goal.

Expanding supply chains and complex digital workflows are connecting most organizations to a dynamic ecosystem of partner organizations, contractors and vendors who share sensitive data and maintain access to business systems. In addition to improving its own cybersecurity posture and employee awareness, the modern business must also grapple with the cyber-risk posed by third parties — and the often-unseen networks of suppliers and partners third parties depend on to operate.


Cyber incidents involving any type of third party are less common than those that target businesses directly, but they’re trending upward.1 A report found that at least 29% of data breaches originated with third parties and supply chains in the fourth quarter of 2024. The threat is greater in certain industries, such as healthcare, in which 35% of data breaches involved a third party during the same period.2


Data breaches represent only one part of the security risk. Third parties that share or use a company’s systems can introduce vulnerabilities through oversight or poor security practices. Mishandling of sensitive data can also significantly increase the risk of violating regulatory guidelines in many industries.


Managing third-party cyber-risk requires an in-depth exploration of how your company connects to other entities, what digital services it relies on and how entwined they are with critical business operations.

Here are 7 steps for building or reinforcing a third-party risk management plan:

1. Create incident response plans. Your company should work with the suppliers and partners that have the greatest access to your systems and data to document the steps to take during and after a cyber incident, including communications and reporting protocols and the identification of stakeholders.

2. Identify, track and govern your most valuable data. Your company should create systems and policies that help identify who is using critical data, such as intellectual property and customer information, and set controls that protect data in transit, in use and in storage.

3. Measure third-party risks. Your company should undertake a full risk assessment of its third parties and identify those that could present the most serious threat to your company’s data or reputation in the event of a cyber incident.

4. Evaluate third-party security standards. Conduct assessments of your most important partners and service providers and the security controls they provide for your company’s assets. These evaluations should also consider any data privacy regulations or other compliance considerations.

5. Bind security protocols to contracts. Be proactive in building security requirements into supplier contracts and service level agreements, including protocols for reporting potential security incidents and the remedial steps third parties are obligated to initiate in the event of an actual cyber incident.

6. Maintain oversight of third-party security. Cybersecurity requires continuous monitoring and updates to tool sets and protocols as needed. Build performance reviews and key performance indicators into your company’s most important third-party contracts. Stress collaboration during the review process to frame cybersecurity as a shared objective.

7. Refer to industry best practices and intelligence when reassessing third-party risk. The threat landscape is constantly evolving. Risk profiles of key third parties should be regularly evaluated and adjusted based on new data about existing or emerging threats. Your company should reevaluate third-party risk assessments whenever it changes its own security protocols or learns about new cyberthreats.

1 Prevalent, “The 2024 Third-Party Risk Management Study.”

2 Security Scorecard, "Global Third-Party Cybersecurity Breaches," 2024.

Important Disclosures and Information

Bank of America, Merrill, their affiliates and advisors do not provide legal, tax or accounting advice. Consult your own legal and/or tax advisors before making any financial decisions. Any informational materials provided are for your discussion or review purposes only. The content on the Center for Business Empowerment (including, without limitations, third party and any Bank of America content) is provided “as is” and carries no express or implied warranties, or promise or guaranty of success. Bank of America does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content, regardless of who originates that content, and disclaims the same to the extent allowable by law. All third party trademarks, service marks, trade names and logos referenced in this material are the property of their respective owners. Bank of America does not deliver and is not responsible for the products, services or performance of any third party.