Copyright SJKP LLP Law Firm all rights reserved

Third-Party Risk Management: Vendor Compliance and Lifecycle Governance



Third-party risk management must satisfy OCC, HIPAA, and DORA requirements. Learn vendor due diligence, contract risk allocation, and lifecycle governance.

Companies relying on vendors, suppliers, fintech providers, and cloud platforms must build third-party risk management (TPRM) programs that satisfy the 2023 Interagency Guidance (OCC/Fed/FDIC), the HIPAA Business Associate rules at 45 CFR §§ 160 and 164, the EU Digital Operational Resilience Act (DORA 2022/2554, effective January 17, 2025), and the SEC Cybersecurity Risk Management Rule (Item 1.05 of Form 8-K). Recent supply chain incidents (SolarWinds 2020, MOVEit 2023, Change Healthcare 2024) led regulators to expect lifecycle vendor governance, concentration risk monitoring, and incident response coordination with critical third parties. This article covers third-party risk management frameworks, due diligence, cybersecurity and privacy controls, and the banking, healthcare, and DORA requirements.

1. Third-Party Risk Management Framework


TPRM programs implement risk-based lifecycle governance across planning, due diligence, contract negotiation, monitoring, and termination, with elevated requirements for "critical" third parties whose failure would disrupt operations or customer commitments. Regulators expect documented risk appetite, board oversight, and senior management accountability.

Sector          | Primary Framework              | Key Requirements                              | Recent Update
----------------|--------------------------------|-----------------------------------------------|------------------------
US Banking      | 2023 Interagency Guidance      | Lifecycle TPRM, critical vendors              | Replaced OCC 2013-29
Healthcare      | HIPAA 45 CFR §§ 160, 164       | BAAs, security risk assessments               | Change Healthcare 2024
EU Financial    | DORA Reg 2022/2554             | ICT third-party register, exit strategies     | Effective Jan 17, 2025
US Cyber        | NIST SP 800-161 Rev. 1         | Supply chain risk controls                    | Updated 2022
State (NY)      | 23 NYCRR 500                   | Third-party policies, MFA, encryption         | Amendment Nov 2023


What Does Third-Party Risk Management Cover?


Third-party risk management covers operational, cybersecurity, financial, compliance, reputational, strategic, country, and concentration risks arising from vendors, subcontractors (fourth parties), and supply chain relationships, with a focus on critical providers (cloud, payment processors, claims administrators). Supply chain risk management programs also address NIST SP 800-161 Rev. 1 controls, the software requirements of Executive Order 14028, and the CISA Known Exploited Vulnerabilities (KEV) catalog.



Who Regulates Vendor Risk Programs?


Vendor risk programs are regulated by multiple federal and state agencies depending on industry and jurisdiction. Banking institutions answer to the OCC, Federal Reserve, and FDIC under the 2023 Interagency Guidance; healthcare organizations fall under the HHS Office for Civil Rights (HIPAA penalties of $50K-$2M per tier); public companies face SEC cyber rules; and EU financial firms must comply with DORA oversight, alongside state-level rules including NYDFS 23 NYCRR 500.11 and the California CCPA. Because authorities overlap and definitions of "critical" or "material" are inconsistent, most regulatory risk management programs map vendor controls across multiple frameworks simultaneously.



2. Vendor Due Diligence and Onboarding


The third-party risk management lifecycle begins with planning (business need, risk tier, alternatives) and due diligence (financial condition, legal/regulatory standing, cybersecurity posture, business continuity, subcontractor reliance), followed by contracting with risk allocation, ongoing monitoring, and exit.



How Do You Conduct Vendor Due Diligence?


Vendor due diligence under third-party risk management collects financial statements, audit reports (SOC 1, SOC 2 Type II, ISO 27001), regulatory examinations, litigation history, insurance coverage, business continuity test results, and concentration analysis (key personnel, single-source dependencies). Due diligence intensifies for critical vendors, adding site visits, security questionnaires (CSA CAIQ, SIG), penetration testing review, and tabletop exercises under the 2023 Interagency Guidance.



What Contract Provisions Allocate Risk?


Vendor contracts under third-party risk management allocate risk through SLAs with service credits or termination triggers, indemnification (uncapped for IP infringement, data breach, and gross negligence), limitations of liability (typically 12-24 months of fees), audit rights, regulator access, security standards, incident notification windows (24-72 hours), data return/destruction, and subcontractor approval. Outsourcing contracts for critical services add exit assistance, transition services agreements, source code escrow, and step-in rights.



3. Cybersecurity and Privacy in Third-Party Risk Management


Third-party risk management cybersecurity controls address supply chain attacks (SolarWinds-style compromises), ransomware via vendor access (MOVEit Cl0p), credential abuse, and shared cloud infrastructure risks, with privacy controls covering data minimization, sub-processor authorization, cross-border transfers, and breach notification.



How Do You Manage Cybersecurity Risks?


Third-party risk management cybersecurity programs implement vendor security assessments, continuous monitoring (BitSight, SecurityScorecard), software bill of materials (SBOM) review, vulnerability disclosure programs, and incident response coordination. Cybersecurity governance frameworks under NYDFS 23 NYCRR 500.11, the SEC cyber rules, and NIST CSF v2.0 require board-level oversight and risk assessment, and SEC Item 1.05 requires disclosure of a material incident within 4 business days of the materiality determination.



What Privacy and Data Protection Rules Apply?


Privacy obligations require data processing agreements (DPAs) under GDPR Article 28, HIPAA Business Associate Agreements under 45 CFR § 164.504(e), California service provider contracts under CCPA § 1798.140(v), and equivalent contract terms under the Colorado, Virginia, Connecticut, and Texas privacy laws. Privacy and data protection in vendor management also requires subprocessor notification, cross-border transfer mechanisms (SCCs, Data Privacy Framework), and audit rights covering both contractual and statutory data subject rights.



4. Sector-Specific: Banking, Healthcare, and DORA


Third-party risk management requirements vary by sector: US banking (2023 Interagency Guidance), healthcare (HIPAA BAAs and OCR enforcement), EU financial services (DORA effective January 17, 2025), and broader US frameworks (NIST SP 800-161, SEC cyber rules).



How Does the 2023 Interagency Guidance Apply?


The June 2023 Interagency Guidance on Third-Party Relationships replaced OCC Bulletin 2013-29 and Fed SR 13-19, applying a unified lifecycle framework across OCC banks, Federal Reserve members, and FDIC institutions covering planning, due diligence, contracting, monitoring, and termination. Banking and financial services firms must identify "critical activities" (significant impact on operations, customers, financial condition), apply heightened oversight (board approval, contingency planning, regulator notification), and document risk appetite under SR 23-4.



What Do HIPAA BAAs and DORA Require?


HIPAA Business Associate Agreements under 45 CFR § 164.504(e) require covered entities to obtain written assurances from business associates regarding PHI safeguards, use limitations, subcontractor flow-down, breach notification within 60 days, and termination upon material breach. HIPAA enforcement intensified after the 2024 Change Healthcare attack, with OCR penalties reaching $4.75M (Montefiore) and a 2025 NPRM proposing mandatory MFA, encryption, and network segmentation. DORA (EU) 2022/2554, effective January 17, 2025, requires an ICT third-party register, mandatory contractual provisions (Article 30), exit strategies, and EU oversight of critical ICT providers.

Given the overlap among OCC, HIPAA, and DORA requirements, third-party risk management programs benefit from coordinated legal review well before regulatory examinations, vendor contract renewals, or supply chain incidents arise.


21 May, 2026


The information provided in this article is for general informational purposes only and does not constitute legal advice. Prior results do not guarantee a similar outcome. Reading or relying on this content does not create an attorney-client relationship with this firm. For advice on your specific situation, consult a qualified attorney licensed in your jurisdiction.
Some content on this website may be drafted with technology-assisted tools and is subject to attorney review.
