What do the exposure of 106 million records from Capital One, 11.9 million records from Quest Diagnostics, and 7.7 million records from LabCorp have in common, apart from the fact that they all happened this year? In each case the breach was caused by a third party. With the Capital One breach, a hacker was able to exploit a configuration vulnerability in the servers of one of its cloud partners. The other two breaches were traced to the same third party – the American Medical Collection Agency’s (AMCA) system.

Data breaches are nothing new. More than 5 billion records were exposed in 2018 alone, and third parties were often found to be at fault. The potential cost of a data breach is enormous; even after the breach is cleaned up and the vulnerability shut down, there’s the risk of fines, penalties and settlements, which can amount to millions. The reputational damage can linger for years.

With a proper third-party risk management strategy in place you can drastically reduce the chance of a breach happening in the first place and limit the impact on your business if it does.

It’s an expectation, not an option

Ignorance is no defense in the event of a data breach. It doesn’t matter if a third party is to blame – if your company is responsible for the data, then you will be held accountable. Regulators in the U.S. and Europe have made it crystal clear that companies are liable for the data they collect and hold, regardless of the network of third parties involved.

Complying with global regulatory requirements is a constantly evolving challenge. It’s important to operationalize data management and security. Start to think of compliance as a journey rather than a destination.

While third-party risk management is especially important in healthcare and finance, where sensitive data and multiple partners are par for the course, this advice also applies to industries from manufacturing to retail to entertainment and beyond. Outsourcing expands your potential attack surface and heightens your exposure to risk, so it must be scrutinized from the start.

Asking the right questions

While you can dig into technical guides like NIST’s CSF and ISO 27001 to help you build solid information security strategies and policies, the best and most obvious way to reduce third-party risk is to limit what you share in the first place. Start with these questions:

- Why are you outsourcing this particular service or data?
- What precisely is being shared, and does it all need to be shared?
- Are you doing everything you can to encrypt or anonymize data?
- Does the third party in question subcontract to others?
- Where are their data centers based?
- What kind of contract do you have in place?
- What are the provisions in the event of a data breach or a service failure?

A robust incident response plan is vital, and it should clearly delineate the process for dealing with a suspected data breach, including who is responsible for what, a realistic timeline for reporting and remediating, and clear lines of communication. It’s alarmingly common for a relatively small incident to snowball into a major disaster because the initial alert was not properly flagged or dealt with in a timely manner.

Regular vendor assessment is crucial

You can’t take it on trust – third parties must be thoroughly vetted and regularly assessed. Proper third-party risk management requires clear documentation covering due diligence, detailed risk assessments, a map of third-party relationships, and clear incident response requirements. You should also be generating performance reports and conducting regular audits.

Everything must be laid out in black and white in a watertight service-level agreement (SLA) to ensure you are fully compliant with regulatory requirements. If the worst should happen, then you will be expected to show regulators your workings. Failure to properly interrogate contracts and third-party practices, or to monitor them on an ongoing basis, will come back to bite you.

The problem with traditional vendor assessments is that they tend to rely on a rating system that gives you an easily digestible score or rank, but an arbitrary number doesn’t tell you enough about your potential exposure or how to deal with it. It’s also fairly common to conduct reviews only annually, but you need real-time, rolling visibility if you really want peace of mind.

Acting on the results

One final, vital component in successfully managing third-party risk is acting on the information you gather. It’s all well and good to regularly audit your vendors or even to institute continuous monitoring, but it’s not going to have a positive impact unless your insights are actionable. Each failing must be accompanied by a remediation plan, and the remediation efforts must also be assessed to ensure the problem has been adequately dealt with.

In extreme cases, where remediation has been unsuccessful or vendors repeatedly fail to meet your agreed-upon standards, your contract should have provision for you to terminate, without penalty, and find a better partner. If you don’t take third-party risk seriously and ensure that your standards cover data internally and externally, then you are undermining your security efforts, and there’s a good chance you’ll end up paying a high price for it.