How do firms manage risk beyond their own walls?
Risk no longer stops at the edge of the organisation. As firms rely more heavily on third parties, cloud providers, data partners and complex supply chains, their exposure increasingly lies beyond what they directly control. From regulatory accountability to reputational fallout, weaknesses in the wider ecosystem can quickly become a firm’s own problem.
Asked which third-party risks are the hardest to monitor and mitigate, Alan Ludden, information security manager at Corlytics, points to an experience from July 2024.
He explained, “On Friday, 19 July 2024, as I sat on a plane with my family at Dublin Airport awaiting final preparations for take-off, I watched chaos unfold. Unbeknown to everyone on board, numerous airport systems went offline. News articles and social media posts quickly began appearing on my phone. Rumours of a global IT outage, cyberattack, and widespread operational disruption – the CrowdStrike outage! It felt like a scene straight out of a disaster movie.”
He went on to explain that as the passengers sat there for hours, airline staff reverted to manual processes, checking seat allocations and verifying passports.
“At one point, a gentleman stood up and shouted, ‘Is this the flight to Andorra?’ ‘NO!’ half the plane responded. ‘How did he even get on the plane?’ people wondered aloud. In that moment, the true scale of the incident began to sink in. I remember feeling genuine empathy for the thousands of people who suddenly had to manage this crisis from every angle,” he remarked.
How does this link to third-party risks? For Ludden, the CrowdStrike incident, along with several major outages since, reinforced what risk practitioners already know: third-party risk management and supply chain vulnerabilities demand constant attention. Even trusted, top-tier vendors with strong security postures can become single points of failure, and mitigation can be costly when they do.
He said, “Despite thorough due diligence processes, including stringent supplier control obligations, cyber risk within the supply chain remains a leading concern. The weakest link is often a third or fourth-party provider operating with lower cybersecurity maturity. These organisations are more vulnerable to social engineering or business email compromise, which can cascade up the supply chain. While difficult to mitigate fully, targeted and ongoing training significantly reduces exposure.”
Artificial intelligence has moved from an emerging concern to a permanent fixture on corporate risk registers. As Alan Ludden observes, it is now difficult to find a risk register that does not explicitly reference AI or emerging technologies. AI is embedded across business operations and daily life, creating new opportunities while simultaneously expanding the risk landscape.
From a threat perspective, AI is increasingly used by malicious actors to conduct attacks at greater scale and sophistication, often with reduced effort. At the same time, defensive platforms are also leveraging AI to improve detection and response capabilities, narrowing attackers’ windows of impact. This dynamic creates a constantly shifting balance, where both offensive and defensive capabilities evolve rapidly.
Beyond cybersecurity, Ludden highlights how AI introduces new challenges around data sovereignty and third-party oversight. Organisations are increasingly dependent on external AI platforms, raising critical questions about where data is stored, how it is processed, and how it is ultimately used. When AI services are delivered through vendors, inadequate oversight can expose firms to regulatory breaches, intellectual property leakage and reputational damage. Effective governance, he argues, must go further than technical security controls, extending into areas such as transparency over training data usage, model lifecycle management, clarity on processing locations and clearly defined expectations around human oversight.
Frameworks like ISO/IEC 42001 are beginning to provide a more structured and accountable approach to managing these risks, offering organisations a way to formalise AI governance alongside existing compliance and risk management practices.
However, Ludden notes that vendor assessments themselves remain inconsistent. Approaches vary widely across organisations, and meaningful standardisation is difficult given that each firm operates under its own regulatory, operational and risk constraints. While a growing number of platforms now automate elements of third-party due diligence, their real value lies in their ability to ingest and analyse existing certifications such as ISO/IEC 27001, SOC 2 or PCI DSS, alongside external security posture data and financial information.
Point-in-time assessments still have a role to play, but only when embedded within strong internal and external governance frameworks that support continuous oversight. Static assessments can become obsolete quickly — a vendor that is compliant today may not be tomorrow — and they often fail to capture fourth- and fifth-party risks that can be just as consequential.
Balancing operational efficiency with regulatory expectations for third-party oversight remains a significant challenge, particularly given the sheer number of vendors many organisations rely upon. Ludden emphasises the importance of a risk-based approach that prioritises critical and important third parties. Regulations such as DORA, alongside the European Central Bank’s expanding focus on outsourcing through its draft guidelines on third-party risk management, have placed increased emphasis on comprehensive assessments, contractual audit rights and ongoing monitoring of ICT providers supporting financial entities.
To operate effectively at scale, firms need standardised governance frameworks supported by automation wherever possible. Centralised monitoring and real-time visibility across the supply chain — from critical providers down to lower-risk vendors — are becoming essential. These expectations are set to increase further, with the European Commission introducing a broader cybersecurity package, including revisions to the Cybersecurity Act aimed at strengthening risk reduction across ICT supply chains.
When vendor failures occur, Ludden is clear that regulatory accountability does not shift. While such incidents are damaging for both the primary firm and its suppliers, responsibility for compliance failures rests firmly with the regulated entity. This reality reinforces the need for vendor risk management programmes that operate continuously rather than reactively.
In Ludden’s view, progress is being made. Regulatory frameworks such as DORA, the Guidelines on Third Party Risk Management, NIS2 and PS21/3 are steadily raising governance standards across organisations and their extended ecosystems. Over time, these measures should strengthen resilience, reduce systemic risk and improve transparency and trust across increasingly complex supply chains.
A big challenge
According to Aaron Pinnick, senior manager of thought leadership at ACA Group, managing the risks posed by third parties is a perennial challenge for firms across all industries: many struggle to prove the effectiveness of their vendor due diligence, the third-party network expands seemingly without end, and new technologies keep changing the operational risks third parties present.
He said, “Financial services firms face these same challenges, with the added layer of complexity that third-party risk must be managed in the context of increasing regulatory pressure. Regulations like the SEC’s Amendments to Regulation S-P and the EU’s Digital Operational Resilience Act (DORA) impose new expectations on firms for how they select, monitor, and respond to incidents, and for many firms, these new expectations are posing significant challenges.”
Beyond the regulatory challenges, firms often struggle to address fourth-party and “nth-party” risks, said Pinnick. Third parties in the financial services space have their own network of vendors that they rely on to get work done, which creates a series of nested dependencies that are difficult for a firm to identify, monitor and remediate. Often, these fourth-party dependencies only surface during outages or cyber incidents, which can slow the firm’s response and recovery because it is caught unaware of the incident.
Pinnick continued, “Another third-party challenge that many firms struggle to address is keeping pace with the rapidly evolving technology used by their third parties. As third parties rapidly adopt AI-powered tools and technologies, implement new APIs, and move between SaaS platforms, the risks they present to the firm and how those risks need to be managed can change dramatically in a very short period of time. Firms often struggle to keep pace with these changes, and firms that are overly reliant on point‑in‑time due diligence questionnaires or annual vendor assessments can find themselves exposed to significant risks.”
Are current vendor assessments sufficient in a world of interconnected platforms? On this, Pinnick said that in most cases, no.
He explained, “A traditional vendor assessment (i.e., due diligence questionnaire or SOC report) is not sufficient in isolation. They are certainly a critical step in understanding the risks that a third party presents, and regulators will expect to see evidence of this diligence for vendors, but these assessments were designed for a time when operations, technology, and cyber risk were far more static than they are today.”
Pinnick went on, “To supplement these traditional vendor assessments, some firms are shifting toward event‑driven vendor reviews. Firms that take this approach will identify certain triggers with their third parties (e.g., outages, cyber incidents, product changes) and if/when these events occur, that will result in the firm re-assessing the third party’s risk and identifying necessary remediation steps. This shifts the re-assessment period from a calendar or contract defined date, to one that more naturally aligns with changes in the vendor’s risk.”
When a vendor failure triggers a compliance breach, who ultimately takes responsibility? From the perspective of regulators, with very few exceptions, the ultimate responsibility for breaches, incidents or compliance failures resides with the firm and not the third-party provider, said Pinnick. While firms can outsource work, they cannot outsource accountability for incidents, regardless of whether it is a data breach, service outage or cyberattack caused by a third party.
Pinnick concluded, “When a third-party incident does occur, firms should be prepared to demonstrate to regulators that due diligence was conducted on the third party, what contractual agreements were in place between the firm and the third party, what monitoring was in place, and what incident response plans were in place to help the firm and the third party address the issue.”
The key to accountability
For Supradeep Appikonda, COO and co-founder at 4CRisk.ai, the starting point in any discussion about third-party risk is accountability. “Organizations cannot outsource their risk to other parties,” he argues. No matter how many vendors, subcontractors or downstream providers sit between a firm and a service, responsibility for failures across third-, fourth- or n-party relationships ultimately remains with the organisation that relies on them.
That responsibility is becoming harder to discharge as visibility into external risk diminishes and leverage over vendors remains limited. Appikonda points to the growing number of products that are deeply embedded within firms’ technical infrastructure, making them difficult to monitor for a wide range of risks — from technical and security threats to geopolitical exposure or concentration risk.
Where a small number of providers dominate a market, a single failure can cascade across multiple firms, leaving little room for mitigation or substitution. Recent incidents such as the AWS outage and the CrowdStrike failure illustrate how a problem at one dominant provider can quickly become systemic. Even where contracts include a ‘right to audit’, Appikonda notes that critical technical components can remain effectively invisible and “near impossible to audit”.
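The nested dependencies Pinnick describes and the concentration risk Appikonda raises above both become visible once the vendor estate is modelled as a graph rather than a flat register of direct contracts. The following Python is an added example written for this page, not code from the article or from any firm quoted in it; every service, provider and dependency edge is constructed and hypothetical, standing in for a firm’s own vendor register and its suppliers’ sub-outsourcing disclosures.

```python
"""Vendor dependency graph: surfacing nth-party dependencies and concentration risk.

Added example for this page, not code from the article or from any firm quoted
in it. Every service, provider and dependency edge below is constructed for
illustration; substitute your own vendor register and contract data.
"""
from collections import defaultdict, deque

# Constructed sample data (hypothetical names).
# Critical business services -> the third parties they consume directly.
SERVICES = {
    "payments": ["pay-gateway", "kyc-screening"],
    "trading": ["market-data", "endpoint-protection"],
    "client-portal": ["saas-crm", "endpoint-protection"],
}

# Each provider -> the sub-providers it relies on, as learned from the vendor's
# own sub-outsourcing disclosures. An empty list means none declared.
PROVIDER_DEPS = {
    "pay-gateway": ["cloud-a"],
    "kyc-screening": ["cloud-a", "watchlist-feed"],
    "market-data": ["cloud-b"],
    "saas-crm": ["cloud-a"],
    "endpoint-protection": [],
    "watchlist-feed": ["cloud-a"],
    "cloud-a": [],
    "cloud-b": [],
}


def transitive_deps(direct, deps):
    """Breadth-first walk from a service's direct vendors down the chain.

    Returns {provider: tier}, where tier 1 is a third party, tier 2 a fourth
    party, and so on. The `seen` check handles diamonds (two vendors sharing
    a sub-provider) and any cycle present in badly declared data.
    """
    seen = {}
    queue = deque((p, 1) for p in direct)
    while queue:
        node, tier = queue.popleft()
        if node in seen:
            continue
        seen[node] = tier
        for sub in deps.get(node, []):
            if sub not in seen:
                queue.append((sub, tier + 1))
    return seen


def service_exposure(services=SERVICES, deps=PROVIDER_DEPS):
    """Full provider exposure, by tier, for every critical service."""
    return {svc: transitive_deps(direct, deps) for svc, direct in services.items()}


def hidden_dependencies(services=SERVICES, deps=PROVIDER_DEPS):
    """Providers a service relies on only indirectly (tier >= 2).

    These are the fourth-/nth-party dependencies that a register of direct
    contracts never lists and that tend to surface only during an outage.
    """
    return {
        svc: sorted(p for p, tier in exposed.items() if tier >= 2)
        for svc, exposed in service_exposure(services, deps).items()
    }


def concentration(services=SERVICES, deps=PROVIDER_DEPS, threshold=2):
    """Providers, at any tier, that underpin at least `threshold` services.

    A failure here cascades across several business lines at once, which is
    the systemic pattern a dominant cloud or endpoint vendor can produce.
    """
    supported = defaultdict(set)
    for svc, exposed in service_exposure(services, deps).items():
        for provider in exposed:
            supported[provider].add(svc)
    return {p: sorted(s) for p, s in supported.items() if len(s) >= threshold}


def blast_radius(provider, services=SERVICES, deps=PROVIDER_DEPS):
    """Services impacted if `provider` fails, whether contracted directly or not."""
    return sorted(
        svc for svc, exposed in service_exposure(services, deps).items()
        if provider in exposed
    )


if __name__ == "__main__":
    for svc, hidden in hidden_dependencies().items():
        print(f"{svc}: indirect (fourth-party and beyond) -> {hidden}")
    for provider, affected in concentration().items():
        print(f"concentration: {provider} underpins {affected}")
    print("blast radius of cloud-a:", blast_radius("cloud-a"))
```

In the constructed data, “cloud-a” never appears in any direct contract for the client portal or payments, yet it sits beneath both; `hidden_dependencies` exposes that, and `concentration` flags it alongside the endpoint agent that two services share directly. `blast_radius` answers the question the CrowdStrike and AWS incidents force on an incident commander: which of our services are down when this one provider is. The same walk works with real data only as far as vendors disclose their own sub-outsourcing, which is why the contractual disclosure and audit rights discussed in this article matter to the model’s completeness.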
These challenges expose the limits of traditional vendor assessments. Current approaches, he argues, are tightly scoped and tend to focus only on the vendor product itself, overlooking the wider interconnected ecosystem on which it depends. There is also a fundamental mismatch of pace: digital systems evolve continuously, while assessments are typically conducted “at human speed”, capturing risk only at a single point in time. The result is an approach to third-party risk that Appikonda describes as “hopelessly inadequate”.
What is needed instead is real-time visibility across the entire attack surface. The risk environment is complex and constantly changing, which means resilience depends on monitoring the full ecosystem of interconnected technologies rather than a narrow list of suppliers. Appikonda points to the progress made in fraud management through real-time monitoring as an example of what is possible, but stresses that true resilience must be embedded into the technology ecosystem itself, not bolted on through periodic reviews.
Balancing this level of oversight with regulatory expectations requires firms to be more deliberate in how they structure their third-party relationships. Appikonda explains that organisations increasingly classify business processes, systems and n-party dependencies by criticality, focusing resilience efforts on their most important tier-one relationships. Contracts are becoming tighter, with ‘compliance-by-design’ principles used to increase leverage, while continuous monitoring improves visibility into emerging risks. AI and predictive modelling also play a role, helping firms build a broader and more nuanced view of their exposure.
Regulators, he notes, are not blind to the limitations firms face. Guidance is regularly updated to reflect emerging threats, with an emphasis on continuous improvement and demonstrable resilience rather than static compliance. But when failures occur, responsibility is clearly defined. Regulators hold firms accountable for compliance breaches, data loss or service disruptions, regardless of whether the root cause sits within a vendor’s systems or their own.
That accountability extends to the highest levels of the organisation. Boards of Directors are responsible for digital resilience and risk management, and regulators may hold board members, Chief Information Security Officers or Chief Risk Officers personally liable if they cannot demonstrate robust oversight or reasonable mitigation of vendor risk. Regulations such as GDPR place legal responsibility with the organisation that controls the data, requiring rapid notification of customers and regulators — within 72 hours under GDPR, or by the end of the business day under DORA.
In practice, Appikonda observes, those timelines are often missed, with notifications delayed by weeks or even months. The consequences are increasingly visible, in the form of class-action lawsuits and sustained reputational damage. While n-party vendors may see their liability capped contractually and avoid brand fallout, the firms that rely on them bear the loss of customer trust — a reminder that in interconnected ecosystems, risk may be shared operationally, but accountability is not.
Sitting on the margins
From RelyComply’s perspective, third-party risk can no longer be treated as something that sits at the margins of a firm’s compliance framework. Financial institutions today operate across digital, distributed ecosystems that extend well beyond physical offices, with vendors, consultants and subcontractors often spread across multiple jurisdictions. This global interconnectedness introduces significant complexity for both know your customer (KYC) and know your vendor (KYV) obligations.
Regulatory expectations differ markedly by region and by sector, creating layers of exposure that are difficult to manage at scale. Firms operating across financial services, technology and legal markets each bring distinct risk profiles, shaped by local governance standards that may be strong, inconsistent or entirely absent. When multiplied across hundreds or thousands of third-party relationships, these disparities can create gaps in AML and fraud controls. In effect, an organisation’s compliance strength becomes the sum of its external dependencies.
RelyComply also points to the accelerating spread of more stringent anti-financial crime and data protection requirements worldwide. Global standard setters such as the FATF, alongside regional regulators, are expanding KYC and AML accountability across new industries, while frameworks like GDPR and ISO 27001 continue to raise expectations around data security. In this environment, weak or outdated compliance practices act as clear warning signs for firms assessing potential partners.
Understanding the breadth of applicable data-driven regulations is therefore essential when designing onboarding and ongoing due diligence processes. While third-party credentials and controls must be assessed, responsibility ultimately sits with the financial institution to define appropriate risk thresholds within its KYC and KYV platforms. Any AML failure or data breach at a vendor will have direct implications for the firm it supports, reinforcing the need for systems that can proactively identify sanctions exposure, politically exposed persons (PEPs) and other red flags before a relationship progresses.
According to RelyComply, the technology to manage these risks already exists, but must be deployed with regional and operational nuance. KYC solutions can be tailored to jurisdiction-specific requirements and extended beyond initial identity checks through real-time monitoring against watchlists and government records. Automated workflows allow risk profiles to be continuously refreshed, ensuring that changes in a vendor’s compliance status are detected as they occur.
Ultimately, RelyComply argues that KYC and KYV must be treated as ongoing disciplines rather than one-off exercises. Third-party risk can evolve rapidly and create knock-on effects across an organisation’s compliance framework. Firms without the tools to monitor and respond to those shifts in real time face consequences that extend far beyond commercial disruption — many of which are preventable with the right systems in place.
Big shift
Third-party risk has shifted from a peripheral concern to a structural one, claims chief revenue officer of Label, Scott Nice. In regimes such as FATCA, CRS and KYC/AML, firms no longer just use external vendors to support compliance processes — they rely on them to shape regulatory outcomes. Data providers, screening engines, classification tools and reporting platforms now sit directly in the decision-making chain, meaning weaknesses outside the organisation can quickly become compliance failures within it, he believes.
For Nice, the third-party risks that are hardest to monitor and mitigate are embedded decision logic, data provenance and lineage, sub-outsourcing and fourth-party dependencies, and model updates made without sufficient client transparency.
He said, “Are current vendor assessments sufficient in a world of interconnected platforms? No. Annual questionnaires and SOC reports are insufficient for dynamic AI-driven systems. Firms need continuous assurance, change management visibility, and contractual audit rights, particularly where regulatory determinations are automated.”
Asked how firms balance efficiency with regulatory expectations for third-party oversight, Nice remarked that, in his view, efficiency is not the regulator’s priority; control is.
He said that firms must demonstrate oversight of vendor models, clear escalation paths and documented accountability for failures.
Nice concluded, “Regulators consistently hold the regulated entity accountable. Vendor contracts may shift commercial liability, but regulatory liability remains in-house. This is why RegTech selection is a governance decision, not just a technology one.”