
According to the Verizon 2025 Data Breach Investigations Report, third-party involvement now accounts for 30% of confirmed breaches — double the roughly 15% figure from the prior year. SolarWinds compromised approximately 18,000 organizations through a single malicious software update. MOVEit eventually affected over 2,700 organizations and nearly 96 million individuals.
The core problem is visibility. Organizations can't control what they can't see, and vendor security postures are rarely transparent. Without structured metrics and a scoring approach, third-party risk stays a gut-feel judgment call — exactly the kind of blind spot that creates board liability.
This post covers what third-party cyber risk evaluation actually involves, the metrics that reveal true vendor risk, a step-by-step evaluation framework, and how to translate those metrics into decisions boards can act on.
TL;DR
- Third-party cyber risk evaluation is the structured process of assessing vendor security posture to understand what risk each vendor introduces to your organization.
- Key metrics include security posture scores, MTTD/MTTR, patch response rates, compliance status, breach history, and access controls.
- Evaluation works best as a repeatable six-step framework: inventory, tier, gather evidence, score, interpret, act.
- Metrics only matter when connected to thresholds that trigger real decisions, not just dashboards.
- Boards need trend-based reporting: the direction a vendor's risk score is moving matters as much as the score itself.
What Is Third-Party Cyber Risk Evaluation?
Third-party cyber risk is the security exposure your organization inherits from vendors, contractors, and service providers with access to your networks, applications, or sensitive data. The key difference from internal risk: you have far less visibility and control over third parties, which is exactly what makes structured evaluation necessary.
This discipline has shifted from IT function to governance priority for good reason. Gartner forecasts worldwide public cloud spending will reach $723.4 billion in 2025, and 90% of organizations are expected to use hybrid cloud through 2027. Vendor dependencies have multiplied across every sector.
The result is that a compromise at a single trusted provider — as SolarWinds and MOVEit demonstrated — can cascade across hundreds of downstream organizations simultaneously. These are board-level events, not IT incidents.
The evaluation gap most organizations haven't closed:
- Treating vendor assessment as a one-time onboarding checkbox
- Relying entirely on self-reported questionnaires without external validation
- Producing vendor risk reports that lack defined thresholds or decision paths
- Presenting point-in-time scores rather than trend data
According to the WEF Global Cybersecurity Outlook 2024, **54% of organizations report insufficient understanding of supply chain cyber vulnerabilities**, and 41% of organizations that experienced a material incident in the prior year traced it to a third party.
Vendor security postures change, new vulnerabilities emerge, and business relationships evolve. A structured evaluation program accounts for that movement — tracking trends over time, not just capturing a snapshot at contract signing.
Key Metrics and Scores for Third-Party Cyber Risk
Not all metrics carry equal weight. The goal is a small set of indicators that together paint a reliable picture of actual vendor risk — not an exhaustive data collection exercise. Some are leading indicators — signals of what might go wrong. Others are lagging indicators — evidence of what already happened and how the vendor responded.
Security Posture Score
A security posture score is a composite rating — typically generated by a risk rating platform — reflecting a vendor's overall cybersecurity health at a point in time. Common inputs include security policy maturity, open vulnerabilities, patch cadence, incident history, and compliance certifications.
A single score is a starting point, not a conclusion. What matters for evaluation is whether the score is improving or declining over time, and how it compares to peer benchmarks. A vendor with a stable 72 is a different story than one that scored 85 six months ago and is trending downward.
Incident Response Time: MTTD and MTTR
Mean time to detect (MTTD) and mean time to respond (MTTR) reveal whether a vendor has the monitoring capabilities and processes to catch and contain threats quickly. A long detection window gives attackers time to pivot from a vendor's environment into yours.
IBM's 2024 Cost of a Data Breach report put the global average at 194 days to identify a breach and 64 days to contain it (258 days end to end). In financial services specifically, it was 168 days to identify and 51 days to contain. For vendors in regulated industries, those sector benchmarks set a reasonable baseline expectation. One caveat when collecting the metric: IBM measures identification and containment, so ask vendors to report MTTD and MTTR on the same definitions (time from initial compromise to detection, and from detection to containment) rather than accepting a single unqualified number that cannot be compared to anything.
Vulnerability Management and Patch Response
An unpatched vendor environment is an open door. Key indicators:
- Time to patch critical vulnerabilities after public disclosure
- Number of unresolved high-severity findings
- Patching frequency across the vendor's environment
Google Mandiant found the median time from vulnerability disclosure to exploitation was 43 days for 2023 vulnerabilities. Verizon's 2024 DBIR found it takes approximately 55 days to remediate 50% of CISA Known Exploited Vulnerabilities after patches become available. That gap — between when patches exist and when organizations apply them — is where breaches happen.

PCI DSS v4.0 Requirement 6.3.3 sets a concrete baseline: critical or high-security patches must be installed within one month of release. When a vendor reports time-to-patch, pin down the clock: measure from public disclosure, not from when the vendor opened an internal ticket, and ask for CISA KEV entries to be reported separately, since those are the vulnerabilities known to be exploited in the wild.
Compliance Posture and Regulatory Alignment
Compliance status functions as both a direct indicator and a proxy for security discipline. Relevant frameworks to evaluate against:
- SOC 2 Type II — security, availability, processing integrity, confidentiality, privacy. A Type II report covers operating effectiveness over a review period, where a Type I only reviews control design at a point in time; read the exceptions the auditor noted and the complementary user entity controls the vendor expects you to operate on your side
- ISO/IEC 27001 — certification of an information security management system (ISMS). Check that the certificate's scope statement actually covers the services, systems, and locations you consume; a narrowly scoped certificate says little about the rest of the vendor
- PCI DSS v4.0 — for vendors handling payment card data
- HIPAA — for vendors handling protected health information
A vendor with patchy compliance history reveals a cultural gap, not just a regulatory one. Their failures can directly affect your organization's own regulatory standing. Morgan Stanley paid a $35 million SEC penalty in 2022 partially due to failures involving a vendor used to decommission equipment containing customer data.
Data Breach History and Remediation Behavior
Past breach history isn't automatically disqualifying. What matters is how the vendor responded. Look for:
- Number and severity of prior incidents
- Speed of disclosure and containment
- Concrete security changes made after the breach
A vendor that experienced a breach and made demonstrable structural improvements is a materially different risk than one with repeated incidents and superficial responses.
Access Control and Privilege Management
The risk a vendor poses correlates directly with the access they hold. Evaluation metrics include:
- Number of privileged accounts with access to your environment
- Frequency and rigor of access reviews
- Account de-provisioning practices when staff or integrations change
Access risk and operational resilience are connected. A vendor with poor recovery capabilities can take your operations down alongside their own. Evaluate Recovery Time Objective (RTO) and Recovery Point Objective (RPO) to understand how quickly they can restore services after a disruption.
How to Build Your Third-Party Cyber Risk Evaluation Framework
The most common failure mode: organizations treat vendor evaluation as an onboarding event and go dark until something goes wrong. The goal here is a repeatable process that works before, during, and after incidents.
Step 1 – Build a Vendor Inventory and Tier by Risk
Document every vendor with access to your data, systems, or operational processes. Then tier them using plain business questions:
- Tier 1 (High Risk): Production access or admin rights, stores sensitive or regulated data, processes payments, supports business-critical operations, outage would stop revenue or create compliance violations
- Tier 2 (Medium Risk): User-level access, handles less sensitive data, limited but meaningful exposure
- Tier 3 (Low Risk): Minimal access, strong isolation, limited business impact

Keep the Tier 1 list tight — typically 10 to 30 vendors. When the critical tier balloons to 80 vendors, board reporting becomes a catalog rather than a decision tool. Tiering drives where to invest evaluation depth.
Step 2 – Define Scoring Criteria and Thresholds
Before assessing a single vendor, establish what "acceptable," "concerning," and "unacceptable" look like for each metric. Set thresholds tied to real decisions:
- What score or finding triggers a remediation conversation?
- What triggers a contract review?
- What triggers escalation to the board?
Without defined thresholds, metrics generate reports but not action. Each threshold should have a named owner — who decides, and at what level.
Step 3 – Gather Evidence
Match evidence requirements to vendor tier:
- Tier 3: Short security questionnaire
- Tier 2: Questionnaire plus document review (SOC 2, ISO certifications)
- Tier 1: Questionnaire, document review, and a focused review call — plus external attack surface scanning
Self-reported questionnaires alone are insufficient. External validation reveals what vendors may not know or disclose about their own exposure.
For early-stage vendors without formal certifications, compensating controls — limited access, no production data, shorter contract terms, a security roadmap with dates, and a right-to-audit clause — can manage the gap without blocking the relationship.
Step 4 – Score, Rate, and Flag
Apply your defined scoring criteria consistently across vendors to enable comparison. Flag any vendor where a single high-severity finding warrants escalation regardless of overall score — for example, a critical unpatched vulnerability on an internet-facing system holding your data.
Pair scores with impact and confidence levels. A vendor with a good score but stale evidence (last SOC 2 from 18 months ago, no recent pen test) deserves a lower confidence rating than the number alone suggests.
Step 5 – Interpret Results and Identify Red Zones
Once scores are in, the work shifts from measuring to deciding. Distinguish between:
- Vendors whose risk is manageable with existing controls
- Vendors requiring remediation before continued engagement
- Vendors where the combination of access level and security posture creates unacceptable exposure
Common interpretation mistakes: treating a good score as full clearance, or ignoring trend direction in favor of a point-in-time snapshot. A vendor trending downward for three consecutive quarters — especially one with sensitive data access — is a board-level signal regardless of their current absolute score.
Step 6 – Act, Monitor, and Reassess
For each out-of-tolerance vendor, convert the finding into one of four decision paths:
- Accept — approve a time-bound exception with an expiry date and named owner
- Reduce — require internal controls and deadlines with evidence tracking
- Transfer — shift exposure through insurance, indemnity, or stronger contract terms
- Replace — initiate an exit plan with data return and cutover steps
Set a reassessment cadence tied to vendor tier: Tier 1 quarterly with continuous monitoring, Tier 2 semi-annually, Tier 3 annually — plus trigger-based reassessment after any significant vendor security incident, major architectural change, or contract renewal.
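The six steps above, carried through end to end as an added example. This is not the author's tooling and not any rating platform's scoring model: the thresholds (posture below 70 and 55, critical patch time over 30 and 60 days, one and five unresolved high-severity findings, evidence older than 12 and 18 months), the escalation owners, the field names on the `Vendor` record, and the four sample vendors are all assumptions chosen to illustrate the mechanics. Step 2 is where you replace them with thresholds your own owners have signed off on.

```python
# Vendor tiering, threshold scoring and flagging for the six-step framework.
# Added example with assumed thresholds and constructed sample data, not the author's tooling.
from dataclasses import dataclass
from datetime import date
from typing import Optional

LEVELS = ["green", "yellow", "red"]
POSTURE = {"yellow": 70, "red": 55}            # composite score BELOW these values (assumed)
PATCH_DAYS = {"yellow": 31, "red": 61}         # median days to patch criticals AT OR ABOVE these; >30 misses PCI DSS 6.3.3
HIGH_FINDINGS = {"yellow": 1, "red": 5}        # unresolved high-severity findings AT OR ABOVE these (assumed)
EVIDENCE_DAYS = {"high": 365, "medium": 540}   # age of the newest SOC 2 report or pen test (assumed)
CADENCE = {1: "quarterly + continuous monitoring", 2: "semi-annual", 3: "annual"}

@dataclass
class Vendor:
    name: str
    prod_or_admin_access: bool
    regulated_data: bool
    business_critical: bool
    user_level_access: bool
    posture_history: list              # quarterly composite scores, oldest first
    open_high_findings: int
    median_critical_patch_days: int
    unpatched_critical_internet_facing: bool
    last_evidence: Optional[date]      # newest SOC 2 Type II or pen test; None if never provided

def tier(v: Vendor) -> int:
    """Step 1: plain business questions; only exposure that stops revenue or breaks compliance is tier 1."""
    if v.prod_or_admin_access or v.regulated_data or v.business_critical:
        return 1
    return 2 if v.user_level_access else 3

def rate(value, thresholds: dict, higher_is_worse: bool) -> str:
    """Map one metric onto green/yellow/red using the Step 2 thresholds."""
    if higher_is_worse:
        return "red" if value >= thresholds["red"] else "yellow" if value >= thresholds["yellow"] else "green"
    return "red" if value < thresholds["red"] else "yellow" if value < thresholds["yellow"] else "green"

def declining_quarters(history: list) -> int:
    """Trailing count of consecutive quarter-over-quarter declines: the trend, not the snapshot."""
    n = 0
    for newer, older in zip(reversed(history), reversed(history[:-1])):
        if newer >= older:
            break
        n += 1
    return n

def confidence(v: Vendor, as_of: date) -> str:
    """Step 4: stale evidence lowers confidence in the score, not the score itself."""
    if v.last_evidence is None:
        return "low"
    age = (as_of - v.last_evidence).days
    return "high" if age <= EVIDENCE_DAYS["high"] else "medium" if age <= EVIDENCE_DAYS["medium"] else "low"

def evaluate(v: Vendor, as_of: date) -> dict:
    """Steps 4-6: rate each metric, take the worst, apply single-finding overrides, route the decision."""
    t = tier(v)
    ratings = {
        "posture": rate(v.posture_history[-1], POSTURE, higher_is_worse=False),
        "patch_days": rate(v.median_critical_patch_days, PATCH_DAYS, higher_is_worse=True),
        "high_findings": rate(v.open_high_findings, HIGH_FINDINGS, higher_is_worse=True),
    }
    overall = max(ratings.values(), key=LEVELS.index)
    overrides = []
    if v.unpatched_critical_internet_facing:      # one finding that escalates regardless of the score
        overrides.append("unpatched critical vulnerability on an internet-facing system")
        overall = "red"
    trend_flag = declining_quarters(v.posture_history) >= 3
    # Decision rights tied to the threshold (assumed owners): tier 1 red, or tier 1 trending down,
    # is a board item; anything else out of tolerance is a CISO decision; green stays with the vendor owner.
    if t == 1 and (overall == "red" or trend_flag):
        escalate_to = "board"
    elif overall != "green" or trend_flag:
        escalate_to = "CISO"
    else:
        escalate_to = None
    return {"vendor": v.name, "tier": t, "ratings": ratings, "overall": overall, "overrides": overrides,
            "declining_quarters": declining_quarters(v.posture_history), "confidence": confidence(v, as_of),
            "escalate_to": escalate_to, "reassess": CADENCE[t], "needs_decision": escalate_to is not None}

def red_zones(vendors: list, as_of: date) -> list:
    """Step 5 output: out-of-tolerance vendors, tier 1 first and worst rating first within a tier."""
    flagged = [r for r in (evaluate(v, as_of) for v in vendors) if r["needs_decision"]]
    flagged.sort(key=lambda r: (r["tier"], -LEVELS.index(r["overall"])))
    return [(r["vendor"], r["tier"], r["overall"], r["escalate_to"], r["confidence"]) for r in flagged]

# Constructed sample inventory; none of these are real vendors.
AS_OF = date(2025, 6, 30)
SAMPLE = [
    Vendor("PayGateway", True, True, True, True, [82, 80, 81, 83], 0, 20, False, date(2025, 3, 1)),
    Vendor("DataWarehouseCo", True, True, True, True, [85, 81, 77, 72], 2, 28, False, date(2023, 11, 15)),
    Vendor("HelpdeskSaaS", False, False, False, True, [68, 70, 71], 1, 45, False, date(2024, 9, 1)),
    Vendor("NewsletterTool", False, False, False, False, [75, 74], 0, 12, True, None),
]

if __name__ == "__main__":
    for v in SAMPLE:
        print(evaluate(v, AS_OF))
    print(red_zones(SAMPLE, AS_OF))
```

Two of the sample vendors show why the framework is more than a score. DataWarehouseCo has a composite of 72, which is green against the posture threshold, but three consecutive quarterly declines on a tier 1 vendor route it to the board, and a SOC 2 report over 18 months old drops its confidence to low. NewsletterTool is a tier 3 vendor with a healthy composite, yet the single internet-facing unpatched critical overrides everything else and flags it red. The `needs_decision` field is what feeds Step 6: every vendor it marks has to land on one of accept, reduce, transfer, or replace, with a named owner and a date.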
Turning Metrics Into Defensible Board Communication
Security teams can generate metrics. The harder problem is translating them into the language boards use — risk appetite, business exposure, and decision rights. Boards don't need to know what MTTD stands for. They need to know whether vendor risk is trending in the right direction and whether any vendor poses exposure exceeding the organization's tolerance.
What a board-appropriate vendor risk report includes:
- Aggregate risk posture of the vendor portfolio
- Movement since the last reporting period (trend, not just status)
- Any vendors breaching risk thresholds, with the business impact stated plainly
- Decisions or actions required from the board, versus what is being managed at the management level
- Concentration risk statements: "We rely on Vendor X for Y% of customer-facing uptime. Our fallback plan is Z. It is tested / not tested."

According to NACD, 43% of public company directors said improvements in management cyber-risk reporting were very or extremely important for the coming year — confirming that boards want better data, not more data.
Trend-based reporting matters more than point-in-time scores. Three consecutive quarters of decline on a vendor holding sensitive customer data shows up on a trend line and is invisible in a single snapshot, which is why the report should carry the direction of movement for every Tier 1 vendor, not just this period's number.
That trend data only drives action when decision rights are connected to each threshold. A yellow-flagged vendor may be a CISO or risk leader decision. A red-flagged vendor with access to critical systems may require board-level awareness and a formal remediation deadline. Metrics without decision ownership produce reports, not governance.
Tyson Martin's board advisory work addresses this governance gap directly — building vendor risk dashboards that surface trend and material change, with decision paths and escalation thresholds designed to hold under real conditions. Organizations looking to establish this kind of oversight structure can engage him directly.
How Tyson Martin Can Help
Tyson Martin serves as a board advisor and fractional CISO with hands-on experience building third-party risk programs at scale — including enterprise environments at AWS and Fortune 100 retailers like Home Depot and Best Buy. These are programs built and operated under real regulatory scrutiny, not theoretical frameworks applied from the outside.
His vendor risk advisory engagements follow a structured 30-day reset that delivers concrete outcomes quickly:
- Week 1: Unified vendor inventory and three-tier risk classification
- Week 2: Baseline controls and evidence requirements by tier
- Week 3: Contract gap remediation and vendor intake workflow
- Week 4: Board-ready dashboard with trend indicators and escalation paths

Engagements deliver:
- A vendor risk tiering model aligned to business criticality
- Defined KPIs and KRIs with thresholds tied to actual decision rights
- A board reporting format that shows trend and material change without operational noise
- A 90-day plan with owners and measurable outcomes
For organizations navigating a leadership gap, M&A due diligence, or a vendor-triggered incident, Tyson can step in quickly as an interim or fractional CISO to stabilize the program and establish a repeatable foundation.
Frequently Asked Questions
What is third-party cyber risk and why does it matter at the board level?
Third-party cyber risk is the security exposure your organization inherits from vendors and service providers with access to your systems or data. Vendor breaches can trigger regulatory action, shareholder liability, and reputational damage — and SEC cybersecurity disclosure rules and DORA now hold boards explicitly accountable for demonstrating oversight.
What is a vendor risk score and how is it calculated?
A vendor risk score is a composite rating of a vendor's cybersecurity health, typically derived from security policy maturity, open vulnerabilities, patch management, and incident history. Trend direction and peer comparison matter more than any single score.
What is the difference between a KPI and a KRI in third-party risk management?
KPIs measure how well your risk management program is executing — for example, the percentage of critical vendors assessed on schedule. KRIs measure actual risk exposure and signal conditions that could lead to future losses — for example, the number of critical vendors with unresolved high-severity vulnerabilities. Both are needed for a complete picture.
How often should third-party cyber risk assessments be conducted?
Assessment frequency should follow vendor tier: Tier 1 vendors warrant quarterly review plus continuous monitoring, Tier 2 semi-annual review, and Tier 3 annual review. Trigger-based reassessment should occur whenever a vendor experiences a significant security incident, undergoes a major architectural change, or approaches contract renewal.
Which regulatory frameworks govern third-party cyber risk management?
Key frameworks include DORA (effective January 17, 2025) for financial services entities operating in the EU, SEC cybersecurity disclosure rules for US public companies, HIPAA for vendors handling protected health information, and PCI DSS v4.0 for payment data environments. If you operate in financial services or handle health or payment data, at least one of these frameworks applies to your vendor program — and each requires documented evidence of oversight, not just internal security controls.
What should a board-level third-party cyber risk report include?
An effective board report shows the aggregate risk posture of the vendor portfolio, movement since the last reporting period, any vendors breaching risk thresholds, concentration risk statements for critical dependencies, and a clear articulation of what decisions require board attention versus what is already being managed at the executive level.


