Mapping and managing cyber risks from third parties and beyond

Learning from the headlines

Every day, businesses experience cybersecurity incidents that can become disruptive, costly, and significantly damage their reputation. Large companies at the center of vast data ecosystems, however, face a particularly thorny problem: managing cyber and privacy risks around information that travels to third parties and beyond. These businesses share data with service providers and subcontractors to improve service delivery and reduce costs. In the process, data changes ownership multiple times and documentation, often containing information directly identifying their business and customers, travels throughout the ecosystem. Third parties are effectively custodians of the original information, and it’s critical to know what steps they are taking to safeguard the information further down the value chain.

Third-party data breaches may force your organization to respond to incidents that are outside of your control or that originate from an indirect source. Although you might not have an obligation to respond under current breach regulations, your organization could still suffer significant reputational damage as a result of the incident. Further, your customers could be at increased risk from criminals seeking to exploit a breach, regardless of how the incident originated.

No matter which industry you are in, from hospitality to healthcare, consider the risks of your documentation traveling through vast ecosystems. How do you manage data protection risks when a large portion of the data you originate travels beyond your control?

Four solutions to managing risks and preparing your business

1. Map your data flow

Prioritize data governance and implement mechanisms for tracking data easily, in both digital and physical formats, by maintaining data records from creation to disposal. Enforce discipline through data ownership and accountability: assign data custodians, implement system controls and monitoring, and enforce security policies as well as data handling procedures and auditing.

2. Assess how third parties safeguard data

Stratify third parties according to risk based on attributes like volume of transactions, regulated data, and data sensitivity type. Take into consideration the impacts of evolving data and privacy laws based on where data is being processed. Conduct assessments and evaluations of these entities and of the security controls they have implemented to protect the organization's information or the access they have been granted.

3. Use leading practices and industry standards

Use cybersecurity assessment and ratings services to create risk profiles for third parties. Cyber threat intelligence reports provide benchmarked data across third parties compared to industry leading practices, and this information can be the basis for creating the risk profiles.

4. Create and stress test a cyber incident playbook

Make your cyber incident response plan consistent with other plans for dealing with threats to business operations. Its components include training the broader company, conducting advance planning and rehearsal, and assigning accountability for communicating with media and stakeholders. Stress test the plan with realistic scenarios, and implement a transparent, interactive customer portal for sharing knowledge and a hotline to answer questions.

The proliferation of cloud and analytics providers who might have data about your customers without your knowledge or oversight is increasing your risk exposure. In the event of a data breach involving third or fourth parties, the key steps we outline can help you quickly answer fundamental questions: Is this our data? Where does it exist? Who did we sell it to? You can’t prevent all breaches involving your customers’ data. But you can do a lot more to provide clarity, transparency, and reassurance in a difficult situation.

Contact us

Sean Joyce

Global Cybersecurity & Privacy Leader, PwC US; Cyber, Risk & Regulatory Leader, PwC US

Gerasimos J. Stellatos

Incident Response Leader, PwC US

Amandeep Lamba

Principal, Cybersecurity and Privacy, PwC US

Joseph Nocera

Cyber, Risk and Regulatory Marketing Lead Partner, PwC US

Dean Spitzer

Principal, PwC US