Peter Samoray
How Do You Handle Cybersecurity and Third-Party Risk Management?

April 25, 2023
/
Cybersecurity

When a data breach occurs, and you have to tell your shareholders or customers that business-sensitive information or their personal information may have been compromised by one of your third-party vendors, nobody is going to look at the third-party vendor — they’ll be looking at the primary organization that was entrusted to protect the data and manage third-party risk appropriately.

A data breach often involves significant amounts of time, resources, and cost to fix a problem caused by a third-party risk that was not managed. However, regardless of how much you clean things up, no remediations will stop the reputational damage that will continue to cost your organization in lost business.

You cannot ignore the potential consequences of failing to manage third-party risk properly.

The "risk" of not managing third-party vendor cyber risk

Beyond managing third-party vendor risk and maintaining customer trust, cyber insurance is becoming a necessity. Meanwhile, premiums are increasing annually as the risk of cyber-attacks and the costs associated with a data breach increase. Effective third-party vendor risk management could make the difference in the cost of your premiums, or even in whether insurers deem your organization eligible for coverage at all.

According to the global IBM Data Breach Report for 2022:

  • The average cost of a data breach in the U.S. is $9.44M
  • For 83% of companies, it’s not a matter of whether a data breach will occur but when and how prepared they will be to deal with such an event.


With today’s increasing integration of applications and interfaces between your organization and your third-party vendor, all aspects of cybersecurity hygiene come into play as your third-party vendor risks become your organizational risks.

The multiple layers of third-party vendors need to be examined, with traceability and accountability at each level for the cybersecurity and privacy practices that may affect your organization’s overall security and its ability to meet regulatory compliance requirements.

Organizations' Views of Third Parties (Adapted from ISACA.org: Managing Third-party Risk)

Third-party vendor risk management is critical to a solid cybersecurity and privacy program in both the public and private sectors.

The Department of Energy (DOE) has developed a concise Cybersecurity Capability Maturity Model for the Energy Sector (C2M2 v2.1, June 2022), which spells out in several sections the importance of reviewing your third-party vendors’ cybersecurity practices. This process includes assessing the security practices of your vendors’ own third-party vendors.

The Federal Trade Commission (FTC) cautions organizations that contract with third-party vendors to handle sensitive personal data about the security practices that should be in place.

The Cybersecurity and Infrastructure Security Agency (CISA) developed a Cyber Resource Hub to provide multiple resources to help the public and private sectors assess risk and their security processes, which can help manage third-party vendors.

Tips to lower your third-party vendor risk

One of the best ways to prevent a data breach is to understand why it would happen.

Malicious actors can have several motivations for breaking into an organization: financial gain, political aims, vindication, or plain old bragging rights within the hacker community. Understanding these motivations can help you understand why your organization may be a target.

Malicious actors may not always try to attack your organization head-on; they may go in through your employees, guests, or third-party vendors — whatever is the easiest method.

Below are some essential tips to help your organization manage third-party vendor risk and the best practices associated with each.

  1. Assess your third-party vendors’ security posture. Understand both their security and privacy program through an assessment. Understand what frameworks and security maturity model(s) their security and privacy programs are aligned with and their vulnerability management process, which could include external audits, certifications, and scanning. Request documented evidence regarding audit reports, security assessment certifications, or vulnerability remediations.
  2. Educate on compliance requirements. Ensure your third-party vendors thoroughly understand any global regulatory compliance laws and requirements your organization must comply with and any cascading requirements the third party needs to align with. Sharing these requirements with your third-party vendor will help your organization and benefit the third party in marketing their ability to support such global requirements.
  3. Employee awareness. People are often the weakest link in most organizations and one of the top causes of data breaches, whether through poor security practices, phishing attacks, or a general lack of training on security best practices. Ensure that both your organization’s and your third-party vendors’ employees are regularly trained and tested on security and privacy best practices and on the appropriate actions to take.
  4. Collaborate regularly. Collaborate with your third-party vendors’ security teams to understand the shared risks, changing threat landscape, intel, and best practices. Having ongoing transparent dialogue will help your organization and third-party vendor organization increase their security postures, which is ultimately the goal of all security departments.
  5. Stay in touch. Vendor risk management is not a one-time activity; there needs to be consistent monitoring, at least annually. There may be changes in the third-party vendor’s security and privacy program and posture that your organization needs to be aware of, and your organization may need to communicate changes in its security requirements that the third-party vendor will need to support.

One of the best ways to manage third-party vendor risk is to understand your organizational and third-party risks and what factors would play into either organization being attacked.

We recently hosted a cybersecurity webinar for public power utilities: “Evolving Cybersecurity Threats & Challenges to Public Power.” Request the slides for this webinar and find more information in an additional blog post: “Can You Spot a Cyberattack?”

Peter Samoray

Peter has over 18 years of cybersecurity experience across multiple sectors, including automotive, defense, telecommunications, retail, consulting, and software development. Peter holds a BA in psychology from Wayne State University, an MS in information systems from the University of Detroit-Mercy, and a certificate in change leadership from Cornell University. Of late, his focus has been on improving the human factor of cybersecurity. Peter maintains the following certifications: CISSP, CISM, CISA, CIPP/US, CIPP/EU, and PMP.
