The Third-Party Risk Explosion
Every digital transformation initiative increases your vendor count. Every SaaS adoption expands your attack surface. Every API integration creates a potential breach pathway. Indian regulated entities now average 45+ IT vendors with some form of data access or system connectivity, and that count grows annually.
The statistics are sobering: 82% of confirmed data breaches involve at least one third-party vendor in the attack chain. This isn't surprising: attackers follow the path of least resistance, and a vendor's security posture is often weaker than a regulated entity's own controls.
SEBI recognized this reality when it included vendor risk management under ID.2 of the CSCRF. RBI's outsourcing guidelines add additional requirements for banks and NBFCs. ISO 27001:2022 dedicated specific controls (A.5.19-A.5.22) to supplier relationships. The regulatory message is clear: your vendors' security is your security.
Why Current TPRM Programs Fail
Building a TPRM Program With Teeth
Step 1: Vendor Inventory and Classification
Start with a complete inventory of all vendors with data access or system connectivity. For each vendor, capture: services provided, data accessed (type and sensitivity), system connectivity (VPN, API, direct access), contract status, and last assessment date. Then classify vendors into tiers based on risk, not spend:
- Tier 1 (Critical): Vendors with access to sensitive data or critical systems. Direct impact on regulatory compliance. Examples: core banking vendor, cloud infrastructure provider, SIEM provider
- Tier 2 (Important): Vendors with limited data access or non-critical system connectivity. Examples: HR SaaS, collaboration tools, development tools
- Tier 3 (Standard): Vendors with no data access and no system connectivity. Examples: office supplies, facility management, physical security
Step 2: Risk-Proportionate Assessment
Apply assessment rigor proportionate to the vendor's risk tier:
- Tier 1: Comprehensive security assessment: questionnaire + evidence review + external validation (penetration test results, SOC 2 report, ISO 27001 certificate). Annual reassessment with quarterly monitoring. On-site assessment for critical vendors
- Tier 2: Standard security questionnaire with evidence for key controls (access management, encryption, incident response, backup). Annual reassessment
- Tier 3: Self-certification against basic security requirements. Assessment at onboarding and contract renewal
Step 3: Contractual Security Requirements
Security requirements must be contractually binding, not aspirational. Key contractual clauses:
- Security obligations: Specific security controls the vendor must maintain, referenced to a standard (ISO 27001, SOC 2)
- Incident notification: Vendor must notify within a defined window (24 hours for Tier 1, 72 hours for Tier 2). Must include: incident nature, data affected, containment actions, and point of contact
- Audit rights: Right to audit or assess vendor security posture, with defined frequency and scope
- Sub-contractor controls: Vendor must apply equivalent security controls to sub-contractors processing your data
- Data handling: Data classification handling, encryption requirements, retention and deletion obligations, cross-border transfer restrictions
- Termination provisions: Data return/destruction on contract end, transition period security obligations
Step 4: Continuous Monitoring
Annual assessments are necessary but insufficient. Between assessments, monitor Tier 1 vendors for: public breach disclosures, security rating changes, regulatory actions, certificate expiry, and personnel changes in key security roles. For technology vendors, monitor: vulnerability disclosures in their products, patch release timeliness, and security advisory quality.
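The four steps above, worked through as an added example that is not the page's own tooling: a small Python script that applies the Step 1 tiering rules to a vendor register, checks each vendor against the Step 2 reassessment and monitoring cadence and the Step 3 contract requirement, and surfaces the gaps that Step 4 monitoring should catch. The vendor records, the data-type and connectivity labels, and the dates are assumptions constructed for illustration.

```python
"""Vendor register tiering and assessment-cadence check.

Added example, not code from the original page. The vendor records,
data-type labels and connectivity labels below are constructed
assumptions; the tier rules and cadences follow Steps 1 and 2 above.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed labels. Sensitive data or a critical system puts a vendor in
# Tier 1; any other data access or system connectivity is Tier 2.
SENSITIVE_DATA = {"pii", "financial", "credentials"}
SYSTEM_CONNECTIVITY = {"vpn", "api", "direct"}

# Cadences from Step 2: annual reassessment for Tier 1 and 2, quarterly
# monitoring for Tier 1. Tier 3 is assessed at onboarding and renewal only.
REASSESS_DAYS = {1: 365, 2: 365}
MONITOR_DAYS = {1: 90}


@dataclass
class Vendor:
    name: str
    services: str
    data_types: set           # empty set means no data access
    connectivity: set         # empty set means no system connectivity
    critical_system: bool     # touches a critical system (core banking, SIEM, ...)
    security_clauses: bool    # contract carries the Step 3 clauses
    last_assessed: Optional[date]
    last_monitored: Optional[date] = None


def classify(v: Vendor) -> int:
    """Step 1 tiering: driven by access and connectivity, not spend."""
    if v.critical_system or (v.data_types & SENSITIVE_DATA):
        return 1
    if v.data_types or (v.connectivity & SYSTEM_CONNECTIVITY):
        return 2
    return 3


def findings(v: Vendor, today: date) -> list:
    """Gaps against the cadence and contract rules for the vendor's tier."""
    tier = classify(v)
    out = []
    if v.last_assessed is None:
        out.append("never assessed")   # onboarded without security review
    elif tier in REASSESS_DAYS and (today - v.last_assessed).days > REASSESS_DAYS[tier]:
        out.append("reassessment overdue")
    if tier in MONITOR_DAYS and (
        v.last_monitored is None
        or (today - v.last_monitored).days > MONITOR_DAYS[tier]
    ):
        out.append("quarterly monitoring overdue")
    if tier <= 2 and not v.security_clauses:
        out.append("no contractual security clauses")
    return out


def review_register(vendors, today: date) -> dict:
    """Map vendor name -> (tier, list of findings)."""
    return {v.name: (classify(v), findings(v, today)) for v in vendors}


# Constructed sample register (hypothetical vendors and dates).
TODAY = date(2025, 3, 1)
SAMPLE_VENDORS = [
    Vendor("CoreBankCo", "core banking platform", {"financial", "pii"}, {"direct"},
           True, True, date(2024, 6, 1), date(2024, 11, 15)),
    Vendor("CollabTool", "team chat and file sharing", {"documents"}, {"api"},
           False, False, date(2023, 12, 1)),
    # Shadow vendor: onboarded by a business unit, never reviewed by security.
    Vendor("AnalyticsStartup", "customer analytics", {"pii"}, {"api"},
           False, False, None),
    Vendor("OfficeSupplies", "stationery", set(), set(), False, False, None),
]


def run_sample() -> dict:
    """Run the review over the constructed register."""
    return review_register(SAMPLE_VENDORS, TODAY)


if __name__ == "__main__":
    for name, (tier, gaps) in sorted(run_sample().items(), key=lambda kv: kv[1][0]):
        print(f"Tier {tier}  {name:18} {', '.join(gaps) or 'ok'}")
```

The register is deliberately keyed on what a vendor can reach, not what it is paid: the unreviewed analytics vendor with PII and API access lands in Tier 1 alongside the core banking platform, which is the point the CISO quote below makes about shadow vendors.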
"We had 52 vendors on our register. When we actually mapped data access and system connectivity, we discovered 23 additional vendors that business units had onboarded without security review. Our real vendor risk surface was 44% larger than we thought."
- CISO, SEBI-Regulated Clearing Corporation
Before: Checkbox TPRM
- Vendor list maintained in spreadsheet by procurement
- Generic security questionnaire sent annually
- Vendors self-certify with no evidence review
- No tiering: same process for all vendors
- No contractual security clauses
- No monitoring between assessments
After: Risk-Based TPRM
- Complete vendor inventory with data and system mapping
- Risk-tiered assessment with proportionate rigor
- Evidence-based assessment for Tier 1 vendors
- Contractual security clauses with audit rights
- Continuous monitoring for critical vendors
- Board-level vendor risk reporting quarterly
SEBI CSCRF ID.2: Vendor Risk Requirements
SEBI CSCRF ID.2 requires regulated entities to: identify and document all third-party service providers, assess the cyber risk associated with third-party relationships, ensure contractual provisions for security compliance, monitor third-party risk on an ongoing basis, and include third-party risks in the overall risk register.
Importantly, SEBI expects the vendor risk assessment to be integrated into the overall CSCRF compliance posture, not maintained as a separate program. Vendor risks that affect CSCRF controls must be reflected in the entity's risk register and addressed in the CEO Declaration evidence pack.
Board Investment Case: TPRM Program
TPRM / Vendor Risk Assessment: Practitioner Toolkit
Maintain vendor inventory with risk tiering, execute proportionate security assessments, track contractual compliance, monitor vendor risk continuously, and generate SEBI CSCRF-aligned vendor risk reports.