man at desk looking at triple desktop monitors in a server room.

How Telcos Can Manage Rising Third-Party Risks

Paul Kooney, Managing Director Security and Privacy
Andrew D'Angelo, Director Data Technology Risk & Resilience

The use of third-party systems and equipment by telecommunications service providers may be as old as the first telegraph transmission. It’s nothing new, but things have changed quite dramatically since those early days. Telcos today depend on a complex web of technologies to deliver critical services to consumers as well as enterprises — a business reality fraught with risk.

The big picture: Recently, reliance on third-party vendors has grown exponentially in lockstep with rapid digitization. Telcos are deploying or integrating transformational technologies like the Internet of Things, 5G and artificial intelligence (AI) to drive revenue, manage costs and meet customers’ changing digital expectations. In the process, these vendors have stretched their risk management resources to capacity and face significant financial, reputational and liability risks associated with threats such as third-party service outages, data loss, fraud and supply chain disruptions. It is no surprise that in Protiviti’s 2024 Top Risks Survey report highlighting top-of-mind risks for directors and executives around the globe, leaders from the technology, media and telecommunications industry group ranked third-party risk fifth out of 36 different risks considered, in terms of impact on the business.

To mitigate the impact of third-party risks, risk-mature telcos have become adept at:

  • Aligning their vendor management strategies with the organization’s risk appetite
  • Sustainably conducting sound inherent-risk prioritization, initial due diligence and continuous monitoring commensurate with risk
  • Mapping vendor services to business processes and contingency plans for improved operational resilience

The bottom line: Telcos are large organizations. Implementing a robust, sustainable third-party risk management program requires alignment among multiple risk functions, as well as significant investment and expertise. As technology evolves, telcos must stay focused on the task at hand and be able to demonstrate continuous progress while adapting to business objectives and volatile external factors.

How do you adapt and consistently apply a methodology aligned with the organization’s risk appetite and business objectives? Here are a few steps every telco should consider.

Risk assessment considerations

There are many important considerations — practical and strategic — when it comes to risk assessment. For instance, a robust third-party risk management program will assess risk at a hierarchical service level — which could mean different levels of due diligence among multiple services for one vendor. Tactically, this important step involves understanding the services provided, mapping business process dependencies and reinforcing the organization’s visibility into applicable vendor controls.

Strategically, it helps demonstrate a measure of completeness when viewing aggregate vendor risk, driving business decisions, contractual negotiations with individual suppliers and overall value to the business through risk managed at a program level. Creating one overarching risk assessment without distinguishing and viewing each vendor service individually may be cost-effective, but it also compromises risk visibility and affects business leaders’ ability to make informed, risk-based decisions.

Different telcos approach vendor risk management differently, but the core fundamentals remain consistent. Third-party risk program leaders should seek a single source of truth and inventory of the organization’s vendor engagements and should employ a qualifiable, consistent methodology to risk-tier and prioritize finite due diligence resources. Organizations should avoid, for example, focusing their third-party risk management programs too heavily on technology or software vendors. While this is a convenient area of focus, given heavy technology implications, organizations can be left with unexamined exposure and tough questions about why nonsoftware engagements were deemed less worthy of rigor. Some may be just as likely avenues for ransomware — or much worse.

Telcos also provide a considerable amount of critical infrastructure for government use, which puts them in a rather specific risk lens. The information and communications technology supply chain is only as strong as its weakest link. It can serve as a gateway for state-sponsored adversaries to infiltrate companies, governments and critical infrastructure systems serviced by telcos. The Cybersecurity and Infrastructure Security Agency routinely warns of a staggering number of supply chain vulnerabilities that are being introduced during various phases of the software and hardware product life cycle, with geopolitical undertones to boot.

According to at least one estimate, 45% of companies will experience an attack on their software supply chain by 2025. To minimize this risk, telcos should reevaluate the risk of using software or hardware made in or owned by nations known to be active cyber actors. Experts recommend establishing baseline security standards and developing a framework for a bill of materials, which is required for telcos that do business with the federal government under Executive Order 14028.

Harmonization across functions

Roles and responsibilities should be clearly defined to drive expectations between business units and third-party risk functions such as cybersecurity, privacy, operational risk, financial risk, compliance and procurement.

It is important to track roles and responsibilities from a wider technology-ecosystem perspective as well. In addition to a complex range of services, telcos are heavily dependent on hard infrastructure (e.g., underground cables, satellite dishes, cable boxes), often simultaneously driving and innovating in serving consumers and enterprises. A telco’s place in the technology supply chain can be fluid at times, and the lines between internal and external control environments can become blurred. Organizations must stay ahead of ambiguities in controls supporting the organization’s operations and protecting critical assets — this starts from within.

Managing third-party risks in the age of AI

As with any new technology delivered by a third party, it is key to ascertain which controls are native to the vendor’s AI tooling, which controls require upkeep, and by whom. As impactful AI has already been and portends to be, telco leaders must avoid scrutinizing one type of disruptive technology above others, despite how important technology is to market success. Rather, program leaders should have a continuous process to assess the impact of any new technologies affecting the vendor risk portfolio and capture pertinent risk information accordingly. The ability to assess the impacts of new technologies — and related risks — nimbly and meaningfully can make or break a third-party risk management program’s working relationship with the business and C-suite.

Finally, remember that adversaries are also harnessing AI. With AI-powered analytics, fraudsters can rapidly sift through the large haystack of telco data discovered on the dark web for sensitive information where it would previously have taken them months.

Important takeaway: When it comes to third-party risk management, the two major pain points for telcos are harmonizing various functions at the program level and consistently conducting due diligence across a staggering variety of third-party services. These crucial activities can help telcos manage these issues:

  • Define roles and responsibilities concerning third-party risk management throughout the organization.
  • Maintain a central vendor inventory prioritized based upon consistent, qualified risk attributes.
  • Link the inventory to the organization’s business processes and applications.
  • Manage costs by matching the rigor of due diligence to the risk associated with each service.
  • Proactively avoid issue backlogs by carefully prioritizing controls assessed during due diligence.
  • Stay prepared to assimilate disruptive technologies as a matter of business as usual.

To learn more about how to manage third-party risks effectively, visit

Michael Lyons, Protiviti’s global head of telecommunications, contributed to this blog article.

Add comment