How geopolitics and trade policies impact third-party risks (and what businesses can do about it)


In our connected world, it's easy to overlook the incredible achievement that the Internet truly is. It's possible to have a conversation and do business with almost anyone, regardless of where they might be — even while they're on the move! Businesses have been able to find talent, vendors, and partners all over the world to boost their offerings and accelerate growth, bringing about many of the game-changing innovations that we have seen in this century.
In the last few years, though, we’ve seen a number of examples that remind us borders still exist – and they're not just about countries. Since digital services have wound their way into so many aspects of human life, both large and small, legal considerations have appeared at the city and state level, too.
Even more recently, the world is bearing witness to growing geopolitical tensions between many nations, some of which have even resulted in years-long armed conflicts. In this environment, Western countries (in particular) have enacted sanctions and a myriad of trade policies, often with a wide range of impacts on businesses.
Although the tariffs enacted by the Trump administration in the United States received a lot of publicity, European countries have also implemented sanctions or trade policies to impose restrictions on certain types of business deals. As an example, the EU is still looking for a solution regarding the price of Chinese electric cars, while a few European countries have sought to remove Chinese products from their communications networks.
When the business environment changes, organizations that are ready to adapt are more likely to succeed. As companies are forced to switch vendors because of sanctions, find other partners, or expand their supply chain to avoid tariffs, a robust Third-Party Cyber Risk Management (TPCRM) strategy can help keep operations running smoothly.
Business options and solutions
While the existence of our connected world has allowed new types of business to exist and propelled others forward, even small changes to this new ecosystem can lead to significant operational challenges for those same companies.
We should mention that this isn't limited to multinational corporations – small businesses have also found worldwide success, thanks to reduced shipping costs and the capability to reach consumers all over the planet through social media.
Nevertheless, larger businesses tend to be the most affected, usually because they have more complex needs and employ a greater number of third parties. As such, trade policies and geopolitical tensions might compel them to:
- Expand the supply chain to be more resilient against sudden changes in market conditions. Even if none of a company’s vendors or suppliers are directly impacted, they might have to fulfill orders from other market players who were affected by a change in regulation, leading to a sort of domino effect of companies seeking new suppliers.
- Switch vendors if said vendors are sanctioned, affected by tariffs, or in a position where they might not be able to comply with the regulations that a business is subjected to. This can happen when the laws in the third party's jurisdiction become incompatible with the laws their clients or partners are subjected to. We are seeing this happen at a regional level in the European Union in regard to cloud computing, sparking a very divisive political discussion.
Both actions can be quite challenging at a business and operational level. In addition, they can expose the business to new third-party risks.
As a business expands its supply chain, each additional link in that metaphorical chain adds a little more risk, requiring a stronger risk management strategy to avoid issues involving data leaks, reputational damage, or disruptions like ransomware attacks. According to the 2025 Verizon Data Breach Investigations Report, 30% of data loss incidents involve a third party.
Switching vendors and business partners does not necessarily increase an organization's attack surface, but it still puts a business in unfamiliar territory. Even if a previous vendor or partner never had a cybersecurity incident, only a good TPCRM strategy will manage that risk going forward.
How TPCRM can become a key to a resilient business
To mitigate the risk stemming from third parties, businesses employ a variety of methods, such as questionnaires, audits, and testing. Many of these approaches are time-consuming and adversarial, as we discussed in our previous post. They also disregard the cybersecurity challenges faced by smaller businesses, such as the added cost of security features in many software products and services.
In a fast-changing environment where many businesses have to look for new vendors regularly, there are always added complications. Companies could be forced to lower their standards or to fast-track vendor approval processes, sometimes with no plan for future oversight, to avoid sudden disruptions.
To avoid that, businesses should strive to build a TPCRM strategy through which they can be continually assured of their third parties' cybersecurity posture, shifting the focus from the contracting phase to the life cycle of each partnership. To this end, they should build a process by which they can work together with their third parties to close security gaps and weaknesses.
By relying on this collaborative approach, organizations with a higher level of cybersecurity maturity will find that they can expand their ecosystem with less friction. They'll also have more options, as they don't have to worry whether a vendor or partner already meets their cybersecurity requirements.
Through collaboration, it's possible to help partners and vendors achieve a higher maturity level, opening business opportunities for all parties involved that would have been deemed too risky or uncertain before.
A solution with continuous inside-out monitoring helps organizations obtain valuable data about the cybersecurity posture of participating third parties in a way that will lead to objective improvements while also providing assurance that a third party is committed to securing their IT infrastructure.
Among other things, this helps businesses navigate a challenging trade environment, such as the one many are already dealing with.
Cybersecurity is often an enabler for business – and this is even more true in difficult environments where risk could become a limiting factor to growth. Tools that can help us improve and build trust can go a long way toward allowing businesses to maintain their momentum or find new paths to growth.