Critical Vendor / Critical Third Party
A critical vendor or critical third party is an external organization whose failure, compromise, or disruption would have a material impact on the first party's operations, revenue, regulatory standing, or data security. Identifying and classifying critical vendors is a foundational step in any third-party cyber risk management program, as these relationships require the most rigorous assessment, the most frequent monitoring, and the most detailed contractual protections.