Public power utilities know this all too well: cyber risk isn’t limited to your four walls. It’s embedded in your suppliers, software providers, integrators, and even trusted vendors. At the 2025 APPA National Conference, Fortress led a session, “Risky Business: Addressing Third-Party Risk in Critical Infrastructure,” to tackle this issue head-on. 

In a rapidly evolving threat landscape, electric utilities are being asked to do more with less. That’s why our session focused on how to build or mature a right-sized, cost-conscious Third-Party Risk Management (TPRM) program that works. 

Where to Start: Scoping the Risk and Engaging the Right Stakeholders 

We kicked off with a reality check: third-party risk is business risk. It’s not just an InfoSec problem—it’s an operational imperative. Building an effective TPRM program means starting with: 

  • Stakeholder engagement across departments – Procurement, business owners, information security, and supply chain must be at the table. 
  • Clear risk ownership – Push accountability to where the risk resides. 
  • Foundational program elements – Know your vendors, tier them based on risk, and build security requirements into onboarding. 

Building Blocks of an Effective TPRM Program 

A mature TPRM program doesn’t have to break the bank. Our experts walked through key pillars: 

  1. Vendor prioritization – Not all vendors are equal. Focus on those with the biggest potential operational impact as a starting point. 
  2. Streamlined due diligence – Automate where you can. Ask questions that matter. 
  3. Continuous monitoring – One-time assessments aren’t enough. Build visibility into the full vendor lifecycle. 

Top 3 Goals of a Strong TPRM Program:

  • Reduce risk 
  • Enable informed decision-making 
  • Drive efficiency and ROI from cyber investments 

Looking Ahead: AI, Emerging Threats & Industry-Wide Lessons 

The 2025 Verizon DBIR found that third-party-related breaches have doubled in just one year, up to 30%. With emerging threats from AI-generated attacks and deepening supply chain dependencies, utilities must stay proactive. 

We discussed how leading organizations are now incorporating AI risk as a formal consideration in their supply chain and vendor evaluations. 

Want to Dive Deeper? 

Our team would be happy to walk you through the framework we shared, tailored to your organization’s size, complexity, and current maturity level. 

📅 Schedule a conversation with our experts 
Let’s build a third-party risk program that’s collaborative, comprehensive, and conclusive.