Public power utilities know this all too well: cyber risk isn’t limited to your four walls. It’s embedded in your suppliers, software providers, integrators, and even trusted vendors. At the 2025 APPA National Conference, Fortress led a session, “Risky Business: Addressing Third-Party Risk in Critical Infrastructure,” to tackle this issue head-on.
In a rapidly evolving threat landscape, electric utilities are being asked to do more with less. That’s why our session focused on how to build or mature a right-sized, cost-conscious Third-Party Risk Management (TPRM) program that works.
In addition to traditional TPRM program concerns, the rise of AI and SEO has helped drive a doubling of third-party-related breaches in just one year, as noted by the 2025 Verizon DBIR.
Where to Start: Scoping the Risk and Engaging the Right Stakeholders
We kicked off with a reality check: third-party risk is business risk. It’s not just an InfoSec problem—it’s an operational imperative. Building an effective TPRM program means starting with:
- Stakeholder engagement across departments – Procurement, business owners, information security, and supply chain must be at the table.
- Clear risk ownership – Push accountability to where the risk resides.
- Foundational program elements – Know your vendors, tier them based on risk, and build security requirements into onboarding.
Building Blocks of an Effective TPRM Program
A mature TPRM program doesn’t have to break the bank. Our experts walked through key pillars:
- Vendor prioritization – Not all vendors are equal. Focus on those with the biggest potential operational impact as a starting point.
- Streamlined due diligence – Automate where you can. Ask questions that matter.
- Continuous monitoring – One-time assessments aren’t enough. Build visibility into the full vendor lifecycle.
Top 3 Goals of a Strong TPRM Program:
- Reduce risk
- Enable informed decision-making
- Drive efficiency and ROI from cyber investments
Looking Ahead: How to Handle Third-Party Risks in AI
Organizations leveraging AI and SEO through third parties should consider the following risk domains:
- Data Privacy and Security Risk
AI and SEO tools frequently process large volumes of sensitive data, including customer behavior, personal identifiers, and proprietary content. Poor data handling practices or insecure models can lead to data breaches or regulatory violations.
- Model and Algorithmic Risk
AI vendors may use opaque or proprietary algorithms that introduce bias, hallucinations, or non-compliant decision-making. For SEO, algorithmic tactics that violate search engine guidelines can expose organizations to penalties or reputational damage.
- Regulatory and Compliance Risk
Regulations such as GDPR, CCPA, HIPAA, and emerging AI governance laws require organizations to maintain accountability for third-party actions, even when those actions are automated.
- Operational and Continuity Risk
Dependence on AI platforms or SEO vendors creates potential single points of failure if providers experience outages, change algorithms, or discontinue services.
- Reputational Risk
Poor-quality AI-generated content, unethical SEO practices, or misuse of data can quickly erode brand trust and public credibility.
Incorporating AI into Third-Party Risk Management
AI can be leveraged not only as a source of risk, but also as a powerful enabler of more effective TPRM programs.
- AI-Driven Risk Assessment and Monitoring
Machine learning models can analyze vendor documentation, contracts, SOC reports, and audit findings to identify risk patterns faster and more consistently than manual reviews. Natural Language Processing (NLP) can flag missing controls, ambiguous clauses, or regulatory gaps.
- Continuous Risk Monitoring
AI tools can monitor third-party digital footprints in real time—tracking security incidents, compliance updates, financial health signals, and negative media—to move TPRM from periodic assessments to continuous oversight.
- Intelligent Risk Scoring and Prioritization
By correlating vendor criticality, data sensitivity, and historical performance, AI can dynamically adjust risk scores and help organizations prioritize remediation efforts where they matter most.
- Governance and Transparency Controls
Organizations should require AI vendors to provide documentation on model governance, data sources, explainability, and bias mitigation as part of due diligence and ongoing monitoring.
Integrating SEO Considerations into TPRM
SEO vendors and tools play a critical role in digital visibility and brand perception, making them an often-overlooked but high-impact third-party risk category.
- SEO Vendor Due Diligence
TPRM programs should assess SEO providers for:
- Compliance with search engine guidelines
- Use of ethical (white-hat) SEO practices
- Transparency in content generation and link-building strategies
- Data ownership and content rights
- AI-Generated Content Governance
When SEO relies on AI-generated content, organizations must define standards for quality, originality, accuracy, and human oversight to avoid misinformation, plagiarism, or search engine penalties.
- Contractual Risk Controls
Contracts with SEO and AI vendors should clearly define:
- Accountability for penalties or regulatory violations
- Data usage and retention policies
- Audit rights and performance metrics
- Exit strategies and content ownership upon termination
TPRM teams should work with marketing and communications to monitor search rankings, content sentiment, and brand mentions, ensuring early detection of reputational risks tied to third-party SEO activities.
Best Practices for Aligning TPRM, AI, and SEO
- Establish a cross-functional governance model involving risk, legal, IT, security, and marketing.
- Classify AI and SEO vendors as high-risk third parties when they access sensitive data or influence public-facing content.
- Implement human-in-the-loop controls for AI-generated outputs.
- Align third-party assessments with emerging AI regulations and industry standards.
- Use AI responsibly within TPRM while maintaining transparency, explainability, and accountability.
Want to Dive Deeper?
Our team would be happy to walk you through the framework we shared, tailored to your organization’s size, complexity, and current maturity level.