No matter how much a company invests in its own cybersecurity program, vulnerabilities at a vendor or other third party can lead to compromises of the company’s data and potentially significant liabilities. Managing third-party risk and the responsibility of overseeing vendors is a challenge for many companies. Based on insights presented during a Davis Wright Tremaine webinar, this article addresses regulatory obligations for managing third-party risks; identifying and prioritizing those risks; and core elements of an effective third-party risk management program, including documenting those efforts. See “Checklist for Framing and Assessing Third-Party Privacy and Information Security Risk” (Sep. 28, 2023).