Carrier Services Case Studies | Aqueduct Technologies

CASE STUDY
Reducing Third-Party Cyber Risk Across Global Pharmaceutical Manufacturing Partners

Implementing a risk-based, enterprise-scale TPRM program to protect product integrity, ensure regulatory compliance, and strengthen supply chain resilience.

Company Overview

Industry: Multinational Pharmaceutical

Company Size: 750+ employees | $1B+ revenue

IT Environment: Hybrid (SaaS, Cloud, On-Prem)

Solution: Third Party Risk Management & Quantified Risk Scoring

A multinational pharmaceutical organization rapidly expanded its network of contract manufacturing organizations (CMOs) to support global growth. As the ecosystem scaled to 20+ partners, third-party cybersecurity assessments became inconsistent, limiting visibility into risk exposure across critical manufacturing operations.

At the same time, increasing regulatory scrutiny (FDA, EMA), product serialization requirements, and rising ransomware threats elevated third-party cyber risk from an IT concern to a direct business risk impacting product availability, compliance, and revenue continuity.

To address this, the organization implemented a structured, risk-based Third-Party Risk Management (TPRM) program, enabling consistent risk evaluation, quantification, and prioritization across all manufacturing partners, aligned to business impact.

Results

  • 62% improvement in detection and containment readiness across Tier 1 CMOs
  • 40% reduction in high-risk control gaps within 12 months

“For the first time, we had clear visibility into which manufacturing partners posed the greatest risk to our operations—and the data to prioritize action before it impacted the business.”
— Associate Director, Cybersecurity

THIRD-PARTY RISK CHALLENGES

The organization faced several critical gaps in managing third-party cyber risk:

  • Fragmented vendor assessments with inconsistent scoring across regions
  • No standardized model to evaluate risk based on business impact and product criticality
  • Increasing exposure to ransomware and operational disruption across manufacturing systems (batch release, serialization, QA)
  • Limited executive visibility into which third parties posed the greatest risk to product delivery and compliance

CUSTOMER GOALS

Executive leadership aligned on the following objectives:

  • Establish a defensible, enterprise-wide framework for third-party cybersecurity governance
  • Quantify and prioritize cyber risk across CMOs based on business and regulatory impact
  • Strengthen supply chain resilience and reduce risk to product availability
  • Provide clear, executive-level visibility into third-party risk exposure
  • Align cybersecurity risk management with broader enterprise risk and compliance programs

SOLUTION DETAILS

To achieve these objectives, Aqueduct implemented a risk-based TPRM program designed to translate technical risk into business-relevant insights for executive decision-making.

TPRM Solution Approach

  1. Risk Quantification Model
  2. Criticality-Based Tiering
  3. Standardized Questionnaire Across 34 Control Domains
  4. Continuous Monitoring Strategy
  5. Executive Risk Dashboard

Business Outcomes

The organization transformed third-party cybersecurity into a measurable, business-aligned risk management capability tied to product delivery and compliance.

  • Standardized risk scoring across 20+ global manufacturing partners, enabling consistent decision-making
  • Executive-level visibility into third-party risk tied directly to product revenue and supply chain impact
  • Improved regulatory defensibility during FDA and EMA inspections
  • Formalized benchmarking of ransomware resilience across manufacturing partners
  • Clear prioritization of security investments based on quantified business risk
  • Enhanced ability to identify and address high-risk partners before they impact product delivery