In a world that is becoming ever more interconnected, organizations are learning firsthand that they are exposed not only to adverse events at their own vendors but also to incidents at those vendors' vendors (their fourth parties).
Recent incidents such as the SolarWinds breach, the Microsoft Exchange Server attacks and the Fastly outage have shown that conventional third-party risk management (TPRM) programs do not, by themselves, generate the visibility into supply chain risk that organizations need.
Because fourth parties generally have no obligation to share information with their clients' clients, organizations are now adapting their TPRM programs to address fourth-party concerns. Fortunately, there are steps companies can take to gain greater visibility into, and protection from, downstream risk.
Get to know your third parties’ partners
Despite growing awareness of fourth-party risk, no clear guidelines or uniform processes for assessing fourth parties have been established, and the result is disjointed, ad hoc processes. Most of them are manual, demanding significant time and labor and leaving room for error and oversight.
To counteract this exposure, companies should take the following steps to limit fourth-party risk:
Identify mission-critical vendors
The first and most important step is to identify the vendors that are mission-critical to the company, and then to identify those vendors' own third parties. During the vendor risk assessment process, companies should ask each third party for a list of its critical suppliers and for the sensitive data each of those suppliers can access. They should also require third parties to notify them before making material changes to those supplier relationships.
However, even after vendors provide the requested information, reporting and accessibility of information at the fourth-party level remain problematic: third parties may lack the resources to perform due diligence on their own suppliers, or may be unwilling to share what they regard as sensitive information.
For that reason, it is important to validate the data against every available source, including the third party's list of open-source software and other external sources it relies on, its business continuity and disaster recovery plans, its information security management system, and the internet-facing technologies it uses for its website and IT supply chain.
Look for concentration risk
It is also important for organizations to review their overall vendor portfolio for fourth parties that are shared by multiple vendors. Even if a company's own vendor base is diverse, it still faces concentration risk if those vendors rely on the same supplier for their critical functions.
Obvious examples are Microsoft Azure, Google Cloud Platform and AWS, each used by tens of thousands of companies across the globe. Should one of those giants fail, the impact would ripple across many vendors at once, posing a serious risk to the company. The 2021 Kaseya incident shows the downstream reach of an attack on a single company's software product: ransomware distributed through Kaseya's VSA remote-management software reached its managed service provider customers and, through them, thousands of organizations worldwide. Having visibility into fourth-party concentration lets a company identify which of its vendors are affected by such an event and respond more quickly.
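The portfolio review described above is, in practice, a fan-in analysis over a vendor inventory: invert the vendor-to-supplier mapping and look for suppliers reached through several vendors, weighting critical vendors more heavily. The following is an added example, not code from the original article or from any TPRM product; the vendor and supplier names are constructed for illustration, and `None` is used to mark a critical vendor that has not yet disclosed its suppliers (a visibility gap, distinct from a vendor that has declared it has none).

```python
"""
Fourth-party concentration analysis over a vendor inventory.

Added example with constructed data. Each third-party vendor declares the
suppliers (fourth parties) it depends on and whether the vendor is
mission-critical to us. None means the vendor has not disclosed its suppliers.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vendor:
    name: str
    critical: bool
    fourth_parties: Optional[frozenset]  # None = not disclosed; empty = declared none


# Constructed inventory; these are not real vendor relationships.
INVENTORY = [
    Vendor("PayrollCo", True, frozenset({"AWS", "SendGrid", "Okta"})),
    Vendor("HelpdeskSaaS", False, frozenset({"AWS", "Twilio"})),
    Vendor("AnalyticsInc", True, frozenset({"GCP", "Snowflake"})),
    Vendor("MSP-RemoteMgmt", True, frozenset({"AWS", "Okta"})),
    Vendor("PrintShop", False, frozenset()),
    Vendor("BackupVault", True, None),
]


def fourth_party_index(inventory):
    """Invert vendor -> suppliers into supplier -> set of dependent vendors."""
    index = defaultdict(set)
    for vendor in inventory:
        for supplier in vendor.fourth_parties or ():
            index[supplier].add(vendor.name)
    return dict(index)


def concentration_report(inventory, min_fan_in=2):
    """Rank fourth parties by how many vendors, and how many critical
    vendors, depend on them. A supplier reached through at least
    min_fan_in vendors is treated as a concentration point."""
    critical = {v.name for v in inventory if v.critical}
    rows = []
    for supplier, vendors in fourth_party_index(inventory).items():
        if len(vendors) < min_fan_in:
            continue
        rows.append({
            "fourth_party": supplier,
            "fan_in": len(vendors),
            "critical_fan_in": len(vendors & critical),
            "vendors": sorted(vendors),
        })
    # Most critical exposure first, then broadest exposure, then name.
    rows.sort(key=lambda r: (-r["critical_fan_in"], -r["fan_in"], r["fourth_party"]))
    return rows


def blast_radius(inventory, fourth_party):
    """Vendors that would be affected if this fourth party fails or is breached."""
    return sorted(fourth_party_index(inventory).get(fourth_party, set()))


def undisclosed_critical_vendors(inventory):
    """Critical vendors that have not provided a supplier list: chase these
    in the next due diligence reassessment before trusting the report."""
    return sorted(v.name for v in inventory if v.critical and v.fourth_parties is None)


if __name__ == "__main__":
    for row in concentration_report(INVENTORY):
        print(f'{row["fourth_party"]:<10} fan_in={row["fan_in"]} '
              f'critical={row["critical_fan_in"]} vendors={row["vendors"]}')
    print("AWS blast radius:", blast_radius(INVENTORY, "AWS"))
    print("No supplier list from:", undisclosed_critical_vendors(INVENTORY))
```

In a real program the inventory would be loaded from the TPRM system of record and supplier names normalized first (the same cloud provider tends to be declared under several spellings), otherwise the fan-in count is understated.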
Establish a continuous monitoring strategy
Because companies have no direct contractual relationship with fourth parties, managing their risk is harder than overseeing third parties. The key is to expand the scope of the existing TPRM program to include monitoring of fourth parties.
The first step is to understand how third parties monitor their own vendors: both direct monitoring (what they do to watch their third parties) and general vendor management (whether they run their own vendor management program and how effective it is). Companies can ask these questions during periodic performance reviews as well as during annual risk and due diligence reassessments. This works best with technology that keeps assessing for threats by continuously collecting data from a growing number of sources.
Lastly, and especially for mission-critical vendors, enterprises should monitor fourth parties continuously rather than waiting for the third party to notify them of a breach. Proactive monitoring reduces risk and makes the entire vendor ecosystem safer and more efficient.
Automation and orchestration are key
One way to monitor fourth parties is to choose a vendor risk management solution that automates and orchestrates the TPRM program across all risk domains. The best of these applications use natural language processing and large-scale data harvesting to continuously collect information from people, documents and machines, analyze it, and feed the results back into the data sources. This produces actionable risk insights from third parties and beyond, reducing risk and operational costs while improving accuracy and corporate performance.
Such solutions give companies far greater visibility into fourth-party risk and surface concentration risk, saving subject matter experts a considerable amount of work and freeing them for higher-value tasks.
Even when a company has no formal working relationship with the fourth parties that serve its third parties, those fourth parties can still pose a real threat. Risk assessment combined with continuous monitoring is key to protecting companies from them. Organizations can now use advanced TPRM solutions that automate and orchestrate the monitoring of third-party vendors and their suppliers, so that they can quickly identify, anticipate and manage risk across the supply chain without having to invest in additional personnel.