Most organizations today are acutely aware of the risks third-party relationships pose, and many employ some form of third-party risk management to understand and monitor these alliances. Another danger also bears watching, however: the threats organizations face from their vendors' vendors.
Fourth-party risk is a growing issue. Read on to learn more about fourth parties, the security challenges they pose and how to manage fourth-party relationships.
What are fourth parties?
Third parties include both upstream suppliers and vendors and downstream distributors and resellers -- many of which have direct connections or access to the organization's IT network resources and data. The number of third-party alliances has grown dramatically in recent years, partly due to the widespread transition to cloud-based as-a-service offerings. According to Gartner, 60% of organizations work with more than 1,000 third parties.
Fourth parties -- the vendors of an organization's vendors -- are becoming an increasing concern among regulators, particularly those in the banking and financial services sector. Attackers exploit fourth parties just as they do third parties, as an indirect route into the organization. As a result, fourth parties greatly increase an IT environment's attack surface.
Many organizations might not know who their fourth parties are and what role they have in the service chain, let alone have any direct contact with them. This lack of knowledge creates a big gap in any risk assessment or cybersecurity defense program.
Certain industry standards and regulations, such as the Federal Information Security Modernization Act, Gramm-Leach-Bliley Act and Sarbanes-Oxley Act, compel organizations to monitor third-party supplier security. These requirements, in turn, encouraged suppliers to improve their own security in order to remain a vendor of choice. This ripple effect, however, hasn't necessarily reached as far as the companies that serve those suppliers.
Risks fourth parties introduce
Fourth parties can expose an organization to a variety of risks, including the following:
- Operational. If a critical third party is forced to suspend operations due to a successful attack against one of its key vendors, this service interruption has a direct impact on everyday operations.
- Legal, regulatory and compliance. A data breach at a fourth-party vendor that has access to an organization's sensitive data means that data could also be compromised. This could also put the organization in violation of regulations such as GDPR, HIPAA and PCI DSS, all of which carry heavy fines.
- Reputational. Any security event at a fourth party has the potential to damage the reputation of companies it works with directly or indirectly, leading to loss of business, customers and any contracts, such as those with government entities, that have strict cybersecurity requirements.
- Financial. In addition to potential financial losses, cybersecurity insurance carriers could challenge any claims if there is no contract with fourth parties or documented assessment of their cybersecurity policies.
These and other risks are why regulators, such as the U.S. Office of the Comptroller of the Currency and the European Banking Authority, and frameworks and regulations, such as the Cybersecurity Maturity Model Certification, North American Electric Reliability Corporation Critical Infrastructure Protection and the Digital Operational Resilience Act, are stepping up the pressure -- particularly on larger institutions -- to extend attack surface management to subcontractor-generated risk, rather than relying solely on third parties to protect the organization against the upstream and downstream vulnerabilities their own vendors may introduce.
How to manage fourth-party risks
Organizations need to implement a comprehensive third-party risk management program that extends to cover fourth-party risk management. This is the only way to ensure fourth parties are vetted appropriately.
Incorporating fourth parties into third-party risk management helps organizations assess, manage and minimize the associated risks more efficiently than overseeing them as a separate process. A well-run third-party program should also ensure that key information about fourth parties is readily available. The auditing standard Statement on Standards for Attestation Engagements No. 18, for example, includes a vendor management section that obliges a third-party vendor to define the scope and responsibilities of all its subcontractors in its System and Organization Controls (SOC) reports.
From the SOC reports, identify the fourth parties that are most critical to the third parties. These are vendors that would generate the most significant effect on the organization in the event of a major security incident. Fourth parties whose services are used by multiple third parties should also be included. Even a small event could result in a cumulative effect, leading to business disruption at multiple third parties. These fourth parties all pose operational and cybersecurity risks. As a result, they all require special scrutiny of their business continuity and disaster recovery plans and cybersecurity controls.
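The selection rule above -- flag fourth parties that support a mission-critical third party, that are shared by several third parties, or that touch sensitive data -- can be applied mechanically once the subcontractor lists have been pulled out of the SOC reports. The following Python script is an added illustration, not code from the original article: the vendor names, criticality tiers and data-access flags are constructed sample data, and the scoring thresholds are assumptions an organization would tune to its own program.

```python
"""Rank fourth parties by how much of the third-party supply chain depends on them.

Added example. All vendor names, tiers and data-access flags below are constructed
for illustration and do not describe any real organization.
"""
from dataclasses import dataclass, field

# Constructed sample: what an organization might extract from its third parties'
# SOC reports (the subservice organizations each vendor relies on).
# tier: 1 = mission-critical, 2 = important, 3 = low impact (assumed scale).
THIRD_PARTIES = {
    "PayGateway":   {"tier": 1, "subcontractors": ["CloudHostCo", "KeyVaultSaaS"]},
    "HRPortal":     {"tier": 2, "subcontractors": ["CloudHostCo", "EmailRelayInc"]},
    "CRMSuite":     {"tier": 1, "subcontractors": ["CloudHostCo", "AnalyticsLtd"]},
    "OfficeSupply": {"tier": 3, "subcontractors": ["PrintShopLLC"]},
}

# Constructed: fourth parties known (from data-flow mapping or contract review)
# to store or process the organization's sensitive data.
SENSITIVE_DATA_ACCESS = {"CloudHostCo", "KeyVaultSaaS", "AnalyticsLtd"}


@dataclass
class FourthPartyExposure:
    name: str
    dependents: set = field(default_factory=set)  # third parties relying on it
    highest_tier: int = 99                         # lowest number = most critical
    sensitive_data: bool = False
    reasons: list = field(default_factory=list)    # why it needs special scrutiny


def build_exposure_map(third_parties, sensitive_access, shared_threshold=2):
    """Invert the third-party -> subcontractor map and attach scrutiny reasons.

    shared_threshold (assumed default 2): a fourth party used by at least this
    many third parties is treated as a concentration risk, since one incident
    there would disrupt several third parties at once.
    """
    exposures = {}
    for tp_name, tp in third_parties.items():
        for fp_name in tp["subcontractors"]:
            exp = exposures.setdefault(fp_name, FourthPartyExposure(fp_name))
            exp.dependents.add(tp_name)
            exp.highest_tier = min(exp.highest_tier, tp["tier"])
    for exp in exposures.values():
        exp.sensitive_data = exp.name in sensitive_access
        if exp.highest_tier == 1:
            exp.reasons.append("supports a tier-1 third party")
        if len(exp.dependents) >= shared_threshold:
            exp.reasons.append(
                f"shared by {len(exp.dependents)} third parties (concentration risk)")
        if exp.sensitive_data:
            exp.reasons.append("stores or processes sensitive data")
    return exposures


def prioritised_fourth_parties(exposures):
    """Fourth parties needing special scrutiny, most exposed first."""
    flagged = [e for e in exposures.values() if e.reasons]
    return sorted(
        flagged,
        key=lambda e: (e.highest_tier, -len(e.dependents), not e.sensitive_data, e.name),
    )


def incident_impact(exposures, third_parties, fp_name):
    """Blast radius of an incident at one fourth party: which third parties are
    affected and how many of them are mission-critical."""
    exp = exposures.get(fp_name)
    if exp is None:
        return {"affected": [], "tier1_affected": 0}
    affected = sorted(exp.dependents)
    tier1 = sum(1 for tp in affected if third_parties[tp]["tier"] == 1)
    return {"affected": affected, "tier1_affected": tier1}


if __name__ == "__main__":
    exposures = build_exposure_map(THIRD_PARTIES, SENSITIVE_DATA_ACCESS)
    for exp in prioritised_fourth_parties(exposures):
        print(f"{exp.name}: depends={sorted(exp.dependents)}; " + "; ".join(exp.reasons))
    print("If CloudHostCo has an incident:", incident_impact(exposures, THIRD_PARTIES, "CloudHostCo"))
```

Running the script lists CloudHostCo first: it sits under three third parties, two of them mission-critical, and holds sensitive data, so a single event there would cascade to several vendors at once. Fourth parties with no flagged reasons (EmailRelayInc, PrintShopLLC in the sample) still belong in the inventory, but do not need the deeper continuity and control review the article recommends for the critical ones.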
Mitigate identified risks, and test the mitigations. This could entail updating certain third-party contracts, such as adding a right-to-audit clause or requiring minimum levels of due diligence and monitoring of subcontractors. Choose the due diligence and monitoring requirements carefully, because many third-party risk management strategies rely on point-in-time due diligence and periodic recertification. A SOC 1 report, for example, details the cybersecurity risk management controls in place on the date of issue. This approach, however, only provides a snapshot in time, missing any risks that arise between the date of issue and the next recertification. Requiring a SOC 2 report with ongoing monitoring is a better fourth-party risk management strategy for validating vendor security practices, because concerns can be addressed as they arise. This is particularly important for fourth-party risk, which relies heavily on the third party's updates and reporting.
Third-party and fourth-party risk management
It's virtually impossible to assess fourth-party risk without detailing the relationship between an organization and its third and fourth parties.
Update vendor contracts to specify how key fourth parties are vetted and monitored for compliance with contract requirements, especially those that store or process sensitive data.
Stipulate vendors notify the organization of any material changes or compliance issues with their vendors. These could trigger a shift in the organization's mitigation control strategy or signal it's time to reassess the relationship. Direct oversight of a subcontractor might be necessary if it is providing mission-critical services. In these cases, include a clause that gives the organization the contractual right to assess the subcontractor directly.
Many organizations rely on the principle of least privilege and the zero-trust model to govern access to systems and data, but it's also important to develop new or updated incident response plans that describe what to do in the event an incident originates at a fourth party. Include how to isolate networks and sensitive data before a fourth-party incident can affect them.
Using multiple parties helps many organizations operate cost-effectively, but these supply chains have become primary attack vectors. Fourth-party risk management is just as important as third-party risk oversight. Understand the roles all suppliers play, and determine how they could affect operations. Get familiar with the service fourth-party vendors provide and the business relationship they have with the organization's third parties. Response times and outcomes improve as a result.
One more benefit: A comprehensive third- and fourth-party risk management program not only reduces the organization's vendors' attack vectors, but it also makes the organization more appealing as a third party to others.