‘Tis the season for.… Fourth Party Risk Management
We all know the drill. It’s time for some annual festivity, frivolity and fake fir trees. But without wanting to sound like the Grinch, there is one thing that doesn’t take a holiday. RISK!
Over the last few years, growing media attention from third party data breaches, backed up by the growing regulations and guidance from the likes of the ICO and GDPR, have done a pretty good job of raising awareness of the issues surrounding Third Party Risk Management (TPRM).
But what if we look beyond the direct relationships your organisation has on a day-to-day basis? Think for a moment about the eco-systems and supply chains that your suppliers (and possibly unwittingly YOU) rely on to help deliver outsourced operations.
You’re Only As Strong As Your Weakest Link
How securely and safely do these business and services you have no direct control over manage, process and support your commercial operations and sensitive Personally Identifiable Information (PII) data? Here’s a few ideas on the potential risks and impacts of Outsourcing and Fourth Party Risks.
According to research by financial services firm EY, 28% of organisations fail to monitor subcontractors at all, while 60% of organisations that identify fourth parties do not maintain an inventory for monitoring and governance purposes. In addition, the vast majority (80%) of organisations that say they monitor fourth parties rely indirectly on their third parties through contracts, SLAs, warranties, and self-assessments.
But it’s not enough to simply amend and update contractual terms to extend cover of Fourth Party supplier liability. Remediation planning, finger pointing and litigation only serve to clean up the mess once systems have been breached, data has been lost or stolen, reputations are tarnished and costs have, most definitely, been incurred.
A more holistic approach to supplier risk needs to be taken. One that includes not only those suppliers you have direct contact and control over but also the extended network and ecosystem of downstream subcontractors, suppliers and agents. But where to start?
Adding Fourth Party Supplier Risk As A Strategic Component Of Your TPRM Program.
Think big strategy, but start small and simple
Ultimately, long term thinking should focus on finding and developing a suite of Third Party suppliers that are not only willing to engage in mutually-aligned TPRM strategies but also share common processes and platforms.
Whilst it is unlikely that you’ll start or maybe even ever end up there, going forward you can immediately consider adapting your new supplier search criteria and existing supplier evaluation. This should include an assessment and understanding of their Third-Party risk management and processes with a focus on alignment and shared interest between you and your Third Parties on security and risk in the cyber supply chain.
Let industry regulations guide you
With Fourth Party risk assessment being a relatively emerging compliance issue, industry regulators and guidelines should be a first port of call. These will likely refer to undefined “best”, “standard” or “appropriate” practices and measures with very little prescribed behaviours and actions.
However, when the auditors call they will certainly want you to be able to identify how you have developed processes and procedures that can clearly relate to any regulations and the associated risks they seek to address. So a defined and executed program of detailed remote and onsite risk assessments utilising industry-recognised methodologies such as Shared Assessments’ Standardised Information Gathering (SIG and SIG Lite) questionnaire sets and Standardised Control Assessments (SCA) is a great place to start from.
Collaborate with your Third Party suppliers
The good news in this is that your Third Party suppliers have a mutual interest and skin in the game when it comes to managing the risk their suppliers pose. That doesn’t necessarily mean they’ll happily open up their entire internal operations to you but you should find at least some level of shared interest and appreciation in the need for robust Third Party Risk Management. If not, then this certainly should raise a red flags in the relationship.
Since you don’t have a direct contract with Fourth Party suppliers, getting access to information about systems, security policies and controls can be difficult. None of us would share this sort of information with a party not bound by confidentiality agreements, etc. and without a solid, legitimate “need to know”. This is why collaboration is critical and a shared strategy and approach will yield much more effective and accurate results.
Assuming you’ve found allies in your supply chain you’ll want to find out exactly who does what with your data and what gaps in either assessing or managing risk need addressing. Some starting points for understanding the current state of their TPRM and inherent risks in their supply chain should include requests for:
• A copy of their own supplier risk management policy;
• A full list of all suppliers they classify as critical and/or high risk; and
• Copies of their most recent annual review of each of these suppliers
Don’t forget GDPR!
Looking at the implications of Fourth Party Risk in relation to GDPR, Article 28(1)-(3): Processor Obligations provides a focus on the need to ensure sufficient guarantees that a third party processor has implemented appropriate technical and organisational measures. Processor obligations extend to subcontractors or sub-service organisations they may outsource data processing activities to.
Such extension of liability should be defined in your supplier contracts, including notifications and authorisations for subcontracting, and extend to the 4th, 5th & nth party based on the type of processing performed, and a key part of service and contract reviews with existing Third Parties and partners.
Make Fourth Party Risk Assessment A New Year’s Resolution
You should aim to treat Fourth Party risk like any other, applying the same level of rigour from your current Third Party risk assessment process. As ever, gathering assessments and risk profiles isn’t as easy as it sounds but this is where a shared approach with a willing partner will ensure greater levels of success.
Many suppliers may not have a full picture of their subcontractor landscape themselves or a clear grasp of who has access to different parts of your data and exactly what they do with it. Again, this should be a warning sign but is to be expected as many organisations are still in the early phases of TPRM maturity.
It is also highly likely that many Fourth Parties will be small to medium size businesses (SMB) where levels of IT and cyber-security sophistication can be significantly different to those of large corporates. Cybersecurity scorecards based on passive scans of a company’s domain require no involvement from the Assessed organisation and can be a cost-effective way to screen for critical issues and vulnerabilities that you can bring to the table at supplier reviews.
There’s never a bad time to start thinking seriously about the security posture of your extended enterprise. DVV Solutions are here to help with a range of services and solutions to take the pain out of Third (and Fourth) Party Risk Management.
Sean O’Brien, DVV Solutions