Third-parties are heavily reliant on their sub-contractors who are not thoroughly vetted due to a lack of stringent processes concerning Third-Party onboarding or it’s not a board decision yet. Often small and medium companies and in quite a few cases, large organizations do not have sufficient oversight on sub-contractors of their Third-parties which are essentially Fourth-Parties. (The typical organization has indirect relationships with 60x to 90x the number of fourth parties.) Supply Chain attacks are increasing by the day Such lack of oversight exposes an organization to security, financial, reputational, operational, concentration, and strategic risk and often results in downstream liability.
Managing your Third-parties and protecting your organization from risks in itself is a complex task which uses resources extensively. Going a level deeper and vetting the security of their sub-contractors is a nightmare and tedious exercise but should not be overlooked.
Regulated industries such as Banking, Insurance, Trading, Pharma etc. have stringent requirements that organizations comply with. Non-compliance will attract regulatory fines and reputational damage which has far-reaching negative consequences. (50% of organizations don’t monitor third parties with access to sensitive and confidential information.)
Key challenges that deter companies from performing fourth-party risk assessments
Lack of adequate Human resources and skills – Most of the organizations either have just enough people or inadequate people to run a mature TPRM program. Performing operations is a challenge as it is and asking to risk assess Fourth Parties will only increase the overhead and attrition.
Lack of automation – companies having a TPRM program are performing processes manually with little to no reliance on technology which makes it a humongous task. Adding Fourth-Party assessments will further complicate the process and make it time-consuming.
Lack of robust inventory – insufficient transparency in your extended ecosystem and managing overwhelming data on Third-Party assessments are a set of key challenges that companies face that result in unforeseen delays in understanding the impact of an incident, a zero-day that has affected a certain category of Third-parties or enforcing a new regulation. In a Global Security Survey report from Crowdstrike, only 36% have vetted all new and existing suppliers for security purposes in the last 12 months.
Over reliance on Third-parties to self-manage their sub-contractors – All categories of Third-parties rely on their Third-parties to function and grow. Having security assurance on your direct Third-parties is beneficial but a lack of security assurance from their Third-parties could get back to organizations in many ways (98% of organizations have a relationship with at least one third party that has experienced a breach in the last 2 years. Another equally jarring one: Half of all organizations have indirect relationships with at least 200 fourth parties that have had breaches in the last two years)
Missing Fourth–Parties during Third-Party off-boarding and termination – Often overlooked but topped with insufficient practices could result in data remanence and intact technology integrations that will pose a security threat.
SOLUTION?
The following best practices will certainly enable organizations to start considering evaluating Fourth-Parties and reduce the risk exposure.
Detailed inventory – This remains the starting point to avoid and address many TPRM operational challenges. Create a provision to record all the Fourth-Parties that your Third-party is using to provide services to your organization.
Bill-of-materials – Software Bill of Materials (SBOM) is one of the ways you get to know if your Third-parties have used any open-source modules (plugins or APIs) in their solution or product.
End-to-End Data flow – Data Flow Diagrams (DFDs) that depict all the environments through which it traverses and who has access to it will reveal a lot more information if there are fourth parties involved
Contractually Oblige – enforcing Third-parties to list all their tactical and strategic Third-parties will allow to decide on key contractual clauses that should be included to protect your organization from liability
Fourth-Party Assessments – Evidence-based verification of assessments being performed by your Third-parties on their sub-contractors will give assurance that your data and technology integrations are secured. You could ask for the following from your Third-parties:
- Third Party Risk Management (TPRM) Policy
- Redacted Assessment Report
- Redacted contract document
Security Ratings – give a detailed report on the security posture of Fourth-Parties. Although additional license is consumed for critical Third-parties, it is worth the price.
Risk Mitigation – There could be many ways to deal with security and regulatory non-compliance of Fourth-parties and avoid liability and Indemnity
Risk Transfer – Ensure that Third-parties have sufficient insurance coverage which can come to your rescue. Push for uncapped liability that may arise due to downstream incidents or breaches
Client Approvals – In cases where clients mandate using a Third-Party knowing that Fourth-Parties supporting your organization do not have adequate security, include additional verbiage in the contract where no liability will be transferred to your organization
Delay onboarding – at times this is the best approach to reduce the impact and time spent to overcome an incident. Raise risks and push for remediation before onboarding Third-parties.
