Fourth Party Risk – Downstream Liability affecting your organization?
Almost every company relies on its Third Parties for services and products. Those Third Parties in turn outsource their work, in whole or in part, to their own Third Parties; these are called Fourth Parties. A report from Gartner says 71% of organizations have an average of 1000 Third Parties, and for every third-party vendor in their supply chain, organizations typically have indirect relationships with 60 to 90 times that number of fourth-party relationships (Security Scorecard).
Fourth Parties are most prevalent in insurance, healthcare, logistics, transport, immigration, and the service- and product-support companies that work on behalf of a Third Party. Some of the scenarios in which Fourth Parties have access to an organization's data (there are many more):
- Lab services (healthcare) – some of the tests prescribed by a doctor are not carried out in the provider's own lab, so your information invariably goes to a Fourth Party.
- Claim settlements (insurance) – all insurance companies have tie-ups with many Third Parties who gather details to process a claim and to verify it after an incident is reported.
- Logistics – organizations with a presence in multiple geographies cannot rely on a single Third Party to deliver packages; in many cases your Third Parties outsource the delivery to their own Third Parties.
- Service and support (retail and e-commerce) – Third Parties that manufacture products often outsource installation and support to their own Third Parties, who end up receiving your information.
The risk of information compromise at Fourth Parties can make an organization liable (downstream liability), which can cost it dearly.
Challenges faced by organizations when dealing with Fourth Parties
- Contract language – insufficient flow-down of security terms in the contract
- Security non-compliance – inadequate security posture and misalignment of security standards
- Liability and indemnity – adequate capping of liability and indemnity
- Regulatory non-compliance – regulatory fines incurred because of fourth-party non-compliance
- Software packages with third-party and open-source modules and plugins – a Software Bill of Materials (SBOM) is often not requested, so the software and the components within it that can expose an organization to risk are not understood
- Lack of monitoring and oversight – Third Parties not monitoring their Fourth Parties, or ineffective practices that give no visibility of the Fourth Party's security posture
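As an added illustration of the SBOM point above (example code written for this page, not Defentrix tooling or any product's code), the script below walks a constructed CycloneDX-style dependency graph, tiers each component by its distance from your application (tier 1 = third party, tier 2 and beyond = fourth party), and flags components whose own dependencies are not declared in the SBOM at all; all package names are made up.

```python
import json
from collections import deque

# Constructed CycloneDX-style SBOM fragment (sample data, not taken from any real
# product); only the "dependencies" graph that the example walks is included.
SBOM_JSON = """
{
  "metadata": {"component": {"bom-ref": "app"}},
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/vendor-sdk@1.0.0", "pkg:npm/ui-kit@4.2.0"]},
    {"ref": "pkg:npm/vendor-sdk@1.0.0", "dependsOn": ["pkg:npm/http-client@0.9.1", "pkg:npm/log-lib@2.3.0"]},
    {"ref": "pkg:npm/http-client@0.9.1", "dependsOn": ["pkg:npm/tls-shim@1.1.0"]},
    {"ref": "pkg:npm/tls-shim@1.1.0", "dependsOn": ["pkg:npm/http-client@0.9.1"]},
    {"ref": "pkg:npm/ui-kit@4.2.0", "dependsOn": ["pkg:npm/log-lib@2.3.0"]}
  ]
}
"""

def dependency_graph(sbom):
    """Map each bom-ref to the refs it declares as its own dependencies."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}

def depth_map(graph, root):
    """Breadth-first walk from root: depth 1 = direct (third-party) component,
    depth >= 2 = transitive (fourth-party and beyond). The visited check keeps
    the shortest depth per ref and terminates on the sample's tls-shim cycle."""
    depths = {root: 0}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        for dep in graph.get(ref, []):
            if dep not in depths:
                depths[dep] = depths[ref] + 1
                queue.append(dep)
    return depths

def fourth_party_report(sbom_json):
    """Group components by supply-chain tier and list refs that are depended on
    but declare no dependencies of their own, so their sub-tree is unknown."""
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    graph = dependency_graph(sbom)
    depths = depth_map(graph, root)
    tiers = {d: sorted(r for r, x in depths.items() if x == d)
             for d in sorted(set(depths.values())) if d > 0}
    unknown = sorted(r for r in depths if r != root and r not in graph)
    return {"tiers": tiers, "unknown_subtree": unknown}

print(json.dumps(fourth_party_report(SBOM_JSON), indent=2))
```

Anything in the `unknown_subtree` list is the software equivalent of a Third Party that cannot say who its own suppliers are, which is exactly the visibility gap the bullets above describe.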
It is crucial that your Third Parties have a robust Third Party Risk Management (TPRM) program to evaluate the security posture of their Third Parties (your Fourth Parties) and reduce the risk to a minimum.
Defentrix can support and help your organization minimize the risk from Third and Fourth Parties
- Build or optimize your Third-Party Risk Management (TPRM) program supported by the top management to manage all Third Parties
- Create a customized baseline security standard enabling you to vet the security posture of Third and Fourth Parties
- Identify security and privacy risks you are exposed to and provide guidance on remediation
- Equip your team with the skills and tools required to manage the program
- Provide services where you allow Defentrix to own the responsibility of managing the entire program
- Enforce the right security language in your contracts to protect you on liability and indemnity when Fourth Parties suffer an incident or breach.