Posted on May 28, 2018
So you have prioritized your vendor assessments and established a centralized vendor risk management program to engage in continuous monitoring. Great! You might assume you now have a strong mitigation plan. But you could be ignoring a major risk factor: your vendor’s third parties.
In this third part of our VRM series, we’ll show how to use your vendors and contracts to implement fourth party monitoring in your VRM program.
Note: This blog was originally posted on September 2, 2016. We've completely updated and re-written this guide as of May 28, 2018.
This is part 3 of a series in which we show you how to improve your vendor risk management process. In this VRM series, we cover:
Fourth and fifth parties are your vendor’s third parties and subcontractors. They are subject to the same risks as your vendors, which in turn puts your organization at risk. If one of your vendor’s third parties is breached by an attacker, that attacker could reach your network or sensitive information through that third party’s environment.
Almost 70% of cyber attacks target secondary victims
As the 2015 Verizon Data Breach report notes, almost 70% of cyber attacks target secondary victims. And while attack methods have become more sophisticated, old vulnerabilities remain unpatched: the 2016 Verizon Data Breach report notes that the most exploited vulnerability in 2016 was one identified, and patched, in 2007.
The scenario of a malicious actor breaching a company, moving on to a secondary victim, and then accessing a third target’s network is a very real possibility.
The OCC’s bulletin on Third Party Relationships (2013-29) offers a number of guidelines and standards focused on subcontractor assessment visibility. PWC’s associated regulatory brief outlines major new standards regarding fourth parties and subcontractors, such as:
But according to a PWC study on Vendor Risk Management, 45% of respondents rely on third parties to monitor their subcontractors, and many don’t assess fourth party risk at all. As part of a mature vendor risk management program, you should retain more control over fourth party monitoring and reporting.
Fourth party monitoring is usually a collaborative effort and requires a strong relationship with your vendors. By working with your vendors to establish fourth party monitoring, you’re not only improving your vendor risk management but doing the same for your vendor’s VRM process. It’s a win-win for both information security and risk management.
Because monitoring and managing fourth parties is an intensive effort, understand first that this is not a blanket approach. While you should be monitoring, in some capacity, all of your third party vendors, you should not have to monitor all of your fourth (and fifth) party vendors.
First, identify the most risk-critical vendors in your supply chain. If you implemented the best practices explained in part 1 of this series, you’ve already identified and tiered your most critical vendors.
Next, work with each vendor to make a list of their third parties and their responsibilities. Your purpose is to define the services your vendor’s third parties provide.
The process is similar to mapping your own service risks, as outlined in Part 1 of the series. Consider:
This last point is especially important because service and security risks can shift depending on the location of the company. Outsourced services are more likely to be located offshore to reduce costs. We’ll discuss options regarding offshore fourth parties later in this article.
In the last step, you compiled a list of third parties and the services they provide. Now you must understand the security monitoring capabilities of each vendor. Consider:
To get this information from your vendors, it’s important to take a collaborative approach. Knowing the security posture of your fourth party vendors is an exercise in mature vendor risk management. It also encourages your vendors to follow the right practices themselves.
However, due to vastly different vendor relationships, contract limitations, and privacy concerns, there may be some information that your vendor cannot divulge about their third parties. Existing vendor terms, for security’s sake, often limit what can be shared with external parties. Fortunately, even then there are ways to safeguard yourself against fourth party risks.
Leveraging contracts is a way to ensure that your most critical services are not being outsourced, and to require that your vendors notify you when they in turn use subcontractors. When drafting a contract with a new vendor, or when amending an existing contract, be sure to specify the services that must be performed by your vendor and cannot be outsourced or subcontracted. Insert contract terms that trigger notifications when new subcontractors partner with your vendors.
It’s not realistic to do this for all vendors at once. Start with your most critical vendors, and process new vendors as they enter your third party ecosystem.
You can incorporate fourth-party insight into your vendor risk management process by tailoring questionnaires to discover subcontractors. Penetration test and onsite assessment terms should also be written with fourth party insight as a sub-goal. If continuous monitoring is part of your ongoing vendor risk management (and it should be), then fourth-party discovery is easy to add to the process.
Shared assessments are a strong starting point for identifying the types of definitions and contract terms to negotiate as part of any vendor risk management contract. To mitigate fourth and fifth party risk, use contract terms that:
Leveraging contracts is even more important in highly regulated industries such as healthcare or finance. As General Counsel News advises, because of the strict scrutiny these organizations are subject to, they should act like regulators themselves when it comes to third and fourth party risk management. By taking a proactive, regulatory approach to fourth party insight, regulated companies can be prepared to adhere to new guidelines and regulations focused on third and fourth party risk management.
By placing an approval requirement, you’re taking control of your own third and fourth party risk
Just as your third parties can pose a risk to you, your vendor’s third parties can too. As part of a mature VRM process, you should have insight into fourth party risk, giving you a more comprehensive understanding of your vendor ecosystem.
We’ve mentioned before why fourth-party insight is essential for vendor risk management – and despite being a best practice, it’s not nearly common enough. A VRM survey by the Risk Management Association showed that just 33% of respondents performed due diligence on vendor subcontractors.
PWC states that “an effective third party risk management program needs to have insight into ‘fourth party’ subcontractors that third parties are themselves using and managing.”
As third party breaches rise, so does fourth party risk. Fourth party insight has become a more urgent need as those breaches become more common. You must know which third parties your critical vendors use, and protect your organization through collaborative risk mitigation techniques and legal safeguards.
Tip For SecurityScorecard Customers – Our Automatic Vendor Detection (AVD) module non-intrusively finds the third parties of your vendors and offers insight on their security rating and overall security posture. To display your fourth party vendors, just click on the “View AVD” link next to one of your vendors. The AVD module will automatically find your fourth party vendors.
With hackers finding new ways to attack third-parties in hopes of infecting a larger organization, the third-party ecosystem is more fragile than ever before.