As third party breaches rise, so does fourth party risk. Visibility into “fourth party” risks is a must-have part of a mature VRM program.
So you have prioritized your vendor assessments and established a centralized vendor risk management program to engage in continuous monitoring. Great! And you would assume you have a strong mitigation plan. But you might be ignoring a major risk factor: Your vendor’s third parties.
In this third part of our VRM series, we’ll show how to use your vendors and contracts to implement fourth party monitoring in your VRM program.
This is part 3 of a series in which we show you how to improve your vendor risk management process. In this VRM series, we cover:
- How to Improve Your Vendor Risk Management: Start with an audit of known risks and vendors
- Replace Point-In-Time Third Party Vendor Risk Assessments with Continuous Monitoring
- How to Establish Fourth Party Insight to Know Your Vendor’s Real Risk
Third party, fourth party, fifth party… not as fun as you’d think
Fourth and fifth parties are your vendor’s third parties and subcontractors. They are subject to the same risk as your vendors, thus putting your organization at risk. If one of your vendor’s third parties is breached by an attacker, that attacker could access your network or sensitive information via a third party’s environment.
As the 2015 Verizon Data Breach report notes, almost 70% of cyber attacks target secondary victims. And while attack methods have become more sophisticated, old vulnerabilities remain unpatched. 2016’s Verizon Data Breach report notes that the most exploited vulnerability in 2016 was identified, and a patch issued for it, in 2007.
The scenario of a malicious actor breaching a company, reaching a secondary victim, then accessing a third target’s network, is a very real possibility.
Clear guidance, poor execution
The OCC’s bulletin on Third Party Relationships (2013-29) offers a number of guidelines and standards focused on subcontractor assessment visibility. PWC’s associated regulatory brief outlines major new standards regarding fourth parties and subcontractors, such as:
- Improved due diligence for subcontractors
- Using contract stipulations on vendors to ensure fourth party risk mitigation
- Being aware of the risks and issues that are specific to fourth parties.
But according to a PWC study on Vendor Risk Management, 45% of respondents rely on third parties to monitor their subcontractors, and many don’t assess fourth party risk at all. As part of a mature vendor risk management program, you should be retaining more control over fourth party monitoring and reporting.
How to establish vendor relationships to facilitate fourth party monitoring
Fourth party monitoring is usually a collaborative effort and requires a strong relationship with your vendors. By working with your vendors to establish fourth party monitoring, you’re not only improving your vendor risk management but doing the same for your vendor’s VRM process. It’s a win-win for both information security and risk management.
Because it’s an intensive effort to monitor and manage fourth parties, first understand that this is not a blanket approach. While you should be monitoring, in some capacity, all of your third party vendors, you should not have to monitor all your fourth (and fifth) party vendors.
- First, identify the most risk-critical vendors in your supply chain. If you implemented best practices explained in part 1 of this VRM series, then you’ve already identified and tiered your most critical vendors.
- Next, work with each vendor to make a list of their third parties and their responsibilities. Your purpose is to define the services your vendor’s third parties provide.
The process is similar to mapping your own service risks, as outlined in Part 1 of the series. Consider:
- What services do they provide and how?
- Do they have access to your vendor’s sensitive data?
- Do they have access to your sensitive data?
- If they were breached, what are the attack vectors that would lead to you?
- Are there degrees of separation or deliberate network segmentation to prevent connection between you and your fourth parties?
- What is their security response and business continuity plan if-and-when they are breached?
- Do they use security ratings to assess their third-party risks?
- Where are your fourth party vendors located?
This last point is especially important as service and security risks can shift and change depending on the location of the company. Outsourcing services tend to have a higher chance of being located offshore to reduce costs. We’ll discuss options regarding offshore fourth parties later in this article.
Step 1: Understand your vendors’ cyber security capabilities
In the last step, you compiled a list of third parties and the services they provide. Now you must understand the security monitoring capabilities of each vendor. Consider:
- Do they have a mature VRM program in place?
- Are they engaged in continuous vendor risk monitoring?
- What are their IRPs (incident response plans) should their vendor be breached or compromised?
To get this information from your vendors, it’s important to take a collaborative approach. Knowing the security posture of your fourth party vendors is an exercise in mature vendor risk management. It also encourages your vendors to perform the right practices.
However, due to vastly different vendor relationships, contract limitations, and privacy concerns, there may be some information that your vendor cannot divulge about their third parties. Existing vendor terms, for security’s sake, often limit what can be shared to external parties. Fortunately, even then there are ways to safeguard yourself from fourth party risks.
Step 2: Use contracts to safeguard against high-risk fourth and fifth-party vendors
Leveraging contracts is a way to ensure that your most critical services are not being outsourced, and to require that your vendors notify you if they in turn are using vendors. When drafting a contract with a new vendor, or amending an existing contract, be sure to specify the services that must be performed by your vendors and cannot be outsourced or subcontracted. Insert contract terminology that will trigger notifications when new subcontractors partner with your vendors.
It’s not realistic to do all vendors at once. Start with your most critical vendors, and process new vendors as they enter your third party ecosystem.
You can incorporate fourth-party insight into your vendor risk management process by tailoring questionnaires to discover subcontractors. Penetration tests and onsite assessment terms should be considered with fourth party insight as a sub-goal. If continuous monitoring is part of your ongoing vendor risk management (and it should be), then fourth-party discovery is easy to add as part of the process.
Shared assessments are a strong starting point for identifying the types of definitions and contract terms to negotiate as part of any vendor risk management contract negotiation. To mitigate fourth and fifth party risk, use contract terms that:
- Have strict delineations between Services and services. Clearly define “Services” that only your vendor may provide, with specific terms and requirements that must be adhered to. This clearly defined “Service” will mitigate risk caused by use of subcontractors and fourth parties, by prohibiting their use at all. (Of course, this should apply only for your more critical services.)
- Require notice and approval when such subcontractors are used. For the most critical services you may need to approve any fourth party that would be involved. By placing an approval requirement, you’re taking control of your own third and fourth party risk.
- Ensure risk management extends offshore. Different local laws and standards are likely to apply to offshore subcontractors. For example, companies doing business in the EU have different data-sharing policies than those in the US. These kinds of differences need to be taken into consideration when dealing with a third party’s subcontractors.
Leveraging contracts is even more important for highly regulated industries such as the healthcare or finance industry. As General Counsel News advises, because of the strict scrutiny these organizations are subject to, these organizations should act like regulators themselves when it comes to third and fourth party risk management. By taking a proactive and regulatory approach to fourth party insight, regulated companies can be prepared to adhere to new guidelines and regulations focused on third and fourth party risk management.
Step 3: A mature VRM process provides insight into fourth party and fifth party risk
Just as your third parties can pose a risk to you, your vendor’s third parties can too. As part of a mature VRM process, you should have insight into fourth party risk, giving you a more comprehensive understanding of your vendor ecosystem.
We’ve mentioned before why fourth-party insight is essential for vendor risk management – and despite being a best practice, it’s not nearly common enough. A VRM survey by the Risk Management Association showed that just 33% of survey respondents performed due diligence on vendor subcontractors.
PWC states that “an effective third party risk management program needs to have insight into ‘fourth party’ subcontractors that third parties are themselves using and managing.”
As third party breaches rise, so does fourth party risk. Fourth party insight has become a more urgent need, as those breaches are becoming more and more common. You must know of your critical vendors’ third party use and protect your organization through collaborative risk mitigation techniques and through legal safeguards.