Part 3: How to Establish Fourth Party Insight to Know Your Vendor’s Real Risk
If you have prioritized your vendor assessments, established a centralized vendor risk management program to engage in continuous monitoring, as we discussed in part 1 and part 2 of our series, you might think you have a strong mitigation plan. But you might be ignoring a major risk factor: Your vendor’s third parties.
Fourth and fifth parties are your vendor’s third parties and subcontractors that are subject to the same risk as your vendors, thus putting your organization at risk. If one of your vendor’s third parties is breached by a hacker, that hacker could potentially obtain access to your network or to sensitive information within a third party’s environment. As the 2015 Verizon Data Breach report notes, almost 70% of cyber attacks target secondary victims. As attack methods become more sophisticated and older vulnerabilities are exploited (2016’s Verizon Data Breach report notes that the most vulnerability exploited in 2016 is a 2007 CVE), the scenario of a malicious actor breaching a company, reaching a secondary victim, then accessing a third target’s network, becomes a real possibility.
The OCC’s bulletin on Third Party Relationships (2013-29) offers a number of guidelines and standards focused on subcontractor assessment visibility. PWC’s associated regulatory brief outlines major new standards regarding fourth parties and subcontractors, which include improved due diligence for subcontractors, using contract stipulations on vendors to ensure fourth party risk mitigation, and being aware of the risks and issues that are specific to fourth parties. But from a PWC study on Vendor Risk Management, 45% of respondents rely on third parties to monitor their subcontractors and many don’t assess fourth party risk at all. As part of a mature vendor risk management program, you should be retaining more control over fourth party monitoring and reporting.
In part 3 of Revamping Your VRM Program series, we’ll show you how to utilize your vendors and contracts in order to implement fourth party monitoring in your VRM program.
Establishing Vendor Relationships to Facilitate Fourth Party Monitoring
Fourth party monitoring is usually a collaborative effort and requires a strong relationship with your vendors in order to obtain information pertaining to your fourth parties. It’s important to note that by working with your vendors to facilitate and engage in fourth party monitoring, you’re not only improving your vendor risk management but doing the same for your vendor’s VRM process.
Because fourth party monitoring is an intensive effort, first understand that this is not a blanketed approach. While you should be monitoring, in some capacity, all of your third party vendors, you should not be monitoring all your fourth party vendors.
Before anything else, identify your most risk-critical vendors. If you implemented best practices listed in part 1 of the series, you’ve already identified and tiered your most critical vendors.
After identifying your risk-critical vendors, work with each vendor to produce a list of their third parties along with their responsibilities, defining the services your vendor’s third parties provide. Things to consider are:
- What services they provide and how?
- Do they have access to your sensitive data?
- Do they have access to your vendor’s sensitive data?
- If they were breached, what are the attack vectors that would lead to your data being compromised?
- Are there degrees of separation or deliberate network segmentation implemented to prevent connection between your organization and your fourth parties?
- Where are your fourth party vendors located? – This last point is especially important as service and security risks can shift and change depending on the location of the company. Outsourcing services tend to have a higher chance of being located offshore due to the reduced cost of services. We discuss options regarding offshore fourth parties later in this article.
The process is similar to understanding the service risks that could apply to you, as described in Part 1 of the series.
After compiling a list of third parties and the services they provide, you must now understand the security monitoring capabilities of your vendor. Do they have a mature VRM program in place? Are they engaged in continuous vendor risk monitoring? What are their IRPs (incident response plans) should their vendor suffer a data breach or other security compromise?
When looking to procure this information from your vendors, it’s important to take a collaborative approach. Knowing the security posture of your fourth party vendors is an exercise in mature vendor risk management and also encourages the right practices to be performed by your vendors.
However, due to vastly different vendor relationships, contract limitations, and privacy concerns, there may be some information that your vendor cannot divulge about their third parties. Existing vendor terms, for security’s sake, often limit what can be shared to external parties. Fortunately, there are ways to safeguard yourself from fourth party risks without needing to obtain information from your vendors.
Utilizing Contracts To Safeguard Against High-Risk Fourth and Fifth-Party Vendors
Leveraging contracts is a way to ensure that your most critical services are not being outsourced and that your vendors notify you if any vendors are being used. When drafting a contract with an incoming vendor or if you’re making any amendments to an existing contract, be sure to specify the services that must be performed by your vendors and cannot be outsourced or subcontracted to a third party.
This can be implemented now for your most critical vendors and moving forward as new vendors enter your third party ecosystem. You can incorporate fourth-party insight into your vendor risk management process by tailoring questionnaires to discover your vendor’s subcontractors and inserting contract terminology that will trigger notifications when new subcontractors partner with your vendors. Penetration tests and onsite assessment agreements and terms should be considered with fourth party insight as a sub-goal. If continuous monitoring is part of your ongoing vendor risk management, then fourth-party discovery can be easily added as part of the process.
Shared Assessments provides a strong starting point to the types of definitions and contract terms that should be incorporated into any vendor risk management negotiation in order to mitigate fourth and fifth party risk. These include:
- Having strict definitions between Services and services. Clearly define ‘Services’ that only your vendor can provide with specific terms and requirements that must be adhered to. This clearly defined ‘Service’ will mitigate any increased risk caused by use of subcontractors and fourth parties by preventing the use of a fourth party for your most critical services.
- Notice and approval provisions that ensure you’re notified when subcontractors are used and, for the most critical services, need you to approve any fourth party that would potentially be involved in that service. By placing an approval requirement, you’re taking control of your own third and fourth party risk.
- Ensuring offshore outsourcing risk management in order to comply with new standards, risks, and controls that emerge when dealing with offshore subcontractors due to different geographical standards and laws in place. For example, companies in the EU have different data-sharing policies than companies in the US. These kinds of differences need to be taken into consideration when dealing with a third party’s subcontractors.
Leveraging contracts is even more important for highly regulated industries such as the healthcare or finance industry. As General Counsel News advises, because of the strict scrutiny these organizations are subject to, it is beneficial for these organizations to act like regulators themselves when it comes to third and fourth party risk management. By taking a proactive and regulatory approach to fourth party insight, regulated companies can be prepared and adhere to guidelines and regulations that are increasingly becoming focused on third and fourth party risk management.
Just like your third parties can pose a risk to you, the same is true for your vendor’s third parties. As part of a mature VRM process, you should have insight into fourth party risk , giving you a more comprehensive understanding of your vendor ecosystem.
We’ve mentioned before why fourth-party insight is essential for vendor risk management and a RMA (The Risk Management Association) VRM survey shows that 33% of survey respondents performed due diligence on vendor subcontractors. PWC states that ‘an effective third party risk management program needs to have insight into “fourth party” subcontractors that third parties are themselves using and managing…”
Fourth party insight is becoming more and more important as third party breaches continue to occur because as third party breaches rise, so does fourth party risk. It’s important to have knowledge of your important vendor’s third party use and protect your organization through collaborative risk mitigation techniques and through legal safeguards.
Tips For SecurityScorecard Customers – Our Automatic Vendor Detection (AVD) module released early this year non-intrusively finds the third parties of your vendors and offers insight on their security rating and overall posture. To display your fourth party vendors, just click on the ‘View AVD’ link next to one of your vendors and the AVD module will automatically find your fourth party vendors.