As we’ve seen in recent events such as the SolarWinds hack, third-party risk poses a serious threat to business continuity. What the incident also demonstrated is that fourth-party risk, or the risk posed by a contracted vendor’s third parties, can equally threaten data security and operations. Your organization may have integrated a robust third-party risk management program (TPRM) – but what if keeping an eye on your third parties alone isn’t enough?
Fourth-party vendors are typically overlooked in a traditional third-party risk management program, making the risk they pose invisible to the organization. A recent podcast from ProcessUnity and Crowe discussed why organizations are placing increasing importance on this type of vendor risk: as the vendor population grows, so does the potential for fourth-party risk, creating exponential opportunities for business disruption that need to be addressed.
Identifying Risk in Fourth-Party Vendors
You may wonder how fourth-party vendors can pose a threat to your organization without a contractual relationship. However, an organization’s third parties can be used as a back door to access customer data or breach the organization’s network. Attackers need only one back door to access an integrated network and jumpstart a cascading disruption throughout the supply chain.
Third-party risk management professionals can begin to mitigate risk throughout the extended enterprise by building fourth-party controls into the core of their TPRM program.
Fourth-party risk management begins with a comprehensive third-party risk management system. During vendor onboarding, pre-contract due diligence should scope a vendor’s own third-party risk management processes. Transparency around a potential third party’s key vendors should be established so that fourth parties can be holistically understood from the start.
SecurityScorecard outlined three key items to understand about your fourth-party vendors:
- Who they are.
- What services or products they provide to your vendor that make them significant to operations.
- What cybersecurity due diligence your service provider has performed on these vendors.
Ongoing review of subcontractors should be an integral part of any intelligent vendor assessment, particularly if the services they deliver are critical. Overall, an organization’s risk is vastly reduced when its vendors also practice proper risk management.
Focus on Critical Vendors
According to a Ponemon study, companies share confidential and sensitive information with an average of 583 third parties. If each of these third parties has 583 vendors of its own, managing all the possible avenues for risk can seem impossible.
Fortunately, you don’t have to focus equal attention on every vendor in your population. Consider potential fourth-party risk as a factor during vendor classification to determine the most critical vendors. Leverage inherent risk scoring during vendor onboarding to classify which third and fourth parties to focus resources on. Ranking vendors by risk criticality with fourth-party risk in mind will help your organization sort through the noise and prepare for issues as they arise.
Using Vendor Risk Management Centralization to Address Fourth-Party Risk
Fourth-party risk can directly impact the organization’s brand and reputation within the market, making fourth-party risk the organization’s risk. Organizations can automate their vendor management processes to address a broad web of risks throughout their fourth parties. Leveraging a centralized technology platform is essential to govern third and fourth parties with cross-functional integration between departments.
ProcessUnity Vendor Risk Management offers the agility and efficiency to adequately mitigate disruption throughout the extended enterprise – including even the most distant fourth parties.