Originally published in the November 2024 edition of Intelligent Risk magazine

Cyber risks have gained the attention of business executives because they are, in effect, operational risks: a successful attack can have devastating operational and financial impacts and damage an organization's reputation. Among cyber risks, third-party or supply chain risk has become one of the most challenging areas, because heavy and unavoidable reliance on third parties such as cloud and SaaS providers is a reality of today's IT and security operations. An organization's sensitive and proprietary data is transmitted to, processed by, and stored in these third parties' computing environments. But third parties in turn engage other external parties (i.e., fourth parties) to support their operations, and those fourth parties may handle your organization's data as well. How well do they protect it?

Figure 1: Fourth-Party Relationships in Supply Chain Management

How to identify fourth-party risks?

Since many fourth parties may be involved in the supply chain, the most important first step is identifying who handles your organization's sensitive information behind the scenes. Vendor due diligence requirements in cybersecurity laws and guidelines for highly regulated sectors, such as banking, insurance, and health care, may already oblige risk managers to request fourth-party information from third parties, and a contractual disclosure clause makes that information straightforward to collect. But when no such clause exists in the already-signed contracts, and unwilling vendors push back on or ignore requests for the information, what else can organizations do?

External attack surface management (EASM) is the practice of identifying potential vulnerabilities and security gaps in an organization's public-facing digital attack surface, including the SaaS providers that the organization is linked to as third parties and fourth parties. An EASM tool, which is often a SaaS solution itself that presents scan results in a dashboard, typically needs no connection into the organization's network: it starts from minimal seed information such as the organization's domain names and works outward to enumerate publicly reachable IT assets and any vulnerabilities in them. One of the most powerful capabilities of EASM tools is discovering internet-facing assets that the organization may not know about, including those hosted or operated by third parties and fourth parties. Vendor relationships are inferred from public data (DNS records, TLS certificates, hosting and IP ownership, and the like), so discovered links should be treated as leads to verify with the vendor rather than as proof, and any active scanning of assets that belong to a vendor needs that vendor's authorization. These tools continuously survey the organization's digital surface, identify new assets as they appear, and report vulnerabilities, threats, and risks via the dashboard.

Figure 2: A sample dashboard from an EASM tool

How to manage fourth-party risks?

To manage fourth-party risks, organizations can ask their third parties to explain the mechanisms they use to monitor the security controls of their fourth parties, including how and when the organization will be notified of security incidents at a fourth party that may affect its operations and data. This is also a good opportunity to review the third parties' SLAs for security incident notification and determine whether the notification timeframe aligns with your company's disaster recovery and business continuity policies and with regulatory requirements.

As part of continuous monitoring of third parties, likely through a commercial security scoring service, your organization should include high-risk fourth parties in scope, monitor their security scores, and be proactively alerted to breaches at a fourth party, and even to fourth-party downtime that can cause outages or financial loss to your business. Additionally, continuous or regular EASM scans can surface vulnerabilities and misconfigurations in both third parties and fourth parties, giving the vendors a concrete basis for timely remediation.

What can be done to reduce your third parties’ concentration risk?

If your third parties rely heavily on one common vendor (i.e., a fourth party) to deliver services to your organization, that single point of failure may be a risk you are not comfortable with. Concentration risk can mean over-reliance on one company for critical services and/or on resources in a region that has been affected by civil unrest or war. Raise the concern with your third parties: larger third parties' risk management departments have often already considered concentration risk and may have data to quantify it and plans to reduce it.
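The discovery idea behind EASM (inferring which providers sit behind a domain from public records) and the shared-dependency question in this section can both be made concrete with one small script. The Python below is an added illustration and is not the article's code or any EASM product's: it walks a domain's SPF "include:" chain, the public TXT records that list who may send mail for a domain, so the vendors a domain references directly show up as third parties, the providers those vendors reference show up as fourth parties, and any fourth party reached through two or more different vendors is flagged as a concentration signal. The DNS records, domain names, the lookup function and the 10-lookup cap (which approximates the limit SPF evaluators apply) are all constructed assumptions for the example; mail-sending providers are only one slice of what an EASM tool correlates, and a real run would replace the embedded records with a resolver call.

```python
"""Walk SPF include chains to map third- and fourth-party mail senders.

Added example, not from the article or any EASM vendor. The TXT records
below are constructed and every domain name is a placeholder; a real run
would replace lookup_txt() with a resolver call (e.g. dnspython).
"""
import re
from collections import defaultdict, deque

# Constructed DNS TXT answers keyed by owner name (assumption: stand-in for live DNS).
FAKE_TXT = {
    "example.com": "v=spf1 include:_spf.crm-vendor.example include:spf.mailer.example -all",
    "_spf.crm-vendor.example": "v=spf1 include:_spf.cloud-host.example ip4:198.51.100.0/24 ~all",
    "spf.mailer.example": "v=spf1 include:_spf.cloud-host.example redirect=spf.ticketing.example",
    "_spf.cloud-host.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "spf.ticketing.example": "v=spf1 include:spf.mailer.example ~all",  # refers back: a loop
}

_INCLUDE = re.compile(r"^[+\-~?]?include:(\S+)$", re.I)
_REDIRECT = re.compile(r"^redirect=(\S+)$", re.I)


def lookup_txt(name, records=FAKE_TXT):
    """Return the SPF TXT record for name, or None if there is none."""
    return records.get(name.lower())


def walk_spf(domain, lookup=lookup_txt, max_lookups=10):
    """Follow include:/redirect= references breadth-first from domain.

    Returns (depth_by_name, parents_by_name, lookups, truncated):
      depth 1  = referenced directly by the domain (third party)
      depth 2+ = referenced by a vendor (fourth party and beyond)
    Loops are cut by the seen set; max_lookups counts each include/redirect
    term once and stops the walk when the cap is hit (truncated=True).
    """
    depth, parents, seen = {}, defaultdict(set), set()
    queue = deque([(domain.lower(), 0)])
    lookups, truncated = 0, False
    while queue and not truncated:
        name, d = queue.popleft()
        if name in seen:
            continue
        seen.add(name)
        record = lookup(name)
        if not record or not record.lower().startswith("v=spf1"):
            continue  # no SPF policy published: nothing further to follow
        for term in record.split()[1:]:
            match = _INCLUDE.match(term) or _REDIRECT.match(term)
            if not match:
                continue  # ip4:, a, mx, all, etc. carry no delegation
            if lookups >= max_lookups:
                truncated = True
                break
            lookups += 1
            child = match.group(1).lower()
            parents[child].add(name)
            depth[child] = min(depth.get(child, d + 1), d + 1)
            queue.append((child, d + 1))
    return depth, dict(parents), lookups, truncated


def classify(depth):
    """Split discovered names into (third_parties, fourth_parties)."""
    third = sorted(n for n, d in depth.items() if d == 1)
    fourth = sorted(n for n, d in depth.items() if d >= 2)
    return third, fourth


def shared_dependencies(parents, depth):
    """Fourth parties referenced by two or more vendors: a concentration signal."""
    return {n: sorted(p) for n, p in parents.items()
            if depth.get(n, 0) >= 2 and len(p) >= 2}


if __name__ == "__main__":
    depth, parents, lookups, truncated = walk_spf("example.com")
    third, fourth = classify(depth)
    print("third parties :", third)
    print("fourth parties:", fourth)
    print("shared fourth parties (concentration):", shared_dependencies(parents, depth))
    print(f"{lookups} delegation lookups, truncated={truncated}")
```

With the constructed records, the CRM vendor and the mailer are third parties, the cloud host and the ticketing service are fourth parties, and the cloud host is flagged because both vendors delegate to it. The same walk over real records is what an analyst would verify with each vendor before recording the relationship in a vendor management platform.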

Who in your organization should monitor the fourth parties and their risk?

Managing third-party, fourth-party, and supply chain risks usually requires cross-departmental effort. The organization's procurement and/or third-party vendor management departments may be centrally responsible for onboarding vendors and completing initial and continuous due diligence. However, in many cases the direct interaction with the third parties, receiving the services, determining the service levels, and knowing who the fourth parties are, is done by the IT and application owners, who sit outside the enterprise-level departments.

IT and application owners are exactly the people whom front-end users of the applications or tools contact in cases of system outages, glitches, and security incidents, and they may have collected such service and security data over time. A disconnect between the enterprise-level departments and the front-line owners who deal with the third-party relationships first-hand often arises when actual service levels are not communicated, or not communicated in time. This is particularly likely when there is no enterprise-wide procurement, third-party vendor, or supply chain management platform in place.

To improve communication, organizations should mandate at least an annual update of third- and fourth-party information in such a platform, preferably aligned with the timeline for reviewing SLAs and renewing contracts. The platform should ideally integrate with a service that provides vendors' security scores, displaying all the pertinent information in a single pane of glass. A RACI chart detailing the roles and responsibilities of the centralized and decentralized stakeholders should be created as well.

Conclusion

Managing supply chain risk effectively takes a multi-faceted approach: an effective vendor risk management program, a commercial-grade vendor management platform, an EASM tool, and contractual agreements enhanced to require fourth-party disclosure, among other measures. Only by bringing people, process, and technology together in a thoughtful and coherent way does managing fourth-party risk become possible.