What is Fourth-Party Vendor Risk Management?
According to expert studies, more than 70% of organizations have a moderate to high level of dependency on external entities. This includes third-, fourth-, or even fifth-party vendors. Research has found that, on average, businesses use over 500 third-party vendors, with Fortune 100 organizations having vendor counts in the tens of thousands. On the lower end of the spectrum, 58% of organizations still say they share information with more than 100 third parties. While your organization may have prioritized vendor assessments and vendor risk management programs, you could be overlooking a major risk factor: your fourth-party vendors. A fourth-party vendor is a vendor that your organization doesn’t have a direct contract with, but your vendor (the third party) does.
Why Is Fourth-Party Vendor Management Important?
As third-party breaches rise, so does fourth-party risk. For example, an organization can easily use 30 vendors, and if each of those vendors outsources to 30 other companies, that represents 900 companies with risk exposure. For larger companies, that number can increase exponentially. So, with data breaches and cyber-attacks becoming more prevalent and costly, it’s even more important to add fourth-party oversight to your vendor management program. If you’re feeling overwhelmed, don’t worry, you’re not alone.
How to Implement Fourth-Party Oversight?
If you have already established a third-party risk management program, then expanding it to include fourth parties shouldn’t be that difficult a task. In fact, helping vendors with their own third-party monitoring also gives your business a more comprehensive understanding of your vendor risk exposure. Here are a few steps to get you started:
1. Identify your most critical third-party vendors. Those that present the most significant risk to your organization are a good place to start.
2. Work with each vendor to create a list of their most critical vendors, especially those specific to your business and those that “touch” your data and the services that are provided to you. It is important to understand whether they have access to your vendor’s sensitive data (which may include yours), what vulnerabilities exist in how they access that data, how the vendor’s network is set up to prevent unauthorized access to your data, what business continuity (BCP) and incident response plans they have, and where they are located.
3. Ensure that your third party has done its due diligence on its vendors. BitSight scores are a helpful resource for identifying concentrations of risk.
4. Review SSAE 18 reports to assess whether third-party vendors practice sound vendor management. The Statement on Standards for Attestation Engagements 18 (SSAE 18) includes a vendor management section that requires a vendor to define the scope and responsibilities of all its subcontractors.
5. Review and revise your third-party contracts as needed based on the risks identified above. Be sure to include a “right to audit” clause in the contract.
6. Conduct periodic audits to validate vendor security practices. This one is self-explanatory but crucial. For the risk to be reduced, it's important not to let your guard down. Stay on top of these vendors with regular audits and raise any concerns as soon as they arise.
Data breaches have been steadily increasing over the years, and an attack against your organization is not limited to how secure your own network is. There have been numerous examples of “secondary attacks”, where a data breach victim has its vendors attacked, or where an attacker uses a vendor to reach its primary target’s data. Therefore, you must know which third parties your critical vendors use, and protect your organization through collaborative risk mitigation techniques and thorough safeguards. Overall, the key to vendor management really comes back to building a strong working relationship in which both organizations know what is expected of one another and are willing to deliver on it.