In today’s interconnected world, supply chains are growing exponentially. As a result, third-party risk has become a big focus for senior management. But what about the vendors that your suppliers rely on and the threat of fourth-party risk?
Fourth-party risk management is the process of assessing and managing risks, such as cybersecurity vulnerabilities or compromise, in your extended vendor ecosystem. Fourth parties are the vendors behind your vendors: the additional layer of suppliers beyond your immediate third-party partners.
The importance of fourth-party cyber risk management
While your vendor’s subcontractors provide your business with core capabilities and sources of competitive advantage, they also extend its attack surface in ways that are not always understood. They may even lack direct relationships with all of the parties involved.
To mitigate vendor cyber risk, organizations must go beyond third-party risk management to achieve a new level of risk awareness and reduction.
The challenges to knowing your extended ecosystem
A study by Gartner finds that 60% of organizations work with more than 1,000 third parties. Try to imagine the size of the fourth-party ecosystem behind that. It’s almost impossible to fathom.
This risk surface also continues to expand in ways which are not understood – most notably in the area of cybersecurity. Without a clear understanding of the business relationships and security posture of your extended ecosystem, outages, disruptions, and compromises can threaten your organization. You may also be held liable for data loss and struggle to achieve any level of cyber resiliency.
Unfortunately, many organizations are using flawed approaches to overcome these challenges.
According to research by financial services firm EY, 28% of organizations fail to monitor subcontractors at all, while 80% rely on their third parties to passively monitor fourth parties through contracts, SLAs, warranties, and self-assessments. Each of these methods shows a point-in-time snapshot of the parties’ security postures. As such, they may not be entirely up to date or accurate.
Fourth-party cyber risk management is also hampered by many of the solutions offered by security and risk management firms. Many simply provide their clients with an inventory or list of their fourth-party suppliers under the guise of a “fourth-party risk management” solution.
In reality, you can’t claim to be managing fourth-party risk until you’re also managing and monitoring the connections between the fourth parties and their associated partners.
The impact of “concentration risk”
To better understand how your organization can manage fourth-party risk, cyber or otherwise, you need to know what you’re looking for.
Start by identifying areas of concentration risk: critical areas of risk in your supply chain that could impact your business in the event of a breach or other cyber-attack. Concentration risk (also known as aggregate risk) is becoming an increasingly large problem that can create a nasty ripple effect throughout your entire supply chain.
Previously, the approach to mitigating concentration risk was to ask your vendors to provide additional information on what types of vendors and subcontractors they work with. This approach is problematic because the responses are subjective and not verifiable.
Furthermore, as the EY study finds, nearly 75% of organizations say that fourth-party concentration risk would be extremely challenging to report on or that they can’t report it at all, often because they don’t know all of their vendors.
How to manage fourth-party cyber risk
To help you better assess and mitigate risk in your extended vendor ecosystem, we’ve identified three key areas to include in your fourth-party risk management program.
The first step in fourth-party risk management is visibility. You need to be able to identify vendors you do business with, uncover their business relationships, and validate their use of subcontractors. Only then can you identify areas of concentrated cyber risk.
BitSight can take much of the time and effort out of this process by helping you automatically pinpoint connections between any organization and its business partners. Our fourth-party risk management solution also quickly identifies and highlights potentially risky fourth parties.
It's not enough to identify the names of organizations in your fourth-party network; you must understand the risk posed by the products they use. For example, while it’s important to know that ACME Corporation has a fourth-party relationship to you, you also need to know if ACME’s product line of XYZ software is being used by your third parties on their critical domains. And, more importantly, what the security posture of that product is.
This level of insight is impossible to achieve using traditional passive monitoring techniques. Only BitSight can help you achieve this insight into concentration risk.
Using advanced analytics, BitSight identifies and tracks over 11,000 unique products across 77 product types so you can see which products your fourth parties use and the risk surface they present.
BitSight also gives you dashboard views into fourth-party dependencies, concentration risk, and insight so that you can identify and prioritize resources towards your riskiest connections.
Once you’ve uncovered concentrated risk, there are a couple of steps to take. First, adjust your business continuity and disaster recovery plans to account for newly acquired insights into risk in your supply chain. Next, validate assessment responses from your third parties as to whether they’re using fourth parties.
It’s also important to have a conversation with your third parties about enforcing contractual terms that limit them from using potentially risky partners. Alternatively, you may simply update your contracts to include language that permits you to request information on how your third party has assessed a fourth-party partner, or even ask to assess them yourself.
If you have cybersecurity insurance, find out if you can add concentration risk to your policy.
Finally, once you have a complete list of your critical fourth parties, take steps to continuously monitor their security ratings. If a security rating drops, that may be a sign of a security weakness that should be addressed with the vendor in question.
Don’t ignore fourth-party vendor risk
Too many organizations dismiss fourth-party risk management, believing that supply chain risk is only a material goods risk or that their contracts and agreements will protect them. Today, a staggering 30% of organizations are aware of the extension of risk created by these fourth-party connections but are not taking any action.
This flawed thinking is leaving valuable insights on the table and exposing organizations to serious cybersecurity risk. With the explosive growth of outsourced technology services and cloud computing, coupled with a growing dependency on contractors and subcontractors, it's incumbent on your organization to assess and mitigate fourth-party risk exposure, today and for the long term.