The Underlying Threat to the Supply Chain: Cloud Service Providers

Joel Alcon | June 7, 2016

Organizations have come to depend on cloud service providers for key services - from email and domain registrars, to payment processors and certificate authorities. According to the 2015 Cloud Computing Survey by IDG, 72% of organizations had at least one application in the cloud or a portion of their computing infrastructure in the cloud. As companies move key business processes to a SaaS environment, it is becoming increasingly difficult to monitor and protect sensitive data. Your organization may have excellent data security programs in place, but are your vendors -- and their own vendors -- following similar standards? Do you know exactly where your data lives and can you measure how effectively your information is being protected? Furthermore, what impact does a cloud service disruption have on your business operations?

Staying Ahead of the Threats

On October 15, 2015, UltraDNS, a web hosting service, experienced a technical issue that led to a widely publicized outage, bringing down websites for Netflix, Expedia, and many others for over an hour. In another incident earlier this year, Salesforce experienced a massive outage that left numerous clients unable to access services for over a day and even led to widespread data loss. Outages like these demonstrate the ripple effect felt across multiple industries as a result of fourth party cloud service disruptions. Some organizations are taking a proactive approach to protect themselves in the event of cloud service disruptions or even breaches. IDG expects that in 2016, organizations will increase spending on data security and cloud computing. However, as spending increases, companies must ensure that they target their efforts at the heart of the problem: service providers linked to your critical vendors.

More recently, NS1, a Domain Name System (DNS) provider, was the target of a sophisticated cyber attack that disrupted access to millions of US and European high-profile websites. A single attack impacted hundreds of customers that depended on this mission-critical service. To gauge the impact that a fourth party service breach would have on your organization and take appropriate remediation steps, you must first identify how critical a vendor is to your own business. You should understand the data that each vendor has access to, the business processes that connect them to your organization, and how much sensitive data they handle. As part of a mature vendor risk management program, you would identify the cloud service providers used by your critical vendors and then measure their cybersecurity performance. If your organization manages disaster recovery and business continuity plans, you can integrate this fourth party data into recovery strategies and align it to the areas of the organization that would be impacted by a fourth party outage or breach.

Single Points of Failure

Many organizations manage multiple domains that link to different areas of the business. Are multiple domains relying on the same service provider and what is the backup strategy in case of an outage? If there is an outage, critical systems could be impacted, so it is important to identify the systems that depend on the same service provider. As your IT environment evolves, tracking new connections and reporting this information to the C-Suite becomes an essential step to identifying single points of failure and mitigating cyber risk.
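One way to turn that check into a repeatable report, as an added example that is not part of the original post or of BitSight's product: given each domain's authoritative nameserver (NS) and mail exchanger (MX) hosts, group the hosts by provider, flag providers that a large share of your domains depend on, and flag domains whose DNS sits entirely with one provider. The domain records below are constructed sample data under the reserved `.example` TLD; in practice they would come from NS and MX lookups for each domain you own.

```python
"""Spot fourth-party single points of failure across an organization's domains."""
from collections import defaultdict

# Constructed sample records (not real lookups): each domain's NS and MX hosts.
DOMAIN_RECORDS = {
    "shop.corp-example.com": {"NS": ["ns1.dns-alpha.example", "ns2.dns-alpha.example"],
                              "MX": ["mx.mail-gamma.example"]},
    "pay.corp-example.com":  {"NS": ["ns1.dns-alpha.example", "a.dns-beta.example"],
                              "MX": ["mx.mail-gamma.example"]},
    "hr.corp-example.com":   {"NS": ["ns3.dns-alpha.example", "ns4.dns-alpha.example"],
                              "MX": ["mx.mail-delta.example"]},
    "blog.corp-example.com": {"NS": ["a.dns-beta.example", "b.dns-beta.example"],
                              "MX": ["mx.mail-gamma.example"]},
}


def provider_of(hostname):
    """Approximate the provider by the host's registrable domain (last two labels).
    A public-suffix list would be more accurate for ccTLDs such as .co.uk."""
    return ".".join(hostname.lower().rstrip(".").split(".")[-2:])


def dependency_map(records, rtype):
    """Return {provider: sorted domains} for one record type ("NS" or "MX")."""
    deps = defaultdict(set)
    for domain, recs in records.items():
        for host in recs.get(rtype, []):
            deps[provider_of(host)].add(domain)
    return {provider: sorted(domains) for provider, domains in deps.items()}


def concentrated_providers(records, rtype, min_share=0.5):
    """Providers that at least `min_share` of all domains depend on for `rtype`."""
    cutoff = min_share * len(records)
    return sorted(provider for provider, domains in dependency_map(records, rtype).items()
                  if len(domains) >= cutoff)


def single_provider_dns(records):
    """Domains whose every nameserver belongs to one provider: no DNS failover."""
    return sorted(domain for domain, recs in records.items()
                  if len({provider_of(h) for h in recs.get("NS", [])}) == 1)


if __name__ == "__main__":
    for rtype in ("NS", "MX"):
        print(rtype, "concentration:", concentrated_providers(DOMAIN_RECORDS, rtype))
    print("Single-provider DNS:", single_provider_dns(DOMAIN_RECORDS))
```

Feeding the report to the teams that own disaster recovery gives them the list of domains that share a provider, which is exactly the input a backup strategy for an outage needs.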

Managing Fourth Party Cyber Risk Today

Unfortunately, determining whether your organization has been affected by a fourth party outage or breach, and identifying which of your domains are impacted, can take hours or even days. This presents a problem for IT, risk, and business continuity teams. A 2015 report by the New York State Department of Financial Services surveying 40 banks revealed that only 36 percent of banks stipulate that information security requirements be extended to subcontractors of their third-party vendors. The findings are important, especially considering that financial institutions collect thousands of records, including customer names, addresses, phone numbers, emails, income data, bank account numbers, credit card information, and credit histories. Because of the amount of personal data and the number of vendors potentially accessing this information, the impact of a fourth-party data breach or outage could be catastrophic for a financial institution. So why are many organizations failing to take additional steps to manage fourth party risk? A look at today's third party risk management process could provide the answer. Organizations today use questionnaires and risk assessments to gauge the risk posed by any third party. However, the process is time-consuming, provides only a point-in-time view, and is only as accurate as the vendor's responses.

Elevating Risk Management

Identifying fourth party relationships is a difficult process today. Being able to automatically pinpoint fourth party cloud service relationships enables risk management teams to better assess the risk from any vendor. Understanding vendor risk is not simply about evaluating the cybersecurity performance of your vendors, but about the effectiveness of their business partners as well.

As organizations move towards cloud-based solutions, continuously monitoring the performance of cloud service providers will continue to be an important aspect of vendor risk management. We expect this fourth party discussion to reach Board of Directors and regulators. In future blogs, we’ll discuss ways that organizations can use this type of fourth party data to elevate their enterprise and vendor management processes.

BitSight Technologies has launched BitSight Discover for Enterprises, the only vendor discovery solution that instantly highlights potentially risky cloud service providers connected to any vendor. BitSight leverages the most accurate data sources in the world to pinpoint connections between an organization, its vendors, and their vendors’ cloud service providers. In-depth network maps give risk teams instant visibility into the third and fourth party connections of more than 50,000 companies. When teams integrate this data with BitSight Security Ratings, organizations can identify their at-risk vendors and further analyze gaps in their vendor ecosystem. For more information about BitSight Discover, visit

Want to see the product in action? Register for our webinar on June 23 at 11:15 AM ET.
