Every company outsources parts of its operations to multiple suppliers. Those suppliers, in turn, outsource their operations to other suppliers. This is fourth-party risk. The risk to your company posed by suppliers' suppliers.
Digital transformation has extended to the supply chain, meaning organizations, especially those in banking and financial services, are now dealing with more third parties than ever. In fact, Gartner research shows that 60 percent of organizations work with more than 1,000 third parties.
While an organization may have effective cybersecurity practices in place, its vendors may not. A third-party risk management program helps to mitigate the digital risks associated with this ever-growing attack vector.
If you understand fourth-party risk and want to know how to monitor your fourth-party risk, click here to skip ahead.
What is a Fourth Party?
Fourth parties are your organization's vendors' vendors. Most organizations do not have any direct contact with entities beyond third-party vendors.
Your information security team still remains just as responsible for fourth-party risk management as they are for third-party risk management (TPRM).
You can identify your organization's fourth parties from your own vendor's System and Organization Control (SOC) reports. It is important that your third parties have a robust vendor risk management program in place to ensure fourth parties are vetted appropriately.
- Type 1 SOC Report: Details that an organization has appropriate cybersecurity risk management controls in place on the date of issue.
- Type 2 SOC Report: Focuses on the effectiveness of the controls outlined in the Type 1 report. Type 2 SOC reports usually cover a timeframe of six months to a year to assess if the controls are operating effectively in practice.
The SSAE 18 Standard
The introduction of Statement on Standards for Attestation Engagements (SSAE) 18 has made fourth-party identification and prioritization more transparent.
SSAE 18 is an audit standard that aims to improve the functionality and quality of SOC reports. The standard came into effect on May 1, 2017, superseding both SSAE 16 and SAS 70.
It states that third parties are now obliged to inform your organization of their critical vendors - your fourth parties - in their SOC reporting.
SSAE 18 aims to ensure that organizations are:
- Taking more ownership of internal controls and compliance monitoring to identify and classify risk.
- Appropriately managing third-party risk and vendor relationships.
Why is Fourth-Party Risk Important?
Your organization inherits all the risk in its ecosystem or supply chain. While third parties are more directly connected to your organization than fourth parties, it is still just as important to monitor your vendors' suppliers, subcontractors, and service providers.
If a fourth party suffers a data breach, the associated third party may offer an additional layer of security, but this is not sufficient protection.
Regardless of where the breach occurs, your organization is wholly responsible for implementing comprehensive attack surface management. This responsibility means that your organization is still liable for any regulatory, financial, or reputational consequences a fourth party may bring to your organization.
It's also important to note that provided an organization can easily have upwards of 1,000 third-party relationships, this number multiplies exponentially when fourth parties are also taken into account. Security teams must acknowledge the significant increase fourth parties bring to an organization's total attack vectors.
How Fourth-Party Vendors Pose a Threat to Your Business
Fourth parties do not have a direct contract with your organization, or you may not even be aware of who your fourth-party vendors are. This lack of documentation means your organization also does not know the cybersecurity risk management practices your fourth parties have in place.
This poses a threat to your organization in the event one of your critical vendors' vendors experiences a security incident, as you will not be aware of the fourth party's business continuity plan — if any.
For example, if your vendor is forced to cease operations due to a data breach, cyber attack, or other security incident affecting one of their critical vendors, this will directly impact your organization's operations.
Even worse, if a fourth-party vendor has access to any of your organization's sensitive data, then you will also be at risk of being compromised in the event of a security incident. In such an instance, your organization could also fail to comply with regulations like GDPR, HIPAA, and PCI-DSS.
Aside from cybersecurity risk, other potential risks posed by fourth-party vendors can include:
- Operational risk
- Legal, regulatory, and compliance risk
- Reputational risk
- Financial risk
- Strategic risk
Gaining visibility over your fourth parties is the first step to mitigating these risks. The discipline of managing fourth-party security risks is known as Fourth-Party Risk Management (FPRM)
What Do You Need to Know About Your Fourth-Party Vendors?
Your organization should prioritize identifying who its critical vendors' vendors are. These fourth parties are the most likely to pose operational and cybersecurity risks to your organization, especially if they are also critical to your vendors.
Understanding the services these fourth-party vendors provide and other information about their business relationship with your vendors will help your organization to respond accordingly during a security incident.
Identify Fourth-Party Risks From Your Supply Chain
After identifying your organization's most critical fourth parties, it is also important to find out who your vendors' mutual vendors are. For example, many vendors will have Amazon and Microsoft services as common fourth parties.
These vendors may not pose a great risk to your organization on their own. However, the combination of all vendors experiencing business disruption due to a mutual fourth party's security incident is certainly a reason for concern.
Should Vendor Assessments Include Fourth Parties?
Your organization likely has thousands of fourth-party relationships, which would be impossible to assess independently.
Your third parties should be responsible for performing risk assessments and must have an effective third-party risk management framework in place.
A defined TPRM program ensures your vendors are performing their due diligence and tracking your fourth parties through appropriate cybersecurity metrics.
Monitoring Fourth-Party Risk
To monitor fourth-party risk effectively, your organization should focus its efforts on examining the most relevant fourth parties to establish a manageable fourth-party risk program. Traditional fourth-party monitoring methods rely heavily on third-party reporting.
This reporting may not always be accurate and communication lapses can prevent the flow of up-to-date information.
The most effective way to do this is by focusing on concentration risk in your supply chain. Identifying concentration risk involves pinpointing critical areas of your fourth-party risk exposure.
This process should cover:
- Each fourth party's security rating.
- The total number of products your vendors are using.
- How many of your vendors are using the fourth party.
How to Manage and Assess Fourth-Party Risks
Successfully managing and assessing your fourth parties requires close collaboration with your third-party vendors. Scaling your security team across a growing vendor base can prove difficult.
Using UpGuard's fourth-party risk module, you can automatically identify all of your fourth parties and mitigate the impact of their vulnerabilities on your sensitive data, thereby reducing the threat of supply chain attacks.