Fourth-party risk is broadly classified as risk stemming from "vendors of vendors," many which the contracting organization may not even be aware of. Even if your company has a well-developed information security program, unknown fourth parties and Nth parties can still cause significant disruptions in your supply chain.
For example, take the recent ransomware attack on the Colonial Gas Pipeline. Gas stations across the U.S. east coast ran empty, and millions of consumers were left wondering how they would get to work. In many cases, individual gas stations may have never even heard of Colonial Pipeline, much less realized that a cyberattack could cripple it and, by extension, their supply chain.
An effective supply chain risk management program can help you identify, remediate and manage risks across all vendors – third-party, fourth party and beyond. This article explains how vendors are classified and provide tips for effectively managing risk at all levels of your supply chain. We’re going to cover:
Third-party vendors are companies that your organization works with directly. Fourth parties are companies that contract with your third parties. For instance, if your company contracts with a polyester supplier, then that supplier would be classified as a third party. If they utilize a manufacturer based in Vietnam, then the manufacturer would be a fourth party. A Cambodian raw material supplier to the manufacturer would be an example of a fifth party. If Cambodian laws were to change to make it more expensive to produce ethylene, a key ingredient in polyester, then it could cause a ripple effect throughout your supply chain.
Sometimes, the further removed from the contracting organization that the Nth party is, the less impact a disruption causes – but this isn’t always the case. Colonial Pipeline is a prime example of how one supplier suffering a cyberattack can cripple businesses up and down the supply chain. These risks are particularly acute when you are highly dependent on one vendor that can’t be easily replaced. The more visibility you gain into your organization’s vendors, and the vendors of your vendors, the more you will understand and effectively mitigate unacceptable risks.
Vendor Risk Management (VRM) has recently become critical for organizations of all sizes. However, many companies stop at third parties when considering vendor risk. Over the past 30 years, supply chains have become increasingly global. Many organizations now rely on hundreds, if not thousands, of fourth- and Nth-party vendors throughout their supply chains. In many cases, an organization may be completely unaware that they rely on an Nth-party vendor until a significant disruption occurs. Below are some guidelines to help you account for fourth and Nth parting in your broader VRM program.
It's important to identify the fourth parties that work with your mission-critical vendors. If a crucial fourth-party vendor experiences a security breach, supply chain issue, or other interruption, then your business will likely face consequences. To mitigate risk and plan appropriately, you need to know who your fourth-party vendors are. Examine your vendor portfolio for any fourth parties shared by several suppliers, such as Amazon Web Services or another common vendor.
In a perfect world, you could ensure that every company you work with applies the same standards to their vendors as you do. However, this is not always the case – yet you still need to work with 4th, 5th and Nth parties to successfully run your organization. That’s why it’s important to determine your company's risk tolerance related to fourth and Nth parties and build processes to assess their inherent risk and residual risk (i.e., risk levels before and after controls are applied, respectively). We recommend categorizing all vendors and including inherent risk as a key factor for establishing control requirements for each service tier. For example, your vendor’s cloud service provider will be subject to more stringent requirements than their cleaning contractor.
It’s also critical to be on the same page with vendor contracts regarding fourth-party liability and accountability. Start by documenting relationship management practices with crucial stakeholder business units and identifying partner touchpoints throughout the supply chain. Then, build service level agreements and control requirements into contracts depending on each vendor's service, tier or category and implement change management to address any scope changes. Finally, ensure that requirements are met through ongoing vendor SLA and performance management practices.
On-Demand Webinar: Strategies to Mitigate Supply Chain Risks in Fourth and Nth Parties
Join Bob Wilkinson, CEO of Cyber Marathon Solutions and former CISO at Citigroup, as he discusses best practices for gaining deeper risk visibility into your organization's vendor and supply chain ecosystem.
Because you don't directly interact with fourth parties, having a sound strategy for identifying them during the procurement and due diligence process is vital. If you're going through a competitive bidding procedure with prospective third parties, then your request for proposal (RFP) should include a question concerning fourth parties. Of course, once you've narrowed it down to a finalist, you'll need to ask additional questions during the vendor onboarding phase. In addition to identifying the fourth parties your vendor will use, you should ask the following questions regarding each fourth party:
Your head may spin a bit as you consider the broader scope of your supply chain, start identifying fourth- and Nth-party vendors, and begin to understand the risk they potentially bring to your business. That's why companies with large vendor ecosystems and deep supply chains will usually implement a centralized vendor risk management platform to deliver more visibility and control over their vendor populations.
A vendor risk management platform can serve as a central repository for all of your third-, fourth- and Nth-party data. While these platforms are also commonly referred to as third-party risk management (TPRM) solutions, many offer robust capabilities for managing and reducing fourth- and Nth party risk as well. The process still starts with bringing your third parties under management, and then leveraging the solution to extend your visibility to the fourth, fifth and Nth levels. To start, you can leverage sources of vendor intelligence to build a comprehensive supplier profile that includes industry and business insights, ownership and identifies 4th-party relationships.
During third-party onboarding, and periodically thereafter, you can leverage a vendor (or third-party) risk management solution to automate questionnaire-based risk assessments designed to gather information about each third party's vendor relationships. Prevalent's solution also includes relationship mapping capabilities that enable you to identify connections between your organization and third, fourth and Nth parties to discover dependencies and risks in your extended vendor ecosystem.
Once you gain visibility into fourth and Nth-parties that impact your business, you can then use continuous vendor monitoring to keep tabs on critical vendors. Continuous monitoring of private and public sources of vendor threat intelligence can provide early warning of cyber, business and financial events and exposures that could ultimately affect your operations. All assessment and monitoring content should be correlated and mapped to the vendor profiles in your VRM solution.
You can bring additional scale to your third-, fourth- and Nth-party risk management by tapping into vendor intelligence networks containing completed assessments, monitoring data and standardized risk scores on thousands of vendors. Organizations with limited internal resources should also consider leveraging managed vendor risk assessment services to scale their vendor data collection, analysis and remediation initiatives.
Finally, since effective vendor risk management relies on collaboration between, IT security, procurement, risk management, legal, and other stakeholders, be sure that your VRM platform provides role-based access, workflow management, and task management capabilities.
Vendor Profiling and Tiering Template
This free template includes standard criteria for determining vendor criticality to your business, a simple risk-based Red/Amber/Green rating system, and questions for quickly categorizing each of your vendors.
A successful fourth-party risk management program is not a one-and-done project; it is an integral aspect of your vendor management strategy. Fourth-party risk should be identified as a risk category to manage in your vendor management policy, and fourth-party evaluations and monitoring should be built into your standard operating procedures. Vendor risk management should be a continuous, programmatic process that accounts for risk at all levels of the supply chain.
Regardless of where you are today, Prevalent can help you build a holistic risk management program with unmatched visibility, efficiency, and scale. We’ll work with you to find a mix of managed services, network membership, and/or TPRM platform access that works best for your organization. You’ll gain a fast time to value, be equipped to make intelligence-driven decisions, and measurably reduce vendor-related risk – all with fewer headaches for you and your team.
With recent breaches and supply chain disruptions, understanding downstream risk is more critical than ever. Businesses often disregard fourth-party risk management because they assume their third parties apply the same due diligence to their third parties. Whether you employ an internal team, leverage a vendor risk management platform, or use managed services, the reality is you must evaluate all fourth parties that have an impact on your business.
Find out how Prevalent can help you identify and mitigate fourth- and Nth-party risk in your supply chain. Request a demo today.