To understand the significance of fourth party risk, we’ll need to know what it means. Firstly, what is a fourth party? In this context, it refers to your suppliers’ suppliers - essentially companies in your extended supply chain, but who you might not have a direct relationship with.
Many firms monitor financial, disruption, cyber security and modern slavery risks associated with their immediate suppliers. However, risks associated with fourth party suppliers are often neglected - an expensive mistake to make.
Cyber security is key to fourth party risk management. Fourth party vendors can be manipulated to give backdoor access to customer data or breach an organisation’s network, and in these cases, your supplier may only offer you a nominal level of protection.
Whilst company assessment procedures like audits and security questionnaires are used for third party risks, these rarely extend to fourth parties. Gartner research shows that over 60% of organisations now collaborate with over 1000 individual third party vendors. The number of fourth party vendors will likely be exponentially higher, increasing the vulnerability of your organisation to fourth party risk.
Just one chink in the armour can lead to a malicious actor compromising your data, resulting in severe consequences – think fines, reputational damage, legal issues and damaged customer relationships. Further, if a supplier has to suspend their activities due to a cyber-attack, your organisation risks suffering delivery disruptions. Some examples include;
1. Maersk
International shipping company Maersk was crippled for months after its Ukrainian accounting software supplier was targeted by the Russian NotPetya virus. Loss of over 49,000 laptops, 1,000 applications and almost half its servers resulted in over $250m in estimated lost revenue The company was forced to disconnect its data centres globally and work manually due to infrastructure being down. .
2. US Government
Hackers compromised SolarWinds’ Orion platform in a supply chain attack, accessing and impersonating user accounts. This resulted in over 18,000 customers installing malicious updates, including the US Department for Homeland Security and the US Treasury. Microsoft, Intel, Cisco and Deloitte also fell victims to the hack.
3. British Airways
In 2020 British Airways was fined £20m by the UK’s Information Commissioner’s Office for a GDPR breach relating to security failings. This was in response to a 2018 attack, where compromised user credentials from a 3rd party supplier were used to remotely access BA’s network. The risk posed to BA’s network and private data of over 400,000 customers could have been mitigated, had fourth party risk management and cyber-attack testing taken place.
What’s the best way to keep ahead of fourth party risk? We recommend a five-step plan.
1. Identify fourth party suppliers.
This can be done using Versed AI’s advanced supply chain technology, which automatically maps and regularly updates supply chains, using publicly available data.
2. Analyse the supply chain for concentration risk.
Versed AI’s proprietary concentration risk tools can help identify the most critical companies in your supply chain network for additional investigation.
3. Combine technology
Combine Versed AI’s supply chain data with information from your preferred provider of cyber threat identification technology. It’s important this enables dynamic monitoring of the supply chain for cyber risk, instead of giving a one-off snapshot.
4. Act on any risks identified and mitigate future risks
At the procurement stage: understanding cyber risk can help you decide whether to partner with a business, based on its vendors’ security profiles. Also ask your suppliers to share critical vendors and partners with you – using an assignment clause can also oblige your suppliers to update you on changes. This will increase your knowledge of fourth party suppliers.
For existing suppliers: encourage your suppliers to take a similar approach to understanding and monitoring their supply chain cyber risk. Set up communication channels with the right people at your suppliers to alert them to any cyber security threats facing their supply chain, so they can take early action. Focus on the companies very important to your supply chain (high concentration risk) and create contingency plans in case these companies are affected by cyber-attacks.
5. Continue to monitor and act on your supply chain risk
This is far better than just taking a one-off snapshot. New companies constantly enter the supply chain network and cyber threats evolve, so risk management must be dynamic.
Tracking fourth party risk is becoming standard practice in corporates, particularly for cyber security purposes. The first step in managing fourth party risk is identifying companies in your supply chain. Versed AI can give you the supply chain data required to achieve this.
To see more on how we can help you, simply ‘request a demo’ and we’ll be in touch.