Protecting your company from fourth-party risk

In a world that is becoming ever more interconnected, organizations are learning firsthand that they are vulnerable not only to the adverse events their vendors experience but also to the incidents that happen to those vendors' own vendors.


Recent events such as the SolarWinds breach, Microsoft Exchange server attack and Fastly outage have revealed that conventional third-party risk management (TPRM) programs are not enough to generate the necessary visibility into supply chain risk.

Since fourth parties are generally under no obligation to share information with their clients' customers, organizations are now adapting their TPRM programs to address fourth-party concerns. Fortunately, there are steps companies can take to gain greater visibility into, and protection from, risk that originates further along the supply chain.

Get to know your third parties’ partners

Despite growing awareness of fourth-party risk, clear guidelines and uniform processes for managing fourth parties have not been established, resulting in disjointed, ad-hoc processes. Most of these processes are manual, requiring significant investment in time and labor and opening the door to error and oversight.

To reduce this exposure, companies should take the following steps to limit fourth-party risk:

Identify mission-critical vendors

The first and most important step is to identify the vendors that are mission-critical to the company, and then identify those vendors' own critical suppliers, which are the company's fourth parties. During the vendor risk assessment process, companies should ask each third party for a list of its critical vendors and the sensitive data each of them can access. They should also require third parties to notify them of any changes to those supplier relationships, such as onboarding a new subprocessor, before the change is made.
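The inventory this step produces is a dependency graph: the company's critical direct vendors, and the critical suppliers each of them reported. The example below, added here and not code from the original article, walks that graph from each mission-critical vendor to find the fourth (and, optionally, fifth) parties behind it, flags those that were reported as touching sensitive data or that sit behind more than one critical vendor (a concentration risk the text does not spell out but that this data makes visible), and diffs two reported supplier lists to handle the change notifications the step asks for. All vendor names, tiers and data classifications are constructed sample data.

```python
"""Vendor dependency graph for fourth-party discovery.

Added example, not code from the original article. Vendor names, tiers and
data classifications below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    critical: bool = False                          # mission-critical direct vendor?
    data_access: set = field(default_factory=set)   # sensitive data classes reported for this vendor
    suppliers: list = field(default_factory=list)   # critical suppliers this vendor reported to us


# Constructed inventory. Direct (third-party) vendors are flagged critical or not; the
# remaining entries are what each vendor reported about its own critical suppliers.
INVENTORY = {
    "PayrollCo": Vendor("PayrollCo", critical=True, data_access={"PII", "bank"},
                        suppliers=["CloudHost", "EmailRelay"]),
    "CRMVendor": Vendor("CRMVendor", critical=True, data_access={"PII"},
                        suppliers=["CloudHost", "AnalyticsCo"]),
    "SwagShop": Vendor("SwagShop", critical=False, suppliers=["CloudHost"]),
    "CloudHost": Vendor("CloudHost", data_access={"PII", "bank"}, suppliers=["ColoProvider"]),
    "EmailRelay": Vendor("EmailRelay", data_access={"PII"}),
    "AnalyticsCo": Vendor("AnalyticsCo"),
    "ColoProvider": Vendor("ColoProvider"),
}


def downstream_parties(inventory, max_tier=4):
    """Breadth-first walk from every mission-critical direct vendor to the vendors behind it.

    Tier 3 is a direct vendor, tier 4 its supplier (a fourth party), tier 5 the next link.
    Returns {name: {"tier": shallowest tier seen, "via": critical direct vendors it sits behind}}.
    """
    found = {}
    for name, v in inventory.items():
        if not v.critical:
            continue
        queue = deque((s, 4) for s in v.suppliers)
        seen = set()
        while queue:
            s, tier = queue.popleft()          # BFS, so the first visit is the shallowest tier
            if s in seen or tier > max_tier:
                continue
            seen.add(s)
            entry = found.setdefault(s, {"tier": tier, "via": set()})
            entry["tier"] = min(entry["tier"], tier)
            entry["via"].add(name)
            # A supplier we hold no record for is a visibility gap; treat it as a leaf.
            for nxt in inventory.get(s, Vendor(s)).suppliers:
                queue.append((nxt, tier + 1))
    return found


def review_queue(inventory, max_tier=4):
    """Prioritise parties that touch sensitive data or sit behind several critical vendors."""
    queue = []
    for name, info in downstream_parties(inventory, max_tier).items():
        data = inventory.get(name, Vendor(name)).data_access
        concentrated = len(info["via"]) > 1     # one outage or breach hits several critical vendors
        if data or concentrated:
            queue.append({"vendor": name, "tier": info["tier"], "via": sorted(info["via"]),
                          "data": sorted(data), "concentrated": concentrated})
    # Most data classes first, then widest blast radius, then name for a stable order
    queue.sort(key=lambda q: (-len(q["data"]), -len(q["via"]), q["vendor"]))
    return queue


def supplier_changes(old, new):
    """Diff two supplier lists a third party reported, i.e. the change notification the step requires."""
    return {"added": sorted(set(new) - set(old)), "removed": sorted(set(old) - set(new))}


if __name__ == "__main__":
    for item in review_queue(INVENTORY):
        print(item)
    print(supplier_changes(["CloudHost", "EmailRelay"], ["CloudHost", "MailSaaS"]))
```

With the sample inventory, CloudHost lands at the top of the queue: it was reported as holding both data classes and it sits behind both critical vendors, so a single incident there would hit payroll and CRM at once. AnalyticsCo is reachable but reported with no data access and only one path, so it is not queued. Raising `max_tier` to 5 surfaces ColoProvider as a concentration point behind both critical vendors even though it holds no data directly.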

However, even after vendors provide the requested information, gaps remain in the reporting and accessibility of information at the fourth-party level: third parties may lack the resources to perform due diligence on their own suppliers, or may be unwilling to share what they consider sensitive commercial information.

For that reason, it is important to validate the data using every available source, including obtaining the list of open sources that…