Mind the (risk intelligence) gap!
Article by Sean O'Brien, director at DVV Solutions
If GDPR hasn’t raised the stakes and drawn attention to the risks in the data supply chain then maybe nothing will.
The mix of media attention, ICO updates and messaging produced by GRC solution providers over the last months and years should have done a pretty good job of raising awareness of the issues surrounding Third Party cyber risk (where there is a direct, contractual link with your outsourced data processors). And that's without mentioning the ever-increasing examples of lax security controls in place at many of the largest and most commonly used IT firms that can leave the back door open to an organisation's network. See Cisco's hardcoded data centre admin password flaw, Twitter's potential user password exposure and Ticketmaster's third party data breach as prime examples.
But what if we look beyond the direct relationships your organisation has on a day-to-day basis? Think for a moment about the eco-systems and downstream supply chains that your IT service providers and data processors (and possibly unwittingly YOU) rely on to help deliver their services. These could be Fourth, Fifth or even Sixth-party suppliers – usually referred to as "nth Parties" but for simplicity let’s refer to them as "Fourth Parties".
How securely and safely do they manage and support your commercial operations and process sensitive Personally Identifiable Information (PII) data?
You’re only as strong as your weakest link!
What if most of your key suppliers all rely themselves on one common Fourth Party supplier for a critical service? And what happens if that common supplier is attacked or breached? What’s the domino effect on your business? Here are a few ideas on the potential risks and impacts of Outsourcing and Fourth Party Risks.
It’s still early days but Shared Assessments has shed some light on the increasing awareness and development of proactive thinking around Fourth Party risk:
“Responses to the very real threat that down chain parties can pose through access to crown jewels, such as intellectual property (IP) and PII, are beginning to show in the Fourth Party management arena. Twice as many outsourcing organisations (75%) now rely on controls of their third party to monitor Fourth Parties than two years ago; and 73% report they use contractual terms to achieve this process. Such efforts mandate all stakeholders within the supply chain become effective in establishing a rigorous third party environment with well defined: Roles and responsibilities, Reporting accountability and Well-documented processes and procedures.”
However, it’s not enough to simply amend and update contractual terms to extend cover of Fourth Party supplier liability. Remediation planning, finger pointing and litigation only serve to clean up the mess once systems have been breached, data has been lost or stolen, reputations are tarnished and costs have, most definitely, been incurred.
A more holistic approach to Fourth Party cyber risk needs to be taken. One that includes not only those suppliers you have direct contact with and control over but also the extended network and ecosystem of Fourth Party subcontractors, suppliers and agents. But where to start?
Five steps to managing Fourth Party cybersecurity risk
1. Think big strategy, but start small and simple
Ultimately, long term thinking should focus on finding and developing a suite of Third Party suppliers that are not only willing to engage in mutually-aligned Third Party risk management (TPRM) strategies but also share common processes and platforms.
Whilst it is unlikely that you’ll start there, or perhaps ever fully get there, going forward you can immediately consider adapting your new supplier search criteria and existing supplier evaluation. This should include an assessment and understanding of their Third Party risk management and processes, with a focus on alignment and shared interest between you and your Third Parties on Fourth Party risk.
2. Let industry regulations and standards guide you
With Fourth Party risk assessment being a relatively new concept in GRC circles, industry regulators and guidelines should be a first port of call. These will likely refer to undefined “best”, “standard” or “appropriate” practices and measures, with very few prescribed behaviours and actions.
However, when the auditors call they will certainly want you to be able to identify how you have developed processes and procedures that can clearly relate to any regulations and liabilities, and the associated risks they seek to address.
A well-defined and documented program of remote and onsite risk assessments utilising industry-recognised methodologies, such as Shared Assessments’ Standardised Information Gathering (SIG and SIG Lite) questionnaire sets and Standardised Control Assessments (SCA), is therefore a great place to start from.
3. Collaborate with your Third Party suppliers
The good news is that your Third Party suppliers have a mutual interest and skin in the game when it comes to managing the risk their suppliers pose. That doesn’t necessarily mean they’ll happily open up their entire internal operations to you, but you should find at least some level of shared interest and appreciation of the need for robust Third Party Risk Management. If not, then this certainly should raise red flags in the relationship.
Since you don’t have a direct contract with Fourth Party suppliers, getting access to information about systems, security policies and controls can be difficult. None of us would share this sort of information with a party not bound by confidentiality agreements, etc. and without a solid, legitimate “need to know”. This is why collaboration is critical and a shared strategy and approach will yield much more effective and accurate results.
Assuming you’ve found allies in your supply chain you’ll want to find out exactly who does what with your data and what gaps in either assessing or managing risk need addressing. Some starting points for understanding the current state of their TPRM and inherent risks in their supply chain should include requests for:
- A copy of their own supplier risk management policy;
- A full list of all suppliers they classify as critical and/or high risk; and
- Copies of their most recent annual review of each of these suppliers.
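As an added illustration (not from the original article or DVV Solutions), the following Python script models the concentration question raised earlier, "what if most of your key suppliers rely on one common Fourth Party?", using the critical-supplier lists you collect from each Third Party in this step: it inverts those lists to find Fourth Parties that several of your Third Parties share and estimates the share of your supply chain a breach at each would touch. All supplier names are constructed sample data.

```python
# Added example, not part of the original article. Fourth Party concentration
# analysis over the supplier lists requested from each Third Party.
from collections import defaultdict

# Constructed sample data: each Third Party maps to the critical/high-risk
# suppliers (Fourth Parties) disclosed in its most recent supplier review.
THIRD_PARTY_SUPPLIERS = {
    "PayrollCo":  ["CloudHostA", "IdentityProviderX", "BackupVaultZ"],
    "CRM Vendor": ["CloudHostA", "EmailRelayY"],
    "Analytics":  ["CloudHostA", "BackupVaultZ"],
    "Ticketing":  ["CloudHostB", "EmailRelayY"],
}


def fourth_party_dependents(third_parties):
    """Invert the map: Fourth Party -> set of Third Parties that rely on it."""
    dependents = defaultdict(set)
    for third_party, suppliers in third_parties.items():
        for supplier in suppliers:
            dependents[supplier].add(third_party)
    return dict(dependents)


def concentration_risks(third_parties, threshold=2):
    """Fourth Parties shared by at least `threshold` Third Parties, ordered by
    how many of your Third Parties would be hit if that supplier were breached."""
    dependents = fourth_party_dependents(third_parties)
    shared = [(fp, sorted(tps)) for fp, tps in dependents.items()
              if len(tps) >= threshold]
    return sorted(shared, key=lambda item: (-len(item[1]), item[0]))


def blast_radius(third_parties, fourth_party):
    """Fraction (0.0 to 1.0) of your Third Parties depending on one Fourth Party."""
    affected = fourth_party_dependents(third_parties).get(fourth_party, set())
    return len(affected) / len(third_parties) if third_parties else 0.0


if __name__ == "__main__":
    # Surface the shared Fourth Parties that create a domino effect.
    for fp, tps in concentration_risks(THIRD_PARTY_SUPPLIERS):
        print(f"{fp}: relied on by {len(tps)} Third Parties ({', '.join(tps)}); "
              f"blast radius {blast_radius(THIRD_PARTY_SUPPLIERS, fp):.0%}")
```

The same inversion works on real review data once each Third Party's list is normalised to a common supplier name, which is itself a useful data-quality check on what they disclose.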
4. Get a continuous view of potential risks
Risk never sleeps, so you also need a continuous view of the risk landscape, which is where “Continuous Threat Monitoring” services come into play.
Using a qualified and validated stream of information, critically without the need for a contractual right-to-audit, threat intelligence services such as Supplier Threat Monitor can provide you with deep technical monitoring plus the strategic business context of suppliers’ risk, wherever they fit into your supply chain.
Why look at the business context as well as cyber events? Understanding the business context (operational, financial, legal and brand risk events) ensures that you are looking beyond tactical network health and gaining the strategic business view that drives suppliers’ cyber security risk.
Has the supplier suffered a data breach? Legal action? Fraud investigation? A hijacking of its brand for a phishing attack? Inexplicable credit risk score trend decline? Has a key IT resource reduced its R&D spend? Has a critical platform provider divested business units? Are there alternative providers with better risk scores? These and many more potential risk events are surfaced and scored to enable you to make informed decisions about your supply chain.
5. Don’t forget GDPR!
Looking at the implications of Fourth Party Risk in relation to GDPR, Article 28(1)-(3): Processor Obligations provides a focus on the need to ensure sufficient guarantees that a third party processor has implemented appropriate technical and organisational measures.
Processor obligations extend to subcontractors or sub-service organisations they may outsource data processing activities to. Such extension of liability should be defined in your supplier contracts, including notifications and authorisations for subcontracting, and extend to the Fourth Parties and beyond based on the type of processing performed. This can be quite a simple process when engaging new suppliers, but what about existing Third Parties and partners?
To help ensure GDPR compliance throughout your data supply chain DVV Solutions has introduced GDPR Third Party Risk Assessments that interrogate each data processor’s policies, processes and practices. The result is a thorough evaluation of their GDPR-readiness and any potential gaps in compliance that you may need to address.
Close your risk intelligence gap
You should aim to treat Fourth Party risk like any other, applying the same level of rigour as your current Third Party risk assessment process. As ever, gathering assessments and risk profiles isn’t as easy as it sounds, but this is where a shared approach with a willing partner will ensure greater levels of success.
Many suppliers may not have a full picture of their subcontractor landscape themselves, or a clear grasp of who has access to different parts of your data and exactly what they do with it. Again, this should be a warning sign, but it is to be expected as many organisations are still building their GDPR compliance and Third Party risk management programs.
GDPR is certainly a game changer in terms of the financial penalties that can be handed out, but the operational cost and reputational damage that a breach can have on your organisation is potentially just as severe.
It’s better late than never, and there’s never a bad time to start thinking seriously about the security posture of your downstream suppliers and making efforts to understand and mitigate the risks to you and your customers.