Monitoring and understanding supply chains from 4th to Nth party and determining security protocols
The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Anit Banerjee, Third Party Risk Officer – Legal Risk Management, Meta
In your experience, what are some of the key challenges monitoring supply chains and Nth party risks?
Threat landscapes are changing at a higher pace. The traditional strategies to manage Supply Chain Risks are not enough to monitor and thwart any emerging risks. With more institutions acquiring a significant volume of suppliers at a faster rate, the onboarding and monitoring of critical suppliers must be revisited. For example, the complexity that comes with IoT (Internet of Things) devices and open vulnerabilities that hackers can use to gain unauthorized remote access could trigger widespread operational disruptions. A lot of institutions are not yet ready to address such in-depth analysis.
The primary challenge is not having adequate visibility/awareness into the supply chain, followed by complete unawareness that the institution may potentially have heavy reliance on 4th/Nth parties. The next issue is not having an adequate mechanism to understand the risk tiers/classification of the suppliers. Finally, there is an increased regulatory environment. Moreover, a lot of institutions can’t go past their 3rd parties. So, the monitoring or assessment stops right with the 3rd party.
Institutions should educate staff to look at risk from an enterprise-wide perspective and revamp their existing strategy, and senior management should focus primarily on:
- Having a greater level of visibility into the supply chain
- How many critical suppliers there are
- Who does what, when, where and how
- Who their 3rd parties are (4th parties)
- Defining a risk tolerance level
- Reviewing the security performance of your supply chain suppliers. It is extremely important to understand the security posture of the suppliers.
- Continuous monitoring by leveraging technology, which would be essential for assessing 3rd parties and their partners’ networks
- Creating awareness about your digital supply chain
Why: A disruption can occur due to no fault of the 3rd party, but an incident can arise from the negligence of the “nth” party and directly impact your organization.
Lessons Learned: Focus on your Critical Suppliers first and understand the relational footprint of 3rd, 4th, 5th… nth parties. If management is not aware of this information, they are sitting on a huge risk.
What are some security protocols to implement as a minimum standard?
I am a huge fan of the ISO 27001 controls. At a very high level, the following domains are some of the must-haves from a security control perspective:
- Info-Sec roles and responsibilities
- Segregation of duties
- Governance of information security policy, controls, standards
- Human resources security
- Asset management
- Access control
- Physical and environmental security
- Operations security – change management, malware, data loss
- Communications and network security
- System acquisition and development
- Third party technology risk management
- Security incident management
- Business continuity
How can organizations gain insight into fourth parties and beyond?
It is extremely important to first understand who your Critical third parties (Mission Critical) are. It is also important to understand which third parties provide mission critical services to these third parties. In the event of a security incident (disruption) with the 4th party, your institution will be significantly impacted. Your institution must utilize a 3rd/4th/Nth party risk matrix to visualize the potential risks to your institution. Additionally, you should know how much risk your institution can withstand in the event of an incident likely to impact your operations. You should also have a solid understanding of the potential inherent and residual risks. Identifying and assessing these 4th parties is key during the procurement and due diligence phase. You may also utilize market tools to check the 4th parties of your 3rd parties. The due diligence should address the right areas for ascertaining the 4th parties.
Where do you see the key risks and considerations when monitoring concentration?
A couple of major risk areas that need to be addressed by many institutions are the amount spent with a single third party, heavy reliance on one third party to provide several critical services, and their locations of operation. Institutions must weigh in on an enterprise-wide risk framework approach to ascertain the following thresholds of concentration risk:
- Highest spend, and the approximate institution spend compared to the third party’s revenue or volume of business
- Geography, in terms of the percentage of service providers that are providing service from one region (Example: the Ukraine crisis); this should include 4th parties too
- Heavy dependency on a single source (Example: the Covid pandemic)
- Totality of usage of a single third party across the organization
- Resiliency models for each of these suppliers
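As an added illustration of the footprint mapping and the concentration thresholds described in the two answers above (example code, not part of the interview): a constructed supplier inventory with 3rd, 4th and 5th parties, a cycle-safe traversal that recovers each 3rd party's Nth-party footprint, and the metrics the answer names (spend share, spend versus the third party's revenue, geography share, single-source dependency, totality of usage). All supplier names, regions, spend and revenue figures are constructed.

```python
from collections import deque

# Constructed inventory: critical service -> the 3rd party that delivers it.
SERVICES = {"payments": "PayCo", "payroll": "HRCo", "card-issuing": "PayCo", "claims": "ClaimCo"}
# Constructed edges: a party -> the parties it relies on (its 3rd parties are our 4th parties).
DEPENDS_ON = {
    "PayCo": ["CloudX", "KycVendor"],
    "HRCo": ["CloudX"],
    "ClaimCo": ["PrintHub", "CloudX"],
    "KycVendor": ["CloudX"],   # 5th-party reliance on the same cloud provider
    "PrintHub": ["ClaimCo"],   # constructed cycle; traversal must not loop forever
}
REGION = {"PayCo": "US", "HRCo": "US", "ClaimCo": "EU",
          "CloudX": "EU", "KycVendor": "EU", "PrintHub": "EU"}
ANNUAL_SPEND = {"PayCo": 4_000_000, "HRCo": 500_000, "ClaimCo": 1_500_000}
THIRD_PARTY_REVENUE = {"PayCo": 20_000_000, "HRCo": 2_000_000, "ClaimCo": 50_000_000}


def footprint(supplier):
    """Every 4th..Nth party reachable from a 3rd party (BFS, cycle-safe)."""
    seen, queue = set(), deque(DEPENDS_ON.get(supplier, []))
    while queue:
        party = queue.popleft()
        if party in seen or party == supplier:
            continue
        seen.add(party)
        queue.extend(DEPENDS_ON.get(party, []))
    return seen


def concentration_report():
    """Thresholds from the answer: spend, revenue share, geography, single source, totality of use."""
    total = sum(ANNUAL_SPEND.values())
    spend_share = {s: round(v / total, 2) for s, v in ANNUAL_SPEND.items()}
    revenue_share = {s: round(v / THIRD_PARTY_REVENUE[s], 2) for s, v in ANNUAL_SPEND.items()}
    usage = {}                                   # totality of usage per 3rd party
    for svc, tp in SERVICES.items():
        usage.setdefault(tp, []).append(svc)
    # Single source: a party at any tier that every critical service ultimately depends on.
    chains = {svc: {tp} | footprint(tp) for svc, tp in SERVICES.items()}
    single_source = set.intersection(*chains.values())
    # Geography: share of all parties (3rd and Nth) operating from each region.
    parties = set(SERVICES.values()).union(*(footprint(tp) for tp in SERVICES.values()))
    by_region = {}
    for p in parties:
        by_region[REGION[p]] = by_region.get(REGION[p], 0) + 1
    geo_share = {r: round(n / len(parties), 2) for r, n in by_region.items()}
    return {"spend_share": spend_share, "revenue_share": revenue_share, "usage": usage,
            "single_source": single_source, "geo_share": geo_share}
```

In this constructed data the single-source check surfaces CloudX, a 4th/5th party no direct contract covers, which is exactly the kind of reliance the answer says stops being visible when assessment ends at the 3rd party.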
What do you see as the key upcoming challenge within third party risk management?
- Complex supply chain (global suppliers-footprint)
- Geo-political issues
- Regulatory landscape
- Inadequate due diligence processes
- Zero trust (adoption mechanism)
- Business continuity and operational resilience (Pandemic)
Anit Banerjee will be speaking at our upcoming Third Party Risk Management: Cross Industry, taking place on November 8-9 in Atlanta at the Crown Plaza Atlanta Midtown