Monitoring and understanding supply chains from 4th to Nth party and determining security protocols

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Anit Banerjee, Third Party Risk Officer – Legal Risk Management, Meta

In your experience, what are some of the key challenges monitoring supply chains and Nth party risks?

Threat landscapes are changing at a higher pace. The traditional strategies to manage Supply Chain Risks are not enough to monitor and thwart any emerging risks. With more institutions acquiring significant volume of suppliers at a faster rate, the onboarding and monitoring of critical suppliers must be revisited. For example, the complexity that comes with IoT (Internet of things) devices and open vulnerabilities that hackers can use to gain unauthorized remote access could trigger widespread operational disruptions. A lot of institutions are not ready yet to address such in-depth analysis.

The primary challenge is not having adequate visibility/awareness into the supply chain, followed by complete unawareness that the institution may potentially have heavy reliance on 4^th/Nth parties. The next issue is not having an adequate mechanism to understand the risk tiers/classification of the suppliers. Finally, an increased regulatory environment. Moreover, a lot of institutions can’t go past their 3^rd parties. So, the monitoring or assessment stops right with the 3^rd party.

Institutions should educate staff to look at risk from an enterprise-wide perspective, revamp their existing strategy and senior management should focus primarily on:

1. Having a greater level visibility into the supply chain
   1. How many critical suppliers
   2. Who does what, when, where and how
   3. Who are their 3^rd parties (4^th Party)
   4. Defining a risk tolerance level
2. Review security performance of your supply chain suppliers. It is extremely important to understand the security posture of the suppliers.
3. Continuous monitoring by leveraging technology would be essential for assessing 3^rd parties and their partner’s networks
4. Create Awareness about your digital supply chain

Why: A disruption can occur due to no fault of the 3^rd party, but an incident can rise from the negligence of the “nth” party and directly impact your organization.

Lessons Learned: Focus on your Critical Suppliers first and understand the relational footprint of 3^rd, 4^th , 5^th…nth parties. If management is not aware of this information, they are sitting on huge risk.

What are some security protocols to implement as a minimum standard?

I am huge fan of the ISO 27001 controls. At a very high level, the following domains are some of the must haves from a security control perspective:

1. Info-Sec roles and responsibilities
2. Segregation of duties
3. Governance of information security policy, controls, standards
4. Human resources security
5. Asset management
6. Access control
7. Cryptography
8. Physical and environmental security
9. Operations security – change management, malware, data Loss
10. Communications and network security
11. System acquisition and development
12. Third party technology risk management
13. Security incident management
14. Business continuity
15. Compliance

How can organizations gain insight into fourth parties and beyond?

It is extremely important to first understand who are your Critical third parties (Mission Critical). It is also important to understand with third parties provide mission critical services to these third parties. In the event of a security incident (disruption) with the 4^th party, your institution will have a significant impact. Your institution must utilize a matrix of your 3^rd party/4^th/Nth party risk matrix to visualize the potential risks to your institution. Additionally, you should know how much risk your institution can withstand in the event of an incident, likely to impact your operations. You should also have a solid understanding of the potential inherent and residual risks. Identifying and assessing these 4^th parties is key during the procurement and due diligence phase. You may also utilize market tools to check 4^th parties of your 3^rd parties. The due diligence should address the right areas for ascertaining the 4^th parties.

Where do you see the key risks and considerations when monitoring concentration?

A couple of major risk areas that needs to be addressed by many institutions are the amount spent with a single third party or heavy reliance on one third party to provide several critical services and their locations of operation. Institutions must weigh in on an enterprise-wide risk framework approach to ascertain the following thresholds of concentration risk:

1. Highest Spend & the approximate institution spend compared to third party’s revenue or volume of business
2. Geography, in terms of the percentage of service providers that are providing service from one region (Example: The Ukraine Crisis) this should include 4^th parties too
3. Heavy Dependency on single source (Example: Covid – Pandemic)
4. Totality of usage of a single third party across the organization
5. Resiliency models for each of these suppliers

What do you see as the key upcoming challenge within third party risk management?

1. Complex supply chain (global suppliers-footprint)
2. Geo-political issues
3. Regulatory landscape
4. Inadequate due diligence processes
5. Zero trust (adoption mechanism)
6. Business continuity and operational resilience (Pandemic)

Anit Banerjee, will be speaking at our upcoming Third Party Risk Management: Cross Industry, taking place on November 8-9 in Atlanta at the Crown Plaza Atlanta Midtown