The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.
Anit Banerjee, Third Party Risk Officer – Legal Risk Management, Meta
In your experience, what are some of the key challenges monitoring supply chains and Nth party risks?
Threat landscapes are changing at a higher pace. The traditional strategies to manage Supply Chain Risks are not enough to monitor and thwart any emerging risks. With more institutions acquiring a significant volume of suppliers at a faster rate, the onboarding and monitoring of critical suppliers must be revisited. For example, the complexity that comes with IoT (Internet of Things) devices and open vulnerabilities that hackers can use to gain unauthorized remote access could trigger widespread operational disruptions. A lot of institutions are not ready yet to address such in-depth analysis.
The primary challenge is not having adequate visibility/awareness into the supply chain, followed by complete unawareness that the institution may potentially have heavy reliance on 4th/Nth parties. The next issue is not having an adequate mechanism to understand the risk tiers/classification of the suppliers. Finally, there is an increased regulatory environment. Moreover, a lot of institutions can’t go past their 3rd parties. So, the monitoring or assessment stops right with the 3rd party.
Institutions should educate staff to look at risk from an enterprise-wide perspective, revamp their existing strategy and senior management should focus primarily on:
Why: A disruption can occur due to no fault of the 3rd party, but an incident can rise from the negligence of the “nth” party and directly impact your organization.
Lessons Learned: Focus on your Critical Suppliers first and understand the relational footprint of 3rd, 4th, 5th… nth parties. If management is not aware of this information, they are sitting on a huge risk.
What are some security protocols to implement as a minimum standard?
I am a huge fan of the ISO 27001 controls. At a very high level, the following domains are some of the must-haves from a security control perspective:
How can organizations gain insight into fourth parties and beyond?
It is extremely important to first understand who your Critical third parties (Mission Critical) are. It is also important to understand which third parties provide mission critical services to these third parties. In the event of a security incident (disruption) with the 4th party, your institution will face a significant impact. Your institution must utilize a 3rd/4th/Nth party risk matrix to visualize the potential risks to your institution. Additionally, you should know how much risk your institution can withstand in the event of an incident likely to impact your operations. You should also have a solid understanding of the potential inherent and residual risks. Identifying and assessing these 4th parties is key during the procurement and due diligence phase. You may also utilize market tools to check the 4th parties of your 3rd parties. The due diligence should address the right areas for ascertaining the 4th parties.
Where do you see the key risks and considerations when monitoring concentration?
A couple of major risk areas that need to be addressed by many institutions are the amount spent with a single third party, or heavy reliance on one third party to provide several critical services, and their locations of operation. Institutions must weigh in on an enterprise-wide risk framework approach to ascertain the following thresholds of concentration risk:
What do you see as the key upcoming challenge within third party risk management?
Anit Banerjee will be speaking at our upcoming Third Party Risk Management: Cross Industry, taking place on November 8-9 in Atlanta at the Crown Plaza Atlanta Midtown.