Supply chain attacks have become a regular occurrence and continue to increase. Cybersecurity incidents like SolarWinds, Microsoft Exchange, and Kaseya demonstrated the risks associated with third-party software, vendors, and suppliers.
To improve the security of our nation and economy, the Federal government released a Cybersecurity Executive Order (May 2021). Likewise, organizations are elevating efforts to control third-party risk. However, to strengthen the safety and security of an organization’s holistic supply chain, fourth-party risk must also be considered and addressed.
What is Fourth-Party Risk?
Let’s begin defining fourth-party risk by arriving at a common understanding of third-party cybersecurity risk: the risk associated with an organization’s trusted and direct relationships with its partners, vendors, and suppliers. Typically, these third parties maintain some level of access to the organization’s systems (directly or via the vendor’s software), and therefore the exploitation of these relationships increases the possibility of supply chain attacks.
An organization’s vendors maintain relationships with other vendors and partners, which become fourth parties to the organization. The cybersecurity effectiveness of these fourth parties ultimately impacts the primary organization’s security because an attacker can exploit a chain of trusted relationships to gain access to the primary organization.
For example, Managed Service Providers (MSPs) are targeted by cybercriminals because compromising an MSP provides a high level of access to the MSP’s customers’ networks. If an organization’s partner or vendor uses an MSP, the organization may be vulnerable to an attacker who compromises that MSP and pivots through the partner’s network to reach the primary organization.
Fourth-Party Risk and Regulatory Compliance
Various regulatory measures require organizations to address fourth-party risks. Further regulations (some of which are still under legislative review) are designed to secure the entire supply chain of an industry. Some examples include:
- Cybersecurity Maturity Model Certification (CMMC): The CMMC was designed by the US Department of Defense (DoD) to improve the security of controlled unclassified information (CUI) within the Defense Industrial Base (DIB). Defense contracts requiring CMMC compliance mandate that all prime contractors and subcontractors working on the contract are CMMC compliant.
- North American Electric Reliability Corporation (NERC) CIP-013-1: This standard, “Cyber Security – Supply Chain Risk Management,” is enforced to address the vulnerabilities and threat vectors that external third parties introduce to the Bulk Electric System (BES). Electric grid companies are given 18 months from the standard’s effective date (October 1, 2020) to demonstrate compliance, including increased monitoring and oversight of their supply chains. Failure to do so can result in fines of up to $1M per day, per outstanding violation.
- Digital Operational Resilience Act (DORA): DORA is draft legislation progressing through the EU legislative process and is expected to be enacted in 2022. DORA is designed to improve the resiliency of the EU financial sector and applies to all financial institutions and to any organization providing direct or indirect services to financial institutions.
Each organization has a responsibility to protect sensitive data at all points within its supply chain, including fourth parties and beyond. This effort encompasses implementing plans to ensure all parties maintain appropriate levels of data security and protection and, furthermore, monitoring that protection along the supply chain to identify potential vulnerabilities.
The continued growth in third-party services, regulations, and cyberattack threats elevates the need for organizations to develop a holistic approach to vendor risk management. Aligning supply chain resilience with operational resilience helps organizations maintain market confidence, satisfy regulators, and continue to work with the business partners best placed to meet the organization’s objectives.
How MorganFranklin Can Help
Managing third-party and fourth-party risks can be complex. Most companies have many trusted direct partners and even more fourth-party vendors. Because of cyberspace and online operational environments, supply chains are longer and more interconnected than ever before, and an organization must now consider the impact of its vendors’ suppliers and partners. Attempting to secure the entire supply chain at once can be overwhelming and infeasible.
MorganFranklin analysts help map and prioritize your third-party and fourth-party risk relationships and develop a strategy for managing risks and improving the security of your organization’s supply chain.
Additionally, MorganFranklin’s supply chain practice can help with every stage of the supply chain management process, from identifying “critical” vendors that need security vetting to putting tools and processes in place to manage an organization’s supply chain risk more efficiently in the future. While a number of third-party risk management tools are available, they are of limited value without the expertise required to configure them correctly, interpret the results, and develop action plans based on the available data. For more information, read our blog post on “The Impact of Supply Chain Risks on Corporate Cybersecurity.”