How an endpoint security company’s global outage highlighted the need to focus on supply chain risks
An American cybersecurity technology company’s global outage disrupted operations and supply chains considerably. Thousands of flights across the globe were cancelled. Emergency services, card payments, medical and even banking services faced considerable disruption. Employees in affected organisations saw a blue screen on their Windows machines, which then restarted continuously in a boot loop.
What was the issue? Was it a security incident?
Initial investigations indicated that it was not a security incident but a defect: a faulty update pushed through the company’s endpoint security software caused that software, which runs with kernel-level privileges, to crash the Windows hosts it was installed on. Because the update was distributed automatically to customers, the crash spread worldwide within hours.
Was the cybersecurity giant listed as a third party or a critical fourth party across organisations?
Today, most businesses rely on third parties for services like cloud storage, IT support, outsourced administrative functions and many more. Microsoft would typically be listed as a third party by such organisations, but the endpoint security company is not a subcontractor of Microsoft; it is a separate vendor whose software runs on Windows hosts. Organisations that were hit indirectly were affected because their own third parties (airlines, payment processors, hospitals and so on) ran that software, which makes the endpoint security company a fourth party to them. The important question, then, is whether organisations were mapping their fourth parties at all. Furthermore, we believe that organisations that do map fourth parties may still have missed listing the cybersecurity firm, since the typical definition is ‘material subcontractors who deliver services or components to the third party’, whereas the cybersecurity firm was a ‘material contractor providing critical software to a third party’.
Why do we need to identify and monitor fourth parties?
Over the last few months, we have had many conversations with clients on the importance of identifying and continuously monitoring high-risk fourth parties, rather than relying on traditional checklist-based, point-in-time assessments limited to third parties. As this outage highlighted, many third parties outsource work to, or rely on services and software from, their own third parties, and may share critical or sensitive information about our organisation with them. This exposes our organisations to data privacy and cyberattack risks arising from the security posture of every party involved in delivering work or services to us, not just the ones we contract with directly.
Some lessons learnt from this incident have been outlined below:
In today’s rapidly evolving world, knowing and managing your third-party risks is not enough, as the global IT blackout made evident. Tracking the entire supply chain and identifying fourth parties/material subcontractors helps build a resilient third-party risk management (TPRM) process.
While TPRM has traditionally involved identifying and managing risks related to direct material and service providers, identifying and managing the software and technology risks that come with those third parties is equally important. A single vulnerable or misbehaving technology or service can compromise your vital applications and platforms and bring business to a standstill, as one defective update to an agent installed across a fleet of hosts did here.
As supply chains become more complex, identifying the key fourth parties/subcontractors used to deliver work and services indirectly to your organisation becomes critical. Hence, it is important to design a risk-based monitoring process to assess, manage and mitigate fourth-party risks across the supply chain.
Therefore, investing in a robust supply chain framework that covers identification and management of risks across all types of third-party arrangements, mapping of high-risk and material fourth parties, a risk-based framework for monitoring those parties, and management of contractual obligations will be key to limiting the extent of the damage caused by such incidents.