Managing 4th Party Risk with Vendor Insurance Verification
December 9, 2021
Evident spends plenty of time warning people about third-party risk. Our research has shown that, for the average enterprise, 75% of third parties fail to meet contractual insurance requirements. If you’re not managing third-party risk well, you’re risking tremendous liability.
But risk can go beyond third parties. Fourth-party risks are the unseen risks introduced by your third-party partners. As an organization’s vendors maintain relationships with other vendors and partners, they become fourth parties to the organization.
Risk can extend even further, which is why the outward spread of risk is sometimes called “Nth Party Risk.” Each dependency in a critical supply chain often introduces dependencies of its own, and even small service providers can cause major disruptions. In 2016, for example, the DNS provider Dyn famously suffered a distributed denial of service (DDoS) attack that forced numerous customers offline for the duration of the attack, including Amazon, PayPal, Netflix, BBC, Walgreens, Verizon, Twitter, Airbnb, and the New York Times. If your company had used Dyn’s DNS services, you could have been impacted by the outage.
The Dyn event was five years ago, but that hardly means that today’s risk is under control. Here’s a stat on IT and cybersecurity alone: A company named Cyberpion recently scanned the external-facing networks of Fortune 500 companies (cloud systems, for example) and found an average of 296 vulnerabilities per company. Many of the vulnerabilities were critical. The most at-risk F500 company had a staggering 7,500 vulnerabilities.
So, what’s a diligent risk manager to do?
Be Sure Your Vendor Vetting Program is Up to Par
Managing fourth-party risk depends on having the right third-party vetting processes in place at your own company. Set a foundation for responsible risk management by building a strong and thorough third-party risk management (TPRM) program, including ongoing monitoring of third parties’ insurance and professional credential status.
It’s a good idea to ask prospective third parties you’re interested in hiring who their own trusted partners are (i.e., your fourth parties) as part of your vetting, sign-up, and contracting process. Depending on the situation, you might consider asking for more. You might, for instance:
- Begin by asking third parties to describe and document their own third-party management system.
- Include a contract clause that requires third parties to disclose the most important fourth parties involved in delivering your contract, especially if those fourth parties will store or process sensitive information or have direct contact with customers.
- Obtain a specific list of the services your third party plans to have subcontractors (fourth parties) perform under your contract.
- Include a clause that requires your third party to notify you if they materially change these fourth-party relationships.
- Consider including language that compels your third-party vendors to oversee fourth parties and provide records of it.
It’s important to feel comfortable with any new third parties you sign on, and a thorough due diligence process in advance will help.
Consider Limited Direct 4th Party Oversight
You have so many fourth-party relationships that you could never assess them all directly. That’s why you predominantly rely on the third party’s own oversight and risk management system to do a good job.
But while you’re evaluating a third party, your assessment should still include a short list of high-risk, mission-critical fourth parties. These critical fourth-party relationships should come to light as part of your own third-party vetting. The fourth parties to be concerned about are generally the ones that come in contact with sensitive company data or have direct contact with customers.
In cases where fourth parties will be doing an unusually large amount of work for the third party you’re thinking of hiring, it may even make sense to construct a contract that allows you to examine fourth-party subcontractor work directly.
Thorough Planning Builds Confidence
Even with all these processes in place, it’s still important to have a strong contingency and Business Continuity Plan in case an unexpected incident does occur. Understand your concentrated risk: for example, what happens if a key subcontractor goes down, and which of your third parties would be impacted?
As businesses expand to serve national and international markets, and as supply chains become more interconnected, complex, and specialized, it’s increasingly common for your third-party vendors to rely on their own set of subcontractors. These fourth parties might add value to your vendor relationships, but they also add risk. By recognizing that early on, planning for it, and taking steps to mitigate it, companies can avoid the tremendous liabilities that befall the less prepared.