Cybersecurity in the supply chain: strategies for managing fourth-party risks

Set clear data boundaries: The reality is that any organization consuming third-party software-as-a-service offerings and services has extremely limited control over the partners that their third parties are working with, says Curtis Simpson, CISO at Armis.

“This is why it’s critically important to understand the sub-processors involved in the delivery of contracted SaaS offerings and services, the outcomes that those sub-processors are responsible for, and the data required to deliver those outcomes,” he says.

“The first and most important step to begin enforcing security standards for fourth parties is to ensure that third parties have access only to the data required to deliver an offering and that any subset of that data being shared with their partners is equally purposeful and appropriate,” he adds. “Contractually, it’s important to ensure that an appropriate and reasonable level of liability is assigned to third parties in case their partners are breached and such data is lost.”

Extend cybersecurity oversight using standard risk frameworks: Once relationships are mapped, the next challenge is extending security governance beyond immediate vendors. Many organizations are adopting industry standards such as NIST SP 800-161, ISO/IEC 27036, and SOC 2 to apply consistent expectations to all tiers of the supply chain.

“NIST SP 800-161 and the updated NIST Cybersecurity Framework 2.0 treat supply chain risk management as a strategic imperative, offering structured guidance for addressing risks at all levels,” says Christos Tulumba, CISO at Cohesity.

ISO/IEC 27036 specifically focuses on securing supplier relationships, while the Shared Assessments tools, such as the Standardized Information Gathering questionnaire and the Standardized Control Assessment, allow for deeper due diligence into both third and fourth parties, according to Tulumba.

“In terms of practical approaches, leading organizations now require vendors to disclose their critical sub-processors and fourth parties, implement risk-tiered oversight models with continuous monitoring, and mandate adherence to established control frameworks like CIS Controls or ISO 27001 for all material vendors and their subcontractors,” he notes.

Use contracts to hold vendors and their suppliers accountable: Because companies rarely have direct contracts with fourth parties, they must rely on their vendors to enforce legal protections with these fourth parties. The most common mechanism is the flow-down clause, a contractual requirement for third parties to impose equivalent cybersecurity standards on their own vendors. These clauses often address data protection, breach notification, secure development practices and audit rights.

“To enforce security standards downstream, companies typically build in flow-down obligations, contract clauses that require third-party vendors to impose the same, or equivalent, security requirements on all their subcontractors,” says Paul Malie, a partner at Tucker Ellis.

He adds that strong contracts should also include audit rights to inspect fourth-party practices, subcontractor approval clauses, and indemnification provisions that hold vendors liable for breaches caused by their suppliers.

Flow-down clauses, audit rights, and change notification clauses give companies the levers they need to enforce security requirements deeper into the vendor ecosystem, says Tulumba.

Balance the need for visibility with vendor confidentiality: Striking the right balance between transparency and discretion becomes even more complex when dealing with fourth-party relationships. While visibility into these indirect vendors is essential for managing risk, demanding too much disclosure can strain trust and compromise proprietary information. As businesses grow more interconnected, companies rely heavily on third-party vendors that often have their own subcontractors, creating complex layers of downstream dependencies.

“It becomes a delicate balancing act of deciding how much information to share while protecting proprietary information and IP,” says Mandy Andress, CISO at Elastic. “The key lies in understanding the business model, potential outcomes, planning proactively, and implementing risk mitigation strategies to protect against damaging scenarios.”

Achieving complete transparency across a vast and layered supply chain is often unrealistic. Instead, organizations should focus on their most critical dependencies and apply oversight where exposure is highest.

“Many organizations recognize this and adopt a risk-based sampling approach, prioritizing oversight based on criticality and exposure rather than attempting full control,” Tulumba notes. “Ultimately, effective governance hinges more on fostering accountability and trust rather than enforcing granular visibility at every level.”

Reiko Feaver, partner at CM Law, adds that sharing of any confidential information, whether directly or passed down to contractors, agents, or representatives, should be governed by strong confidentiality obligations. She emphasizes that the direct supplier is responsible for protecting its own proprietary information and that of its vendors.

“I can’t see how it’s reasonable for the direct vendor to withhold these relationships from its customers,” Feaver says. “It would be up to the direct vendor to protect that information vis-à-vis its customer. It is common to restrict disclosures of certain types of proprietary information from disclosure to or use by competitors. Of course, the more confidential information is gathered, the more risk of a violation of confidentiality obligations and associated liability.”

Move beyond point-in-time audits: Many companies still depend on annual questionnaires or compliance attestations to assess vendor security, an approach that’s dangerously outdated. Continuous monitoring is essential to reducing risk.

“The majority [of companies] continues to focus primarily on direct third-party vendors, often relying on self-attestations or point-in-time assessments that fail to capture downstream risk,” says Tulumba.

As a result, companies usually find out about fourth parties only after something goes wrong, such as a security breach, a service outage, or a regulatory audit, he says. Learning about issues only after they occur is exactly why constant, active monitoring needs to be in place.

Adding to this view, Jim Routh, chief trust officer at Saviynt, argues that the future of risk management lies in real-time, data-driven scoring, not outdated surveys. “Questionnaires are inadequate,” he says. “We need to apply data science to track risk daily and educate regulators and auditors on why that’s necessary.”

A vulnerability discovered today could be exploited tomorrow. For that reason, relying solely on point-in-time assessments or third-party attestations isn’t enough to manage fourth-party risk, says Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant. When companies lack direct contracts with fourth parties and therefore can’t enforce audits or specific controls, external intelligence becomes essential.

However, putting continuous monitoring into practice becomes even more difficult in complex global supply chains.

“The greatest challenge is gaining timely, accurate insight into the security posture of globally distributed, multilayered suppliers, especially those not under direct contract,” says Fisher. “Lenovo addresses this with a layered approach: we combine geopolitical risk analytics, automated supplier scoring, and industry threat intelligence feeds with hands-on audit activity.”

Make fourth-party risk a shared responsibility: Finally, managing fourth-party risk isn’t just a security problem; it’s an organizational one. The most effective shift in managing fourth-party risk has been internal alignment: working closely with procurement, legal, and engineering to treat fourth-party risk as a shared responsibility, says Swapnil Deshmukh, cybersecurity executive at Certus Cybersecurity Solutions. Deshmukh emphasizes the need for cross-functional coordination to embed security into every layer of the supply chain.

However, that internal groundwork must be matched by external diligence, says Andress.

“It all comes back to building a strong chain of trust,” says Andress. “That involves carefully selecting reputable third parties and ensuring that they are also picking trusted vendors with strong protections.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4009360/cybersecurity-in-the-supply-chain-strategies-for-managing-fourth-party-risks.html
