Towards N-th Party Risk Management

The responsibilities of vendors, suppliers, and service providers have grown increasingly important in the dynamic digital economy. The growing digitalisation and reliance on third-party entities significantly enhances business operations while concurrently introducing a spectrum of security risks. 

Recognising these challenges, regulatory supervisors have been actively creating frameworks over the years to make sure that financial entities in particular appropriately handle and mitigate the risks of security incidents that could directly affect their operations.

The adoption of specific guidelines by the European Banking Authority (EBA) in marked a substantial acceleration of the shift towards a more security-conscious approach when interacting with third parties. These guidelines were a significant advancement in highlighting the important security aspects to take into account while working with third parties. 

However, with the recent final Regulatory Standards published, the Digital Operational Resilience Act (DORA) is further evolving the requirements and expectations in light of multiple high-profile breaches involving third parties and the supply chain. The entry into force of this European Regulation, which takes effect in January 2025, marks the beginning of a new era in third party security management. 

It signals a time when strict compliance and proactive risk management are more important than ever in third-party contacts, and it also emphasises the significance of operational resilience and indicates a heightened response to the changing threat landscape.

While researching the state of the Art in "Third Party" risk management I came across an Report recently published by Wade Baker, Ph.D. and the Cyentia Institute titled “Risk to the Nth-Party Degree: Parsing the Tangled Web".

In true Cyentia Institute fashion the report is a data driven and provides plenty of opportunity for the data science geeks amongst us to rejoice - for the others it's one of the first publicly available reports providing us with data analysis on the matter with.

The Report highlights a crucial aspect that is often overlooked in risk management: vendor risk extends beyond direct third parties.

What really is "third party" risk ?

Traditional Cybersecurity risk management approaches often focus on direct, third-party relationships. However, today more than ever businesses, especially digital businesses, are enmeshed in a far more complex network of organizations. 

This “nth-party” risk extends far beyond direct vendors, is frequently invisible, yet harbors potential for significant and widespread consequences. The report underscores that attacks on any segment of this intricate network can trigger a domino effect, impacting multiple organizations simultaneously.

Source: Cyentia Insitute - Risk to the Nth-Party Degree

Introduction to "Nth-Party Risk"

Nth-party risk refers to the hidden dangers that arise from an organization's indirect relationships — those beyond direct third-party partners. Third parties rely on their own network of partners. This cascade of relationships forms a complex web of dependencies, where risks at any level can propagate and potentially impact the entire network.

The Ripple Effect of Nth-Party Relationships 

The concept of nth-party risk can be likened to a ripple effect in a pond. When a stone is thrown (representing a risk event), the ripples (impact) spread out far beyond the initial point of impact. Similarly, an incident involving a fourth-party (or higher) can have unforeseen consequences for the primary organization, despite there being no direct contractual relationship. This interconnectedness means that risks can amplify as they cascade through the network, making nth-party risk management a critical aspect of modern business strategy.

Key findings 

Here is a list of the key findings from the report and my thoughts: 

Direct Third Parties only make about 5% of the Cybersecurity Vendor risk

1. This contradicts the common perception and traditional risk management focus. This finding highlights a critical underestimation of the risks posed by nth-party networks. Businesses may not realize the extent to which their risk exposure is magnified by the web of suppliers.
2. It underscores the complexity and depth of modern supply chains.
3. The finding suggests that most of the vendor risk lies outside of an organization’s immediate visibility and control. This poses a significant challenge for risk management strategies-

87% of organizations’ vendor relationships extend to the 8th party

This surprised me as well : 

1. Reach - This statistic highlights the unexpectedly vast reach of modern supply chains. The fact that a majority of organizations have a chain of relationships extending to the 8th level underscores just how deep and complex vendor networks have become
2. Hidden interdependency - This interdependency is often hidden in the layers of the supply chain, making it even more challenging to identify and manage potential risks.

A breach at the 4th-party level tends to affect every 3rd party in an organization’s network – as many as 10 times over 3 years

I wondered about this one :

1. Frequency - It suggests that the repercussions of a single security incident can recur multiple times, affecting various entities within the network. The frequency shows how vulnerabilities can persist and be exploited repeatedly if not properly addressed
2. Interconnectedness - This seems to indicates that on average we have a high level of interconnectedness and dependency among third and fourth parties that many organizations might not be aware of or have not fully considered in their risk assessments.
3. Challenges status quo - This finding challenges the common perception that indirect, or nth-party risks, are less likely to have a significant impact.

More than 80% of organizations have recurrent 3rd-party connections

1. Common Pool - I find this striking, this means that on average the business ecosystem is more interconnected than previously assumed, with many companies relying on a common pool of third-party vendors and suppliers.
2. Implications for Business Continuity Planning - This has significant implications for incident response and business continuity planning. Organizations need to consider the cascading effects of an incident in one part of their vendor network and how it could impact other parts.
3. Increased Shared Risk - If a commonly used third-party vendor experiences a security breach or operational failure, it could simultaneously affect a large number of organizations, leading to widespread disruptions.A risk affecting a single vendor can quickly become a systemic issue, affecting multiple organizations within this interconnected network.

Source: Cyentia Insitute - Risk to the Nth-Party Degree

What can we learn ?

Below are my takeaways from the report 

1. High-Impact Vendor Identification

• The usefulness of contractual clauses requiring sub-outsourcing to require the same level of security controls seems more useful in term is risk transfer than I imagined.
• Prioritize the identification and thorough risk assessment of high-impact vendors, those whose compromise could gravely impact your operations or data security. 
• Extend risk assessments, potentially using specialised third party assessment SaaS tools, to encompass the fourth and fifth-party networks of these vendors. This comprehensive approach ensures a more accurate understanding of the potential risks and vulnerabilities within the extended supply chain.

2. Mapping Critical Intersections

• Contractual clauses to be informed regularly of sub-outsourcing activities of your third-parties seem more useful than I imagined.
• Diligently map out the critical intersections within your supply chain, focusing on points where a single vendor is interconnected with multiple partners. Recognize these nodes as potential risk propagation hotspots. Understanding these intersections aids in developing targeted strategies for risk mitigation and incident response.

3. Look into Automated Risk Monitoring

• Leverage technology to implement automated, continuous monitoring systems for vendor risk management.This dynamic approach is crucial for maintaining real-time visibility and responsiveness, especially as the supply chain network evolves and expands with new vendor. 

4. Enhance Due Diligence

• Incorporate enhanced due diligence processes that delve into the security practices and histories of nth-party vendors. Ensure that contractual agreements with primary vendors include clauses mandating security standards and practices, extending these requirements to their nth-party networks.

5. Material Changes

• In your contracts with third-party vendors, include clauses that obligate them to notify you of any material changes in their subcontractors.
• Define 'material changes' clearly – this could include changes in ownership, data processing locations, security policies, or compliance status.
• Upon receiving a notification, assess the potential impact of the change on your operations and risk profile.This might involve reviewing the new subcontractor's security measures, compliance certifications, or financial stability.

5. Proactive Incident Response Planning

• Develop proactive incident response plans that account for potential disruptions and breaches within nth-party networks.
• Regularly test and update these plans to ensure effectiveness in the face of evolving threats and complex supply chain structures.

Sources and References

• “Risk to the Nth-Party Degree: Parsing the Tangled Web" by Cyentia Institute