Unless expressly prohibited by a contract, a supplier may transfer its rights and obligations to another supplier. Your contracts should include an assignment clause that requires notice and consent before a supplier outsources, so that you can control the risk of a fourth party. Most companies already have a robust third-party risk assessment process in place: whether through audits or security assessments, when a company shares consumer data with another organization, that organization is properly reviewed. But what about the vendor organization (also known as a third-party provider) that in turn works with third parties of its own? This new threat, called fourth-party risk, can reach a company's data through its relationships with third parties. Fourth-party threats can come from anyone from financial advisors to business planners working with your third-party providers. Let's take a quick look at first, second, third, fourth and fifth parties to understand who they are and what potential risks they pose. The FFIEC's Supervision of Technology Service Providers brochure emphasizes that when third-party service providers are used, it is “the responsibility of the board of directors and management to ensure that activities are conducted in a safe and sound manner and in accordance with applicable laws and regulations, as if the institutions were carrying out the activities internally.” The most important thing to understand is that your company's security is only as strong as the weakest security practices of your third parties. First, start with your own critical suppliers.
Let them know that you are working on the next step in your vendor management program and that fourth-party vendors are your priority. So how do you meet regulators' expectations without the same information you use to evaluate your third-party providers? There are certainly challenges in trying to manage fourth-party providers. Because you have no direct contractual relationship with them, it is often difficult to obtain the due diligence documents you need. It is even harder to act when you find something that you think needs to be changed or improved. Everyone knows that relationships with third parties involve risk. But what about the second parties, the fourth parties and beyond? Your institution is not only responsible for what your supplier does; it is also responsible for the activities of your supplier's own third-party providers (also known as fourth parties). The more critical your supplier is, the higher the cost and risk of managing that supplier. Information risk management means looking beyond your organization's boundaries to the third-party and fourth-party providers who have access to your sensitive data. Perhaps the simplest example is a fourth-party call center.
They have an issuance agreement for a prepaid card program and use an outsourced call center. You can certainly understand why you need to include them in your scope of review, due diligence, risk assessment and monitoring: they talk to your customers and have access to your customers' information! If your institution outsources an activity to another provider, that provider is a third party. This includes everyone from your landscaper to your technology service provider. Whether you run an activity yourself or outsource it to a third-party provider, your institution is equally responsible for the outcome. This means it is important to identify critical or high-risk suppliers: suppliers involved in critical activities, such as payments or IT, that can have a major impact on operations. While fourth-party risk involves more layers and more actors than third-party risk, it does not make a company any less responsible for a data breach. The more your team works with third-party vendors and their vendors, the greater the potential fourth-party risk. All it takes is a single opening for a threat to compromise protected information.
And as with any risk, it can have serious business implications. From fines to legal issues to your reputation in your industry, a fourth-party risk can wreak havoc on your business if left unchecked. Finally, transparency is key. Ask your current third-party providers for the names of their suppliers and partners. Your team can either work with your external partners to obtain their security records, or add these new fourth-party partners to your assessment list to get a complete picture of potential vulnerabilities. Your institution outsources functions, and your suppliers probably do too. A fourth party is a company to which your supplier outsources. Fourth-party suppliers go by many names. Some companies call them suppliers. Others call them strategic partners. They may provide bill payment, mobile banking, core processing, legal or other services.
The good news is that fourth-party risk has become a little easier to manage with the Statement on Standards for Attestation Engagements 18 (SSAE 18) released last year. SSAE 18 includes a vendor management element that requires a vendor to define the scope and responsibilities of each third-party vendor it uses, taking into account performance reviews, audits and monitoring. Third-party vendors that can provide an SSAE 18 report simplify fourth-party risk management. This is an emerging area that deserves special attention, especially if the fourth party plays a critical role in delivering your company's products or services to your customers. Another example is a cloud-based SaaS provider. In this case, the provider often uses another company to store data on its servers (another facility). Your third party's data storage provider is your fourth party. It is naturally confusing to know where to draw the line with your supplier's suppliers, also known as fourth parties.
Are you responsible for “managing” all of your fourth-party providers? What about the suppliers of your fourth parties, the so-called fifth parties? Maybe that is something we will put more emphasis on in 2019. The idea is that through this understanding you can better anticipate risks at a lower level, e.g. how your data may need to be shared, and may even need to be stored, in the systems of a provider with which you have no direct contract. A breach at this level can have just as big an impact as a breach at your third party. As an information and data security professional, you are probably familiar with third-party risk strategy.