Now that you have stood up processes for onboarding 3rd parties, it is time to consider the same for 4th parties. What? Another vendor group I have to worry about?
Have you thought about 4th parties? These entities are the vendors of your vendors. Just as your Information Security function is responsible for security reviews, identifying and helping the organization manage the risk associated with your 3rd parties, the same is true with those 4th parties.
You have worked diligently to build your Vendor Risk Management function. You developed a vendor security questionnaire, a policy and process, and completed in-depth training to ensure your team is prepared to vet potential third parties. You have a good relationship with your in-house Legal counsel to help make sure you cover all the bases with your 3rd parties.
Most organizations may have no direct contact with entities beyond the 3rd-party contract. However, by engaging with a 3rd party, you inherit all supply chain risk, including those known and unknown risks presented by the vendor’s suppliers, subcontractors, and service providers. You are responsible for identifying and mitigating the risk presented by these 4th parties.
The Risk
Potential risks begin with cybersecurity and can quickly expand into operational, legal, regulatory, compliance, reputational, financial, or strategic risk. You should gain an awareness of:
- Data types/data elements involved
- Where your data is going
- Where is your data being stored and processed
- Who has access to your data once the third party/fourth party obtains it
- Where are the third and fourth parties physically located
- Where are the services being provided from (cloud-based services may be spread across the globe)
- What specific services are being provided by the third party in the contract
- Specific services/functions that have been outsourced by the 3rd party to a 4th party
- Does the contract paper address outsourcing of services by the 3rd party to a 4th party
If a 4th party suffers a data breach, unauthorized disclosure, ransomware, data stealing malware, or some other security incident, the 3rd party could provide some level of security, but reliance upon the 3rd party’s security measures should not be considered as sufficient protection. If a 4th party can access/transmit/process/store your sensitive data and suffers a breach, you could run afoul of GDPR, HIPAA, PCI-DSS, GLBA, and other regulatory requirements and possibly face additional negative action.
Two recent examples of failed 3rd party/4th party security:
Example 1: CloudNordic
What happened? In August 2023, CloudNordic, a large Danish cloud provider, was completely paralyzed by an intrusion and subsequent ransomware infection that shut down all their systems and trashed production data and backups. Due to lax security practices, intruders were able to install malware and gained unauthorized access to central administrative systems, storage, replication backup systems, and secondary backups.
How did this happen? CloudNordic says that this most likely occurred as servers were being moved from one data center to another. The intruders had access to administration systems which they misused to encrypt entire disks containing customer data.
Company and customer data was encrypted by the intruders with intent to extort for ransom. As a result, the majority of CloudNordic’s customers lost all their data, as it was impossible for CloudNordic to recreate what was lost. CloudNordic could not afford to pay the ransom.
While CloudNordic states there was no immediate evidence of a data breach, the loss of website and email data was catastrophic for many customers who relied upon CloudNordic’s security practices to provide secure services and keep their data safe.
One customer, 5610eu, stated that the consequences to their business were devastating. Their customers were no longer to find their website, as the data had been destroyed. Since their customers could not locate the company online, the company no longer existed. Attempts to locate this website today were unsuccessful, suggesting the company was unable to survive the loss of its website data and email data.
https://www.theregister.com/2023/08/23/ransomware_wipes_cloudnordic/
Example 2: Blackbaud
What happened? From about February 2020 to May 2020, intruders gained unauthorized access to Blackbaud’s systems, where the threat actor exploited weaknesses in Blackbaud’s environments, misused administrative accounts, and began siphoning information belonging to tens of thousands of Blackbaud’s customers representing millions of individuals.
How did this happen? While Blackbaud eventually detected the intrusion, the damage was done. Blackbaud had failed to adequately monitor its systems, missing repeated attempts to break into its systems. Blackbaud did not implement some of the most basic security practices and as a result, suffered the theft of highly sensitive data, including social security numbers, bank account information, and other financial and personal identifying information for millions of customers.
Per the FTC complaint (https://www.ftc.gov/system/files/ftc_gov/pdf/Blackbaud-Complaint.pdf ):
Blackbaud did not take reasonable steps to prevent unauthorized access to its network and the sensitive data it had been entrusted to securely store and protect. Among multiple security failures, Blackbaud did not implement and enforce adequate data retention practices, implement measures such as Multifactor Authentication (MFA) to protect access to sensitive data, and did not test, review, or assess its own security controls as would normally be done through an annual risk assessment.
Blackbaud inappropriately retained customer data in violation of its own policies, including very sensitive financial and identifying information, even after there was no longer a legitimate business or legal reason to do so.
Blackbaud employed deficient encryption practices at the time of the breach. Sensitive data such as social security number and bank account information was stored in database tables in an unencrypted state, making this data easy pickings for thieves. Blackbaud did not encrypt its database backups, meaning that thieves could freely download backup files without worry that the data would be unusable.
Blackbaud was misleading about the scope of the data breach and failed to notify impacted customers and consumers for two months despite its knowledge that sensitive information, including financial information and social security numbers, had been stolen. Blackbaud also allowed customers to upload files containing customer information that was not encrypted.
The full scope and impact of this breach remains unknown.
Gain Clarity
Obtaining visibility over your 4th parties is a crucial first step to mitigating the risk associated with third parties and fourth parties. You need this visibility to help you adequately identify, inform, and protect your company from the reputational, financial, regulatory, and other consequences.
While you may not have a direct relationship with 4th parties or may not even be aware of who they are (as some organizations may have upwards of 1,000 3rd party relationships), the risk is still there. Since you may not know who they are, it may be a challenge to obtain data you need regarding their security posture or how they plan to respond in the event of a security incident.
Identify Your Fourth Parties
It is wise to begin with a data-centric approach. Consider those third parties who will access, process, transmit, or store your sensitive data, to include intellectual property such as code, applications, advertising and marketing data and other confidential company data. Inquire about any 4th parties that they may be outsourcing services or functions to. Then ask them for security compliance documentation for those 4th parties.
Ask your 3rd parties to provide current SOC (Service Organization Control) reports. A current SOC report will provide information related to vendors in use, but even a SOC report may not cover all critical vendors. Discuss your vendors’ 3rd-party risk management program with them to ensure that they are vetting their 3rd parties. Discuss their business continuity plan to ensure it includes customer notifications and support. To the greatest extent possible, you should perform the same due diligence for related 4th parties. Consider including a use case involving a 4th party data breach as part of your annual Incident Response tabletop. This will ensure that internal resources are able to quickly connect the dots between 3rd party and 4th party relationships and respond appropriately to reduce impact on the organization.
Organizations may consider aligning with a trusted advisor who can provide further guidance related to 3rd party and 4th party relationships and help them ensure their Vendor Risk Management programs are robust.
If you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to contact us to discuss your specific questions or situation.