Cybersecurity is top of mind for business leaders around the globe. But determining the outer boundaries of your cyber risk environment can be daunting. How vulnerable is your company to potential breaches at your third-party service providers? How about the fourth parties — and beyond — that provide services and supplies to these third parties? Yes, we’re talking about the security of your vendors’ vendors. These “Nth-party risks” further down the supply chain can also have serious consequences for organizations, and can be a risk management blind spot.
Gaining visibility into these relationships and their potential weaknesses can be challenging, particularly for large, complex organizations. Consider a company that is aggressively acquiring new entities. If the sales team has a mandate to move fast, operations, controllers, third-party risk management and IT may struggle to keep up with the vendor risk management from the stream of new vendors and subcontractors. Far too often, assessments of third- and Nth-party risk may be ad hoc, incomplete or non-existent.
Responding to PwC’s 2022 Global Digital Trust Survey, 75% of executives reported their organizations are overly complex, leading to “concerning” cyber and privacy risks. Our survey also found that many organizations have a blind spot arising from third parties and the supply chain. Only 31% said their understanding of Nth-party risk was based on formal enterprise-wide assessments. The remainder had a limited, ad hoc understanding or none at all. The organizations with industry-leading cybersecurity outcomes, however, often have a strong understanding of cyber and privacy risks from third parties.
While managing third- and Nth-party risk may feel formidable, you can take meaningful steps to make the process effective and efficient. Requesting System and Organization Controls (SOC) reports from your third-party suppliers can provide important risk management insights into their control environment and can help identify instances where Nth parties are leveraged. This level of visibility helps you assess risks further down the supply chain and avoid potential blind spots. Which SOC(s) you need will depend on the potential impact of a third- or Nth-party incident on your business operations, resiliency and other factors.
Although SOC reports may not be designed or intended to specifically address cybersecurity, they can act as a good starting point in identifying:
The potential value of getting these types of reports to help with vendor risk management can’t be overstated. Let’s look at a hypothetical example:
Company A uses a cloud-based model provided by Company B. An application for that model is hosted by Company C in a country that becomes subject to a geopolitical conflict. Company A has not reviewed the SOC report from Company B (which discloses the relationship with Company C — see diagram below). Company A’s management is therefore unaware of Company C, its location in a war zone, or that it is a prime target for nation-state hackers. When Company C’s environment is compromised, taking Company B’s environment down with it, Company A is unprepared.
As our hypothetical emphasizes, potential points of vulnerability extend far beyond your organization's direct control. How can you effectively assess and protect against potential risks throughout the different levels of service provider relationships? Important steps include:
The cyber risk landscape is sprawling, but it can be manageable if you take the right approach. Deployed effectively, SOC reports and other tools can help you map, assess and address third- and Nth-party risks. Contact PwC for assistance evaluating your situation and developing an approach for your company.
Cybersecurity Attestation Services Leader, PwC US