How SOC reporting can help assess cybersecurity risk management in third-party relationships — and beyond

Cybersecurity is top of mind for business leaders around the globe. But determining the outer boundaries of your cyber risk environment can be daunting. How vulnerable is your company to potential breaches at your third-party service providers? How about the fourth parties — and beyond — that provide services and supplies to these third parties? Yes, we’re talking about the security of your vendors’ vendors. These “Nth-party risks” further down the supply chain can also have serious consequences for organizations, and can be a risk management blind spot.

Why should companies do a supplier risk assessment?

Gaining visibility into these relationships and their potential weaknesses can be challenging, particularly for large, complex organizations. Consider a company that is aggressively acquiring new entities. If the sales team has a mandate to move fast, operations, controllers, third-party risk management and IT may struggle to keep up with vendor risk management for the stream of new vendors and subcontractors. Far too often, assessments of third- and Nth-party risk are ad hoc, incomplete or non-existent.

Responding to PwC’s 2022 Global Digital Trust Survey, 75% of executives reported their organizations are overly complex, leading to “concerning” cyber and privacy risks. Our survey also found that many organizations have a blind spot arising from third parties and the supply chain. Only 31% said their understanding of Nth-party risk was based on formal enterprise-wide assessments. The remainder had a limited, ad hoc understanding or none at all. The organizations with industry-leading cybersecurity outcomes, however, often have a strong understanding of cyber and privacy risks from third parties.

SOC solutions

While managing third- and Nth-party risk may feel formidable, you can take meaningful steps to make the process effective and efficient. Requesting System and Organization Controls (SOC) reports from your third-party suppliers can provide important risk management insights into their control environment and can help identify instances where Nth parties are leveraged. This level of visibility helps you assess risks further down the supply chain and avoid potential blind spots. Which SOC(s) you need will depend on the potential impact of a third- or Nth-party incident on your business operations, resiliency and other factors.

Although SOC reports may not be designed or intended to specifically address cybersecurity, they can act as a good starting point in identifying:

  • third- and Nth-party relationships,
  • potential risks and exposures to organizations arising from such relationships, and
  • controls relevant to operations, security and other areas.

Typical reporting options, at a glance

SOC 1 reports

These focus on outsourced services that impact financial reporting. Payroll processors, custodians and loan servicers, as well as technology providers that host applications relevant to financial reporting are among the businesses that typically provide SOC 1 reports to their clients.

SOC 2 reports

These can benefit an even broader range of stakeholders. SOC 2 reports address criteria covering security, availability, confidentiality, processing integrity and privacy. SOC 2s can be highly effective for businesses with sophisticated supply chains and digital service offerings. As companies increasingly focus on third-party risk management, we have seen sales pitches hinge on having a SOC 2 report at the ready.

Other reporting solutions

These include options such as SOC for Cybersecurity, which examines cybersecurity risk management and the effectiveness of cyber risk controls. Such reports may also be available to provide visibility into the operations and controls of your service providers and other relevant parties.

The potential value of getting these types of reports to help with vendor risk management can’t be overstated. Let’s look at a hypothetical example:

Company A uses a cloud-based model provided by Company B. An application for that model is hosted by Company C in a country that becomes subject to a geopolitical conflict. Company A has not reviewed the SOC report from Company B (which discloses the relationship with Company C — see diagram below). Company A’s management is therefore unaware of Company C, its location in a war zone, or that it is a prime target for nation-state hackers. When Company C’s environment is compromised, taking Company B’s environment down with it, Company A is unprepared.

[Diagram: Uncovering Nth-party risk]

Assessing and addressing Nth-party risk

As our hypothetical emphasizes, potential points of vulnerability extend far beyond your organization's direct control. How can you effectively assess and protect against potential risks throughout the different levels of service provider relationships? Important steps include:

  • Third-party risk management. Analyzing procurement data for different aspects of your company’s business can give you a more holistic view of the risk landscape. Working with your legal department, you can also determine the scope of third-party contractual relationships.
  • Vendor risk assessment. Your third parties can be exposed to significant risk from their own vendors. You may even have multiple third parties that share the same fourth-party vendor — potentially concentrating your risk exposure. Knowing that these relationships exist, and understanding their risk profile, is important.
  • Determine the criticality of potential cybersecurity risks. Criticality goes beyond setting a spend threshold, which may lead you to miss a significant risk. Consider the severity of the consequences of a third- or Nth-party incident for your business. Management should consider the nature of the services provided; the impact on operations should an incident occur; and the data held and managed, which in turn could impact the assessment of other risk factors, such as operational and reputational risk.
  • Establish governance and monitoring protocols. Increased regulatory scrutiny of cyber risk, including newly proposed SEC rules for incident disclosure and laws relating to incident reporting, requires careful and serious attention by CISOs and boards. Given the complexity and interconnectivity of vendor relationships, internal protocols should include procedures for the monitoring and evaluation of third- and Nth-party providers.
  • Request SOC reports from third-party and Nth-party vendors. Consider whether you should look beyond SOC 1 reporting to SOC 2 reporting, which covers many key areas supporting cyber risk programs — including backups, resiliency, patch management and other security controls. This reporting gives companies a greater understanding of their extended control environment and allows a more thorough assessment of third- and Nth-party providers.

Are you prepared for Nth-party risk?

The cyber risk landscape is sprawling, but it can be manageable if you take the right approach. Deployed effectively, SOC reports and other tools can help you map, assess and address third- and Nth-party risks. Contact PwC for assistance evaluating your situation and developing an approach for your company.

Contact us

Mark Cornish

Cybersecurity Attestation Services Leader, PwC US