How technology service providers can manage fourth-party risk
Is third-party outsourcing a smart move or risky business?
It could be either, depending on how robust your vendor risk-management program is.
As financial services, healthcare, insurance and other organizations continue to outsource more key business processes to third-party service providers, a systems and organization controls (SOC) report is critical. It’s the primary evidence provided to communicate compliance with appropriate risk management practices to their customers and other users.
Outsourcing to third-party providers can help organizations stand up key services and capabilities very quickly — but it also increases risk. To complicate matters, many service providers outsource to their own service providers to deliver expanded or enhanced services. The cost-effectiveness and speed to market makes using third parties hard to resist but also presents additional risks to the ultimate customer.
What is fourth-party risk?
While regulated organizations are often familiar with best practices for evaluating third-party risk, the need to extend that level of scrutiny one level deeper to include fourth-party risk has become apparent. In simplest terms, fourth-party risk refers to the risk that is introduced when a third-party service provider subcontracts some part of their service to an additional vendor.
Depending on the particular service being subcontracted, this could mean that a critical portion of an organization’s operations could be entrusted to a vendor they didn’t vet — or weren’t even aware of.
This may be acceptable for some “low risk” activities, but not for any functions that involve financial information, nonpublic customer data, or other sensitive information.
Fourth-party risk elevates the importance of your systems and organization controls (SOC) report — it’s the primary evidence to customers and users that you’re taking appropriate steps to follow risk management practices.
Examples of fourth-party activities
Common examples of fourth-party vendor activities include: customer service/help desk functions, managed services, check processing and manual reviews, database cleanup, payroll, server co-location companies and outsourced printing of statements.
Fourth-party risk has become more pronounced because of cybersecurity breaches and ransomware attacks. Fourth-party arrangements are being scrutinized by a number of key stakeholders, including regulatory agencies, because customers typically don’t have a relationship with the fourth party. That means customers don’t have access to due diligence materials that would generally be available for review.
Fourth-party risk considerations for tech companies
Risk management may not be top-of-mind in a growing tech company, but it could become a significant issue when they try to close deals with new or large customers.
The most effective way to manage fourth-party risks is to institute a robust vendor risk management program.
Information about the program should be incorporated in the SOC system description and it should be subjected to testing. (Risk Mitigation criteria CC9.2, which states that the entity assesses and manages risks associated with vendors and business partners for SOC 2 reports, and a comparable control objective in a SOC 1 report, are where the vendor risk-management program would be described and tested.)
Tech companies and other service providers that outsource significant processes need to understand:
- The quality of their due diligence and vendor management programs (or lack thereof) can directly impact their users’ and investors’ reputations.
- In a competitive situation, the quality of a service provider’s vendor management program can be the deciding factor in a selection.
- It’s critical to have a clearly defined road map in place to address SOC auditing and reporting, cybersecurity and resilience testing. Companies also need to document information security polices and business continuity plans. This is especially true for early-stage organizations.
Best practices to mitigate fourth-party risk
The following best practices are signs of a robust and comprehensive vendor management program:
1. Define due diligence policies and procedure
Spell out the process you use to select vendors. Include all the due diligence that’s required (and how it should be performed and documented) before a contract can be signed with a vendor.
2. Continuously monitor vendor activity
Monitor vendor activities on an ongoing basis. Check in with vendors at least annually to spot potential risks in the relationship and to make sure the company’s data is secure.
3. Conduct thorough vendor reviews
A thorough vendor review should include the following:
- Financial statements, SEC filings and other financial indicators
- SOC reports
- Business reputation
- Insurance coverage
- Business continuity management plan
- Annual business continuity management testing
- Contractual service level agreement reports
- Cyber resilience
- Information security program and incident response planning
- Payment Card Industry and Data Security Standards Reports, as applicable
- Model validation reports, as applicable
4. Match vendor reviews to the level of risk
Establish a cycle for vendor reviews based on the criticality of the vendor or service. For example:
- High-risk vendors could be reviewed annually, at a minimum
- Moderate-risk vendors could be reviewed every two years
- Low-risk vendors could be reviewed on an as-needed basis
How Wipfli can help
Today, due diligence includes vetting your vendors’ vendor management. Make sure your organization is properly assessing fourth-party risk.
Wipfli can help you build a strong vendor management program. We have proven SOC experience, and we work with financial institutions and the innovative technology companies that serve them. Our experience and industry perspective can help you manage risk and win in a competitive marketplace.
Learn more about our risk advisory and tech consulting services or continue reading:
