U.S. companies are focusing on third-party risk programs, after the nation-state attack against SolarWinds raised serious questions about data breaches, reputational damage or other supply chain risks, experts said at the Shared Assessments third-party risk summit last week.
As part of the supply chain web, monitoring the vendors of a company's vendor, called Nth party risk, has become a critical part of protecting companies from potential threats, particularly in the cybersecurity space. BlackRock for example, keeps close watch over its vendors, in order to monitor Nth party risk.
"Some of the incidents that we have seen have not been directly from third parties, but third parties of third parties, fourth parties of BlackRock," said Michelle Evaul, managing director, third-party risk management at BlackRock, speaking on a virtual panel.
The SolarWinds attack, considered by most experts as one of the largest IT security disruptions in U.S. history, has forced a wide range of companies to take a hard look at their third-party vendor relationships, according to risk experts speaking at the 14th annual Shared Assessments conference
The attack opened up a host of questions about how closely companies evaluate and monitor third-party vendors they regularly do business with.
The growing use of technology and the dependence on the supply chain makes it important to monitor Nth party risk, according to Evaul. For example, the company monitors the third-party risk management programs that BlackRock vendors have in place.
Another question is what do third-party vendors demand in terms of reporting incidents and transparency from fourth-party vendors.
"As we've all seen the complex cyber incidents all start with the Nth party risk," she said. "And they're looking for the weak spots in the supply chain to be able to cause disruption in another firm."
BlackRock has focused continuous monitoring on critical and high-risk vendor populations, in order to identify potential problems in real time. Continuous monitoring is multi-layered, meaning it has a team of dedicated oversight teams that handle relationship monitoring. The company then has a second line of defense that works with the first-line teams to find out what the key challenges are.
"I would imagine in the remote work environment, those business engagements have been more critical," Evaul said.
The National Institute of Standards and Technology offers a series of publications — originally designed for federal agency use — to help companies develop a strong continuous monitoring program.
"If we don't know what is happening on our systems there is no way we can protect, respond and recover from these incidents," Victoria Yan Pillitteri, cybersecurity engineer at NIST said.
The gap between managing third-party risk in the manufacturing space versus the corporate space is starting to close as officials have recently taken a closer look at potential threats to the production environment.
Third-party risk in the manufacturing industry has historically taken a back seat to IT and other departments within U.S. companies, but that has begun to change in recent years, according to Ron Bradley, governance, risk & compliance leader at Bradley Consulting and a veteran IT security leader in the manufacturing space.
"Ideally we want to make sure we are protecting those assets in the manufacturing environment the same that we would inside the corporate networks," Bradley said."That trend is changing."
"The main thing is being able to get that collaboration between the two primary stakeholders, that being IT and OT," Bradley said.