Just when you thought you had your arms around your vendor management program, auditors and examiners have been inquiring about your “vendor’s vendors”.
It’s understandably perplexing to figure out where to draw the line. Are you responsible for “managing” all of your vendor’s vendors? What about your vendor’s vendor’s vendors? What’s next?
Who are 4th Party Vendors?
We’ll fondly refer to these vendors of your vendors as “4th party vendors” for purposes of this discussion. Like you, your vendors are deeply reliant on some of their vendors, and these are the ones you need to concern yourself with to some extent. These vendors show up in your vendor’s SOC reports and should also be easily identified by your vendor as those classified as critical in their own vendor management matrix.
You need to understand:
- Who they are
- What products and services they provide to your vendor that cause them to be classified as critical to their operation
- What your vendor has done in the way of due diligence of these vendors
The idea is that through this understanding, you can better anticipate risks that may reside a level deeper, such as how your data may need to be shared and possibly even stored in a vendor’s systems where you do not have a direct contract. A breach at this level can be every bit as impactful as a breach of your 3rd party vendor.
Since you don’t have a direct contract with the 4th party vendors, getting access to information about controls they may have in place is difficult, for obvious reasons. None of us would share this sort of information with a party that is not bound by a confidentiality agreement and does not have a solid “need to know.”
So, how do you do what regulators expect of you without the same information you use to assess your 3rd party vendors?
To get started, begin with your own critical vendors. Let them know that you are working toward the next level of your vendor management program and that 4th party vendors are your focus.
Ask your 3rd party vendor to provide you the following pieces of information:
- A copy of their own vendor management policy
- A complete list of all vendors they classified as critical and/or high risk
- Copies of their most recent annual review of each of these vendors
- The 4th party vendor's SSAE-16 report (your 3rd party vendor can typically get you a copy of it, but you’ll need to sign the 4th party vendor’s confidentiality agreement)
Once you have this information, review it and formulate your opinion of the risk these 4th party vendors pose to you (not to your 3rd party vendor). If needed, ask additional questions to ensure you understand the products or services being provided and how they can impact you.
A few common areas where a 4th party vendor may pose a risk to you:
- Your sensitive data is being transmitted or stored by a 4th party vendor and could be exposed if the 4th party system is breached
- Payment processing or other dependent services for your own customers may fail if the 4th party vendor experiences a failure
- Downtime of the 4th party vendor may be visible to your own customers/members depending on the integration method
Most importantly, document your review thoroughly and repeat it annually. It’s also a good idea to monitor news headlines for any public information that may alert you to a breach or other potential issue with these vendors.