Explore the hidden dangers of fourth-party supply chain breaches and how they can put your organisation at risk. Learn about the growing need to identify and manage fourth-party cyber risks, with real examples and insights on evolving regulatory requirements.
Supply chain cyber attacks are the number one cyber threat facing organisations today. To harden your supply chain security, however, ensuring that your immediate suppliers have appropriate security postures in place is no longer enough. To secure our supply chains and enhance organisational as well as sectoral operational resilience, we need to broaden our approach from third-party risk management to also include fourth-party risks. Unfortunately, as of today, according to UK Government research, only 13% of organisations review their immediate suppliers, and just 7% investigate risks in fourth-parties.
This article will discuss the importance of fourth-party risks, and what your organisation can do to reduce them, as well as how you can gain greater visibility over your extended supply chain ecosystem. Specifically, in this article you will learn:
Imagine it is 1pm on a Friday and you learn that a widely-used file sharing platform has been breached by threat actors that are actively exploiting a zero-day vulnerability in the software. As a senior cyber security professional at a large financial services firm, responsible for keeping your company’s systems and data safe, your mind switches to response mode.
This seems to be a fast-evolving situation, so you had better check whether your organisation is using this file transfer software, too. You call procurement and ask them to confirm whether the software provider is among your third-parties, and you also check your own list of supplier organisations that you have run security assurance against, just to make sure.
You breathe a sigh of relief when you find out that, luckily, your organisation is not using the software. So you are safe, you think, at least this time your concerns could quickly be alleviated.
A week later, however, you find out that while your organisation has not used the affected file transfer software itself, one of your suppliers, which handles large volumes of personally identifiable information of your customers for you, used this software and has had client data exfiltrated by the threat actors. This included data from your firm’s customers. You are shocked: you were unaware of your supplier’s use of this software. If you had known, you might have been able to alert them in good time of the emerging threat, ensure they responded more swiftly and remediated the problem, and thus kept your customers’ data safe.
What came as an even greater shock was to learn that one of your customers, whose data had been leaked, had filed a class-action complaint against the provider of the file transfer software, but also against your supplier and your own financial institution for negligence.
This scenario, while imaginary, is not too far off from what actually happened to a range of financial services institutions, and to organisations from many other industries, during the MOVEit Transfer breach. When threat actors exploited a zero-day vulnerability that was discovered in the software, they also exfiltrated large amounts of data handled by a company called PBI Research Services, a leading research service provider used by many financial institutions to determine whether their account holders are still alive, or to find beneficiaries. This research provider had used MOVEit Transfer to process its clients’ customer data.
Another example of fourth-party impacts during the MOVEit attack is the case of Zellis, a UK payroll services provider. Only days after Progress Software had published its notice about the discovery of a zero-day vulnerability in its MOVEit Transfer software, it began to emerge that Zellis had confirmed a data breach through their use of the software. Zellis also announced that eight of their clients had been affected as well. The affected parties included the BBC, British Airways, Boots and DHL, among others.
Given the verified threat of unauthorised access to files and opportunities for data exfiltration during cyber attacks, any of your data, or your customers’ data, handled by your direct vendors, but also by subcontractors or third-parties of theirs, i.e. fourth-parties to you, may be at risk of being breached, resulting in the loss of confidential information.
In addition to the risk of data exfiltration, in some attacks, there is also the potential for an attacker to move onward into connected systems for further malicious activities such as additional data harvesting, establishing a persistent presence for the purpose of a future exploitation, or for the deployment of ransomware.
So your suppliers’ suppliers may in fact present the weakest link in your organisation’s supply chain. This is why the fallout from the MOVEit Transfer attack was so huge, reportedly affecting over 2,000 organisations worldwide and exposing the data of over 62 million people.
Risks beyond your immediate third-parties are of course much harder to spot and address. The inability to approach supply chain security much more holistically, and to identify risks beyond third-parties is therefore a fundamental flaw with more traditional Third-Party Risk Management (TPRM) programmes. They just can’t identify risks in the wider supply chain.
Despite this difficulty in identifying potential fourth-party risks, regulators are increasingly demanding just that, extending the risk management requirements they expect organisations to implement and demonstrate to subcontractors of direct suppliers and other fourth-parties.
Under Article 29 point 2, the EU’s Digital Operational Resilience Act (DORA), for example, states that:
“Where the contractual arrangements on the use of ICT services supporting critical or important functions include the possibility that an ICT third-party service provider further subcontracts ICT services supporting a critical or important function to other ICT third-party service providers, financial entities shall weigh benefits and risks that may arise in connection with such subcontracting, in particular in the case of an ICT subcontractor established in a third-country.”
The EBA’s Guidelines on outsourcing arrangements also state that entities should demonstrate awareness of “the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider” and of “the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them.”
Meanwhile in the UK, the Bank of England (BoE), Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) Operational Resilience Framework—especially the PRA’s SS1/21 Operational resilience: Impact tolerances for important business services and SS2/21 Outsourcing and third party risk management, as well as the FCA’s PS21/3 Building Operational Resilience—very much demands the same of their regulated entities.
In the supervisory statement SS2/21, for example, the PRA requests that firms “take reasonable actions to manage…concentration risks or vendor lock-in at the firm or group due to…fourth party/supply chain dependencies, for instance where multiple otherwise unconnected service providers depend on the same sub-contractor for the delivery of their services.” The PRA also expects firms to “have visibility of the whole firm’s or parent’s material sub-outsourced service providers and supply chain by internal control functions and, if applicable, other areas such as technology” as well as for service providers to facilitate this visibility “by maintaining up-to-date lists of their sub-outsourced service providers.”
These are just some examples of regulators’ increasing awareness and emphasis on supply chain risks beyond immediate third-party suppliers.
The biggest challenge organisations face in meeting these regulatory requirements, and in responding to supply chain attacks more generally, is that they rarely have sufficient visibility beyond their first-degree suppliers. It is one thing to be able to investigate internally to see if your own organisation uses vulnerable software, but it can take days (often weeks or months) before your suppliers, or your suppliers’ suppliers, have concluded their own investigations and notified downstream customers who may already have been impacted by the incident.
This is exactly what happened in the case of the MOVEit Transfer breach. It is highly likely that companies like Boots, the BBC, British Airways, Aer Lingus and other affected Zellis customers were unaware that the MOVEit software was used by Zellis, and therefore unaware that their data was at risk of compromise from the ongoing attack.
Gaining visibility over all critical third-parties is the first step. But do you also have visibility over their third-parties? This is what’s required to fully understand the impact of a supply chain incident.
This is where Risk Ledger can help with its holistic approach to supply chain security. We combine a Third-Party Risk Management platform with a secure social network. Similar to a social network like LinkedIn, each organisation has a profile on Risk Ledger, which contains information about their business, their security controls and other relevant risk areas, including ESG and financial risk. This profile is then shared with their clients and customers. Clients can set requirements against the framework, so they can compare suppliers against criteria which matter most to them, using policies and tags.
Organisations can use Risk Ledger in the capacity of both a supplier and a client in their own right, meaning they can simultaneously show their security posture to their clients and monitor the security posture of their own suppliers, all on the same platform. This reveals many connections in both directions. Because of these connections, the network can provide a unique visualisation of an organisation’s wider supply chain ecosystem and uncover interdependencies and risks past immediate suppliers, into fourth, fifth, sixth and n-th parties.
This allows not just for the mapping of an organisation’s wider supply chain ecosystem, but also enables Risk Ledger to map the potential blast radius of incipient supply chain attacks like the MOVEit Transfer attack. Crucially, it also provides organisations with the ability to prevent such fallouts in the first place by proactively identifying concentration risks and potential single points of failure before they become a problem.
In addition to supporting individual organisations with the mapping of their own extended supply chain dependencies and risks, Risk Ledger also facilitates enhanced collaboration between industry peers for advanced concentration and systemic risk identification, supporting organisations in their efforts to demonstrate to regulators how they are actively hardening not only their operational resilience, but the wider resilience of their sectors.
By pooling supply chain data in a secure, trusted environment, organisations can collectively map their shared direct suppliers and extended dependencies, and identify shared vulnerabilities and systemic risks that would remain invisible in isolation.
This new ethos to Defend-as-One yields tangible results, as the following data from the Risk Ledger platform demonstrates.
In one such instance, Risk Ledger brought together a group of financial services clients to form a community of peers on its platform. By utilising Risk Ledger, the institutions gained unprecedented visibility into their extended supply chains, identifying not just shared direct suppliers but also 4th, 5th, and nth-party dependencies.
Based on an aggregate total of only 98 direct third party supplier connections between 8 financial services organisations, the platform was able to identify the following nth party dependencies and shared systemic concentration risks:
and most importantly:
This visibility and network dependency mapping has greatly enhanced the cohort’s ability to collaborate on mitigating the most important risks, share insights and best practice on the suppliers in question, and support their operational resilience and incident response planning processes.
While Risk Ledger has long helped organisations and critical sectors map and gain greater visibility into their extended supply chains, Fourth Parties on Risk Ledger takes the mapping of critical fourth parties and sub-processors to the next level.
This extension to our Network Visualisation tool allows your suppliers to share their own critical vendors with you directly on the platform, providing a live and structured view of your entire fourth party supply chain ecosystem.
This is how it works: your suppliers add their own critical vendors directly to their profiles on the Risk Ledger platform. This information is then instantly shared with all their clients. This creates a scalable, shared intelligence solution that helps organisations proactively identify hidden concentration risks and shared service providers, giving them a clear picture of their true risk exposure. By seeing these dependencies in real time, security teams can make more informed, strategic decisions and improve their incident response planning and overall operational resilience.
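To make the mapping described above concrete, here is an added illustration (not Risk Ledger’s code) of what a defender can compute once each supplier declares its own critical vendors: the tier of every nth-party, the blast radius of a compromised vendor such as a file transfer product, and the vendors a peer cohort is concentrated on. The organisation names and declared vendor lists are constructed for the example.

```python
from collections import deque

# Constructed supplier-declared vendor lists (assumption: each organisation
# declares only its own critical vendors, as in the model described above).
DECLARED_VENDORS = {
    "bank-a": {"payroll-co", "research-co", "cloud-x"},
    "bank-b": {"payroll-co", "cloud-y"},
    "bank-c": {"research-co", "cloud-x"},
    "payroll-co": {"file-transfer-vendor", "cloud-x"},
    "research-co": {"file-transfer-vendor"},
    "cloud-x": set(),
    "cloud-y": set(),
    "file-transfer-vendor": set(),
}

def extended_supply_chain(graph, org):
    """Map every vendor reachable from org to its minimum tier (1 = third party, 2 = fourth party, ...)."""
    tiers = {}
    queue = deque([(org, 0)])
    while queue:  # breadth-first, so the first visit is the shortest tier
        node, depth = queue.popleft()
        for vendor in graph.get(node, ()):
            if vendor not in tiers:
                tiers[vendor] = depth + 1
                queue.append((vendor, depth + 1))
    return tiers

def blast_radius(graph, vendor):
    """All organisations that directly or transitively depend on vendor."""
    reverse = {}  # vendor -> organisations that declared it
    for org, vendors in graph.items():
        for v in vendors:
            reverse.setdefault(v, set()).add(org)
    affected, queue = set(), deque([vendor])
    while queue:
        for org in reverse.get(queue.popleft(), ()):
            if org not in affected:  # visited set also guards against cycles
                affected.add(org)
                queue.append(org)
    return affected

def concentration_risk(graph, cohort):
    """Vendors (at any tier) shared by more than one cohort member, most widely shared first."""
    shared = {}
    for member in cohort:
        for vendor in extended_supply_chain(graph, member):
            shared.setdefault(vendor, set()).add(member)
    return sorted(((v, m) for v, m in shared.items() if len(m) > 1),
                  key=lambda item: (-len(item[1]), item[0]))
```

In the constructed data, bank-b never declared the file transfer vendor itself, yet appears in its blast radius through payroll-co, which is exactly the fourth-party exposure the article describes.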
To learn more about how this feature can transform your supply chain risk management, read our full blog post on Fourth-Party Visibility here.