As financial services, healthcare, insurance and other organizations continue to outsource more key business processes to third-party service providers, a System and Organization Controls (SOC) report is critical. It is the primary evidence a service provider supplies to communicate compliance with appropriate risk management practices to its customers and other report users.
While outsourcing enables organizations to quickly implement and provide key services and capabilities, it also increases their risk profiles — underscoring the importance of an effective vendor management program.
To complicate matters, many of these third-party service providers use their own service providers to meet their customers' needs for expanded and enhanced services. The cost-effectiveness and speed to market make using third parties hard to resist, but they also present additional risks to the ultimate customer.
What is fourth-party risk?
While regulated organizations are often familiar with best practices for evaluating third-party risk, the need to extend that level of scrutiny one level deeper to include fourth-party risk has become apparent. In simplest terms, fourth-party risk refers to the risk that is introduced when a third-party service provider subcontracts some part of their service to an additional vendor.
Depending on the particular service being subcontracted, this could mean that a critical portion of an organization’s operations is being entrusted to a vendor they may be completely unaware of. For some “low-risk” activities, this may be acceptable, but certainly not for any “high-risk” functions where financial information, or nonpublic customer or other sensitive information is involved.
Some common examples of fourth-party vendor activities include: customer service/help desk functions, managed services, check processing and manual reviews, database cleanup, payroll, server co-location companies and outsourced printing of statements.
Given recent reports of high-profile breaches and ransomware attacks, fourth-party risk concerns have become more pronounced and are being scrutinized by a number of key stakeholders, including regulatory agencies. Since the service provider's customer normally does not have a direct relationship with the fourth party, it does not have access to the typical due diligence materials that would generally be available for review.
The most effective way for customers to get comfortable with fourth-party risks is for the service provider to institute a robust vendor risk-management program, which includes information about the program in the SOC system description and subjects it to testing.
In a SOC 2 report, Risk Mitigation criterion CC9.2 (which states that the entity assesses and manages risks associated with vendors and business partners), and in a SOC 1 report a comparable control objective, is where the vendor risk management program would be described and tested.
Service providers that have outsourced significant processes need to:
- Understand that the quality (or lack thereof) of their own due diligence and vendor management programs can have a direct impact on the reputation of their users and investors.
- Recognize that, in a competitive situation, the quality of a service provider's vendor management program can prove to be the difference in selection.
- Have a clearly defined road map in place (especially for early-stage organizations) that includes SOC auditing and reporting, cybersecurity, resilience testing, appropriately documented information security policies and business continuity plans.
Risk management may not be top of mind for a growing tech company but could become a significant issue when trying to close a deal with new customers, especially larger ones. The following best practices are signs of a robust and comprehensive vendor management program:
1. Be sure to have a policy that spells out the process of selecting a vendor and the necessary due diligence required to be performed and documented before signing a contract with the vendor.
2. Monitor active vendors on an ongoing basis. It's important to check in with your vendors at least annually to spot potential risks in the vendor relationship and to make sure the company's data is secure.
3. Thorough vendor reviews should include the following:
- Financial statements, SEC filings and other financial indicators
- SOC reports
- Business reputation
- Insurance coverage
- Business continuity management plan
- Annual BCM testing results
- Contractual service level agreement reports
- Cyber resilience
- Information security program and incident response planning
- Payment Card Industry Data Security Standard (PCI DSS) reports, as applicable
- Model validation reports, as applicable
4. Review frequency can be based on the criticality of the vendor.
- High-risk vendors could be reviewed at least annually
- Moderate-risk vendors could be reviewed every two years
- Low-risk vendors could be reviewed on an as-needed basis
How Wipfli can help
Today, successful due diligence of third-party vendors includes vetting how those vendors manage their own third-party providers. To ensure that your organization is properly assessing fourth-party risk and that your vendor management program is strong, it's important to work with a partner that has proven SOC experience.
Wipfli specializes in working closely with financial institutions of all sizes, as well as the innovative technology companies that serve them, and that level of experience and industry perspective helps our clients better succeed in the marketplace.
Learn more about our risk advisory and tech consulting services or continue reading: