Businesses are reevaluating their third-party risk management strategies

Overseeing a corporation's third-party suppliers and the suppliers behind them, known as Nth party risk, has emerged as a crucial step in safeguarding businesses from potential dangers within their supply chain.

Third-party risk assessment strategies receive renewed scrutiny by businesses

In the rapidly evolving digital landscape, the management of third-party risk has become a critical concern for businesses across various sectors. This is particularly true in the cybersecurity space, where monitoring vendors and their vendors (Nth party risk) has become essential.

Ron Bradley, a governance, risk & compliance leader at Bradley Consulting, emphasizes the importance of this issue. He suggests that assets in the manufacturing environment should be protected the same as corporate networks, a trend that is starting to take shape.

This shift in focus is also being driven by recent events, such as the SolarWinds attack, which has forced companies to reevaluate their relationships with third-party vendors. U.S. companies are now focusing on developing robust third-party risk programs to mitigate such threats.

Experts at the Shared Assessments third-party risk summit have discussed the importance of these programs, highlighting the need for continuous monitoring and a multi-layered approach. BlackRock, for instance, has implemented a continuous monitoring program that involves dedicated oversight teams and a second line of defense.

BlackRock also closely monitors its vendors to manage Nth party risk. Michelle Evaul, managing director of third-party risk management at BlackRock, discussed incidents that came not directly from third parties but from third parties of those third parties, which are fourth parties to BlackRock. She emphasized the need for transparency and for incident reporting from these parties.

Victoria Yan Pillitteri, a cybersecurity engineer at NIST, agrees. She emphasizes the importance of knowing what is happening on systems in order to protect against, respond to, and recover from incidents. This knowledge is crucial in managing third-party risk, as collaboration between IT and Operational Technology (OT) becomes increasingly important.

However, there is still a question about what third-party vendors demand in terms of reporting incidents and transparency from fourth-party vendors. This is a gap that needs to be addressed as the trend continues towards protecting assets in the manufacturing environment the same as corporate networks.

The growing use of technology and dependence on the supply chain make it important to monitor Nth party risk. Corporate stakeholders are focusing on understanding the risk calculus of their technology stacks, and resources like the publications offered by the National Institute of Standards and Technology can help companies develop a strong continuous monitoring program.

Despite these efforts, no specific recent company efforts to understand and minimize risks from N-tier suppliers in production environments are detailed in the available search results. This underscores the need for continued vigilance and investment in third-party risk management.

In conclusion, the management of third-party risk is no longer a secondary concern for U.S. companies. The gap between managing third-party risk in the manufacturing space versus the corporate space is starting to close, and businesses are taking proactive steps to protect their assets and mitigate potential threats.