Nth Party Relationships and Cyber Risk Management

by Michelle Krasniak

Dependencies are a challenge to audit and manage in any industry. Information technology companies must control external software requirements, track versions, and test changes.  Manufacturers compile Bills of Materials (BOMs) to capture the parts, quantities, and assembly procedures needed to build an end product. And many organizations, in the face of COVID-19, learned that their critical supply chains ultimately led to factories in China when quarantines disrupted them.  

The common theme in these cases is simply that each dependency likely has dependencies of its own. Every company that builds components, ships goods, or provides information technology services also relies on others for support. The role of third party or customer is just a matter of perspective, and each company will assume both in the interconnected web of risk analysis. This is why a third-party risk management framework is so important.

As CyberGRX continues to build the world’s largest cyber risk exchange platform, it becomes better positioned to assess how risk conveys across these tangled ecosystems. Traditionally, third-party cyber risk management (TPCRM) programs are concerned with how customers (first parties) are impacted by their vendors (third parties). They identify, assess, and mitigate the risks to which they have been exposed and push companies to improve their cybersecurity posture over time.

On the flip side, companies in the CyberGRX exchange can also have multiple customers (second parties) with which they would like to share their assessment. This reduces the time and resources spent filling out custom questionnaires with limited reuse potential. The exchange's size provides a network effect that increases the value of every assessment in it.

Since the CyberGRX Exchange is modeled as an interconnected graph of linked companies, it is possible to trace how third-party relationships, and the risk that accompanies the outsourcing of assets like Data, Devices, and Applications, extend outward.

[Image: CyberGRX nth party relationships]

In the image above, the diversity of company industry classifications is revealed by the colors. Technology is dark blue; healthcare is light green; industrials are orange, etc.

When a third party itself relies on another company, that company becomes a fourth party to the original customer. Extending this reliance one level further gives fifth parties. At each dependency level the number of companies increases greatly, and some of them sit at the center of very large ecosystems in their own right, as shown by the size of the circles. In a large enough ecosystem, many companies become fourth parties to themselves. This often occurs across industries where, for instance, a software company relies on a telecommunications provider who, in turn, uses that company's software applications. CyberGRX itself falls into this situation often, when our third parties rely on us for their own risk analysis.
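As an added illustration (not CyberGRX's own code), here is a small Python model of the graph walk described above. It runs over a constructed, hypothetical vendor graph, labels each company with its nth-party level relative to a chosen first party, records the case where the walk returns to the first party (a company that is its own fourth party), and answers the reverse question of which customers a given company is an nth party to.

```python
from collections import deque

# Constructed sample graph with hypothetical names: company -> third parties it relies on.
VENDORS = {
    "AcmeBank":  ["CloudHost", "PayProc"],
    "CloudHost": ["TelcoNet", "ChipMaker"],
    "PayProc":   ["CloudHost", "FraudAI"],
    "TelcoNet":  ["NetSoft"],
    "NetSoft":   ["TelcoNet", "CloudHost"],  # the telco's software vendor uses the telco
    "ChipMaker": [],
    "FraudAI":   ["CloudHost"],
}

def nth_parties(graph, origin):
    """Breadth-first walk outward from a first party.

    Returns {company: n}: n == 3 for third parties, 4 for fourth parties, ...
    BFS records each company at the shortest level where it is reached.
    If the walk comes back to `origin`, the origin is listed as its own nth party.
    """
    levels = {}
    seen = {origin}
    queue = deque([(origin, 2)])            # origin's direct vendors are level 3
    while queue:
        company, level = queue.popleft()
        for vendor in graph.get(company, []):
            if vendor == origin:            # dependency cycle back to the first party
                levels.setdefault(origin, level + 1)
            elif vendor not in seen:
                seen.add(vendor)
                levels[vendor] = level + 1
                queue.append((vendor, level + 1))
    return levels

def count_by_level(levels):
    """Number of distinct companies at each dependency level."""
    counts = {}
    for n in levels.values():
        counts[n] = counts.get(n, 0) + 1
    return dict(sorted(counts.items()))

def exposed_customers(graph, vendor):
    """Reverse question: for which companies is `vendor` an nth party, and at what n?
    Walking the reversed graph from `vendor` gives exactly that mapping."""
    reverse = {}
    for company, deps in graph.items():
        for dep in deps:
            reverse.setdefault(dep, []).append(company)
    return nth_parties(reverse, vendor)
```

With the sample graph, a control gap at NetSoft sits five levels away from AcmeBank, and TelcoNet turns up as a fourth party to itself.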

The explosive nature of nth-party relationships reveals just how interconnected company dependencies can be. It stands to reason that some critical cybersecurity control gaps and related vulnerabilities may be buried deeply in a third party’s own ecosystem and not immediately obvious to a traditional cyber risk analysis, especially when a third-party risk management framework is absent. Not every risk will meaningfully convey from a fourth or fifth party to an interested customer. But some will, and CyberGRX’s risk exchange and analytics will ultimately make it possible to discover those that may.

Joe Marques
Director, Advanced Analytics