Nth Party Relationships and Supply Chain Risk Management
No person, or company, is an island.
In today's interconnected, digital world, most, if not all, organizations rely on third parties in some capacity. Most commonly, companies depend on goods, services, or software supplied by others to be successful; enter third-party and nth-party relationships.
What is an Nth Party Relationship?
An nth party relationship refers to the chain of dependencies that exists beyond the third-party in a business relationship. In other words, it describes the relationships between a company and its vendors, and the vendors of those vendors, and so on.
For example, if Company A uses Vendor B for its IT services, and Vendor B uses Vendor C for its cloud hosting services, then Vendor C is an nth party to Company A. The term "nth party" is used to describe any party beyond the third-party in a given business relationship, and it can refer to fourth parties, fifth parties, and so on, depending on how many levels of dependencies exist.
Managing nth party relationships is important because the risks associated with each party in the chain can have a cumulative effect on the overall risk exposure of a company. If one party in the chain experiences a data breach or other security incident, it can potentially affect all the other parties in the chain, including the original company. Therefore, it's crucial to have a thorough understanding of all the parties in a supply chain and their dependencies to effectively manage and mitigate risks.
However, managing dependencies can be a daunting task in any industry.
- With software consumption continually increasing, tech companies especially rely on software development tools to track versions, test performance, and debug code.
- Similarly, manufacturers compile Software Bills of Materials (SBOMs) to capture the parts, quantities, and assembly procedures needed to build an end product.
- And retailers are dependent on various suppliers for their goods and services. Remember the recent Dole cyber attack, which made select produce and salad mixes temporarily unavailable?
And many organizations, in the face of COVID-19, learned that their critical supply chains ultimately led to factories in China when quarantines disrupted them.
Nth Party Breach Sources
While disruptions to a supply chain can occur from many sources, according to the 2023 BCI Supply Chain Resilience Report, cyber attacks and data breaches are the top threat.
Additionally, in a study by McKinsey, 45% of respondents reported having no visibility into their upstream supply chain or that they can see only as far as their first-tier suppliers.
The common theme in these cases is simply that each dependency likely has dependencies of its own. Every company that provides information technology services, ships goods, or builds components relies on others for support.
Your network and interconnectivity shape your vulnerabilities. Thus, the role of third party or customer depends on the point of view, and each company will assume both in the interconnected web of risk analysis. This is why a third-party cyber risk management framework is so important.
Supply Chain Risk Management: A Modern Approach
Traditionally, third-party cyber risk management (TPCRM) programs are concerned with how customers (first parties) are impacted by their vendors (third parties). TPCRM programs identify, assess, analyze, and monitor the risks to which they have been exposed and push companies to improve their cybersecurity posture over time. The downside is that these programs focus on first-tier relationships and don't take into account the interconnectedness of the third-party ecosystem.
On the flip side, a more modern approach to third-party cyber risk management is to look at your third-party portfolio more holistically and collaborate with your third parties to remediate your risks. As an example, companies in the CyberGRX Exchange can see their third-party risks using predictive data, then, based on their findings, determine which third parties need deeper evaluation and begin working with those vendors. However, the Exchange is dual-sided, so not only can an organization identify, assess, and mitigate the risks coming from its third parties, it can also share its own assessment with its customers, to whom it is a third party. Additionally, the Exchange is not limited to first-tier suppliers; assessments can be shared multiple times over, to fourth, fifth, and further parties.
Because the data lives in a collaborative risk Exchange platform which can be shared with other members and customers, organizations save the time and resources they would otherwise spend filling out custom, bespoke questionnaires that have limited reuse potential. It's a one-to-many model, and the Exchange's size provides a network effect that increases the value of every assessment in it. As the model grows, so does nth-party visibility. As a result, you can trace how the outsourcing of assets like Data, Devices, and Applications extends outward.
Understanding Nth Party Relationships
In the image above, the diversity of company industry classifications is revealed by the colors. Technology is dark blue; healthcare is light green; industrials are orange, etc.
When a third party relies on another company, it becomes a fourth party to the original customer. If we extend this reliance one level beyond, we get fifth parties. At each dependency level, the number of companies increases greatly, some of which reflect very large ecosystems. In a large enough ecosystem, many companies become fourth parties to themselves. This often occurs between different industries where, for instance, a software company relies on a telecommunications provider who, in turn, uses that software company's applications. CyberGRX falls into this situation often: we are a third party to you, and you rely on us for your third-party risk analysis.
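The dependency chain described in "What is an Nth Party Relationship?" and the self-referential fourth-party case above can be made concrete with a small graph model. The following is an added example, not CyberGRX's code or any part of the Exchange: it assumes a constructed vendor graph with made-up company names and, from it, computes each vendor's party number for a first party, detects when a company reappears in its own chain, and walks the graph in reverse to list every customer whose supply chain includes a breached vendor (the cumulative-risk point from the earlier section).

```python
from collections import deque

# Constructed sample graph (not real companies): each key relies directly on
# the vendors listed. It mirrors the article's Company A -> Vendor B -> Vendor C
# chain and adds a software firm and a telco that depend on each other.
DEPENDENCIES = {
    "Company A": ["Vendor B", "SoftwareCo"],
    "Vendor B": ["Vendor C"],
    "Vendor C": ["Vendor D"],
    "SoftwareCo": ["TelcoCo"],
    "TelcoCo": ["SoftwareCo", "Vendor D"],
    "Vendor D": [],
}


def nth_party_tiers(graph, first_party):
    """Map every vendor reachable from first_party to its party number:
    3 for a direct vendor (third party), 4 for a vendor's vendor, and so on.
    Breadth-first search assigns the nearest tier when several paths exist."""
    tiers = {}
    queue = deque([(first_party, 0)])  # depth 0 is the first party itself
    seen = {first_party}
    while queue:
        company, depth = queue.popleft()
        for vendor in graph.get(company, []):
            if vendor not in seen:
                seen.add(vendor)
                tiers[vendor] = depth + 3  # a depth-0 company's vendor is a third party
                queue.append((vendor, depth + 1))
    return tiers


def self_party_tier(graph, company):
    """Return the party number at which `company` reappears in its own
    dependency chain (4 means it is a fourth party to itself), or None
    when no chain leads back to it."""
    queue = deque([(company, 0)])
    seen = set()
    while queue:
        current, depth = queue.popleft()
        for vendor in graph.get(current, []):
            if vendor == company:
                return depth + 3
            if vendor not in seen:
                seen.add(vendor)
                queue.append((vendor, depth + 1))
    return None


def exposed_customers(graph, breached):
    """Walk dependency edges in reverse to collect every company whose supply
    chain, at any tier, includes `breached`; these are the parties an incident
    at `breached` could propagate to."""
    reverse = {}
    for customer, vendors in graph.items():
        for vendor in vendors:
            reverse.setdefault(vendor, []).append(customer)
    exposed = set()
    queue = deque([breached])
    while queue:
        current = queue.popleft()
        for customer in reverse.get(current, []):
            if customer != breached and customer not in exposed:
                exposed.add(customer)
                queue.append(customer)
    return exposed


if __name__ == "__main__":
    tiers = nth_party_tiers(DEPENDENCIES, "Company A")
    for vendor, tier in sorted(tiers.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{vendor}: tier {tier}")
    print("SoftwareCo is a party to itself at tier:",
          self_party_tier(DEPENDENCIES, "SoftwareCo"))
    print("Exposed by a Vendor D incident:",
          sorted(exposed_customers(DEPENDENCIES, "Vendor D")))
```

Because `nth_party_tiers` uses breadth-first search, a vendor reachable by several paths is reported at its closest tier, which is the figure that matters for prioritising deeper evaluation; `exposed_customers` is the same walk in the opposite direction and is the quick way to answer "who is affected?" when a deep-tier supplier reports an incident.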
The explosive nature of nth-party relationships demonstrates how interconnected company dependencies can be and the importance of supply chain risk management. Some crucial cybersecurity control gaps and associated vulnerabilities may be deeply embedded within a third party's own ecosystem and not immediately evident in a traditional cyber risk analysis, particularly in the absence of a third-party risk management framework. Not all risks will significantly propagate from a fourth or fifth party to an interested customer, but some will, and CyberGRX's risk exchange and analytics will ultimately uncover those risks. Curious to see your risks and your vulnerabilities across your portfolio? Book time with our sales team now.