Looking beyond third parties: Tackling “Nth party risk” with the help of technology

• “Nth party risk” extends the traditional concept of third-party risk management in supply chains to include fourth, fifth and even sixth parties.
• It’s an increasing focus for regulators with mandated requirements.
• Use of leading technologies, including artificial intelligence (AI) are key to unlocking true value.

The supply chain ecosystem has evolved into a complex network of interconnected technologies and relationships. This complexity is driven by the increasing reliance on an expanding supplier landscape for the delivery of critical business operations.

While these interconnections create opportunities for efficiency and innovation, they also introduce potential risks and threats. Organisations and regulators across sectors have identified the significant role of suppliers, particularly where the use of consistent suppliers across a geography, supply chain or industry create significant concentration risks. Common risks include information security vulnerabilities, operational disruptions, compliance issues, financial loss and reputational risks This trend has identified a need for organisations to consider the concept of ‘Nth party risk’, extending the traditional concept of third-party risk management. In this article, we will explore exactly what it is, some examples of real-world disruptions and how you can better manage the risk and why.

What is Nth party risk?

Nth party risk refers to the broader risk landscape that lies beyond an organisation’s direct (third-party) suppliers – extending deeper into the supply chain to include fourth, fifth and even sixth parties. Managing Nth party risk involves gaining visibility into these extended relationships to identify potential vulnerabilities and implement the right mitigation strategies. This approach enables organisations to reduce the overall risk profile of their supply chain and build greater resilience against disruption.

This topic has become an increasing focus for regulators with mandated requirements both here in Ireland and further afield. In Ireland, organisations are guided by the General Data Protection Regulation (GDPR), the European Union’s Digital Operational Resilience Act (DORA) and the Network and Information Systems Directive 2 (NIS2), which are indicative of a broader EU initiative to enhance digital security standards. These regulations aim to hold organisations accountable for managing downstream risks within their extended supply chain networks, thereby ensuring enhanced operational resilience and data protection. Such legislative frameworks mark a significant step in reinforcing Ireland’s commitment to digital security and operational integrity across various sectors.

Examples: Real-world impacts of Nth party risk

Cloud hosting providers continue to be high-value targets for threat actors due to the scale and centralisation of sensitive data. In a recent incident, attackers targeted a provider’s infrastructure to exfiltrate authentication credentials.

This breach facilitated unauthorised access to the third party customer environments, potentially compromising data associated with over 560 million individuals. The stolen data included full contact details and financial information, such as credit and debit card records. This exposure significantly increases the risk of secondary attacks including credential stuffing, phishing campaigns, identity fraud, and other vectors commonly exploited in cybercrime.

What are the key challenges?

As organisations begin to build capability to apply Nth party risk management practices, we’ve noticed the following challenges:

• Achieving visibility of organisations deeper in the supply chain (e.g. fourth and fifth parties).

• Developing a fit-for-purpose approach, including the right level of depth of assessment and oversight.

• Understanding the dependencies between your Nth party relationships and the impact of a disruption event such as a cybersecurity breach or a technology outage.

• Maintaining accurate and relevant information can be resource intensive and timely.

How can organisations approach Nth party risk management?

Below, we list some of the better practice approaches that are emerging across the globe:

• Leverage advanced technology: Use technologies, such as artificial intelligence, to gain real-time insights and enhance transparency across the entire supply chain. These technologies can automate monitoring processes, identify anomalies and enhance reporting capability to proactively address potential risks.

• Develop an Nth party risk management framework: Create a framework to provide governance and guardrails for your Nth party risk management processes. Define the assessment approach for fourth and fifth parties across the lifecycle of your suppliers.

• Identify critical suppliers further down the supply chain: Conduct assessments to pinpoint which suppliers, beyond your immediate third-party partners, play a key role in your operations (fourth, fifth and even sixth-party suppliers). AI-based capabilities can help execute additional supplier risk assessments and questionnaires, allowing valuable human effort to be spent analysing key data.

• Identify potential concentration risks: Through assessment and consideration of your critical suppliers, consider the risks cohorts of suppliers may present to your organisation. Increasing availability of AI capability in this field can identify where you have areas of concentration risk.

• Uncover dependencies of your key suppliers: Map out the dependencies your primary suppliers have with other entities within the supply chain. This involves identifying their key suppliers to ensure that you are aware of potential vulnerabilities and can implement safeguards against disruptions. Data feeds and discovery features from industry-leading technology platforms can support the identification of key dependencies.

• Gather meaningful data points: Collect and analyse data from all levels of the supply chain to build a comprehensive risk profile, to allow for informed decision-making and prioritisation.

What is the value of managing Nth party risk?

• Improved supply chain efficiency: Understanding and managing the risks with Nth parties can improve efficiency and reliability through better delivery times, reduced disruptions and optimised operations.

• Long-term cost savings: Proactively managing risks associated with Nth parties can prevent costly, disruptive incidents. By identifying and mitigating risks early, organisations can avoid significant financial losses.

• Potential competitive advantages: Strong risk management practices can be a differentiator by enhancing customer trust and loyalty – making you a more attractive partner or supplier.

Final thoughts

Ultimately, managing Nth party risk in today’s complex supply chain environment requires a strategic approach that combines governance, technology and collaboration.

Organisations must extend oversight beyond direct suppliers to ensure a comprehensive understanding of their risk landscape and implement effective risk management practices. In doing so, they can safeguard their operations, enhance resilience and maintain compliance in an ever-evolving regulatory environment.