How SOC reporting can help assess cybersecurity risk management in third-party relationships — and beyond

Gaining visibility into these relationships and their potential weaknesses can be challenging, particularly for large, complex organizations. Consider a company that is aggressively acquiring new entities. If the sales team has a mandate to move fast, operations, controllers, third-party risk management and IT may struggle to keep up with the vendor risk management from the stream of new vendors and subcontractors. Far too often, assessments of third- and Nth-party risk may be ad hoc, incomplete or non-existent.

Responding to PwC’s 2022 Global Digital Trust Survey, 75% of executives reported their organizations are overly complex, leading to “concerning” cyber and privacy risks. Our survey also found that many organizations have a blind spot arising from third parties and the supply chain. Only 31% said their understanding of Nth-party risk was based on formal enterprise-wide assessments. The remainder had a limited, ad hoc understanding or none at all. The organizations with industry-leading cybersecurity outcomes, however, often have a strong understanding of cyber and privacy risks from third parties.

The potential value of getting these types of reports to help with vendor risk management can’t be overstated. Let’s look at a hypothetical example:

Company A uses a cloud-based model provided by Company B. An application for that model is hosted by Company C in a country that becomes subject to a geopolitical conflict. Company A has not reviewed the SOC report from Company B (which discloses the relationship with Company C — see diagram below). Company A’s management is therefore unaware of Company C, its location in a war zone, or that it is a prime target for nation-state hackers. When Company C’s environment is compromised, taking Company B’s environment down with it, Company A is unprepared.

Assessing and addressing Nth-party risk

As our hypothetical emphasizes, potential points of vulnerability extend far beyond your organization's direct control. How can you effectively assess and protect against potential risks throughout the different levels of service provider relationships? Important steps include:

• Third-party risk management. Analyzing procurement data for different aspects of your company’s business can give you a more holistic view of the risk landscape. Working with your legal department, you can also determine the scope of third-party contractual relationships.
• Vendor risk assessment. Your third parties can be exposed to significant risk from their own vendors. You may even have multiple third parties that share the same fourth-party vendor — potentially elevating your risk exposure. Understanding the existence of these relationships, and risk profile, is important.
• Determine the criticality of potential cybersecurity risks. Criticality goes beyond setting a spend threshold, which may lead you to miss a significant risk. Consider the severity of the consequences of a third- or Nth-party incident for your business. Management should consider the nature of the services provided; the impact on operations should an incident occur; and the data held and managed, which in turn could impact the assessment of other risk factors, such as operational and reputational risk.
• Establish governance and monitoring protocols. Increased regulatory scrutiny of cyber risk, including new proposed SEC rules for incident disclosure and laws relating to incident reporting, require careful and serious attention by CISOs and boards. Given the complexity and interconnectivity of vendor relationships, internal protocols should include procedures for the monitoring and evaluation of third- and Nth-party providers.
• Request SOC reports from third-party and Nth-party vendors. Consider whether you should look beyond SOC 1 reporting to SOC 2 reporting, which cover many key areas supporting cyber risk programs — including backups, resiliency, patch management and other security controls. This reporting will provide companies with a greater understanding of their extended control environment and allow a more thorough assessment of third- and Nth-party providers.