If you're starting to explore the issue of Nth-party risk, our first piece of advice is to have some serious talks with your insurers and your lawyers. Frank discussions with insurers over existing policy exclusions can offer clarity as to how much risk remains on the table when you're swept up in a ripple event. With that information in hand, security professionals need to put their heads together with legal counsel to gain a more concrete understanding of the extent of their liabilities and to make some initial risk calculations.
Moving beyond these internal discussions, now is the time to get creative about how you discuss Nth-party risk with third-party vendors. If you're like many first parties, the biggest issue you'll contend with is that the majority of your third parties are smaller vendors that often don't even have their own security affairs in order, and that most definitely don't have third-party risk programs of their own. They'll typically lack the resources or the business justification to spin one up. So what is an interested first party to do to extend its reach beyond these kinds of vendors?
The answer is probably to equip third parties with education, tooling, and genuine partnership to help them get started with their own third-party management with as little hassle as possible. Unfortunately, the state of third-party risk management makes that a difficult task. As things stand, there's still very much a hostile relationship between first parties and third parties when it comes to tracking and communicating cyber risks. After 10 years of ineffective and invasive questionnaires, third parties see this as something you ask them to do and that they just go through the motions to comply with, rather than as an opportunity to elevate their security. They see it more like a mom telling you to eat your vegetables. Once you add the Nth-party component, you'll be fighting a compounded lack of interest.
So, as an industry, we need to do a better job of adding value for our third parties and giving them a reason to care about their own third-party risk. That's going to come down to working to improve third-party management practices. It's also going to require technological creativity. Partnering with third-party risk management vendors, first parties could start offering their vendors limited-functionality, portalized views into risk scans of their own third parties in exchange for information sharing with that first party. As third parties populate the portal with their vendors, those companies can automatically be shared with the first party for its risk review. This kind of enablement could help a first party start to enumerate Nth-party risk while offering its third parties a helping hand toward improving their own cyber risk posture.
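To make the enumeration step concrete, here is an added example (not code from the original post or from any particular risk-management vendor) that models the portal idea above as a graph: each party submits the vendors it declares, and the first party walks outward from itself to assign each discovered company a ring (1 = third party, 2 = fourth party, and so on) and to find Nth parties that several of its direct third parties all depend on, the single points where one incident ripples back through multiple vendors at once. All company names and the relationships between them are constructed for the example; the function names are this example's own.

```python
from collections import deque, defaultdict

# Constructed sample of what each party would submit to the portal.
# Key: the submitting party. Value: the vendors it declares.
# Every name here is made up for this example.
DECLARED_VENDORS = {
    "FirstParty": ["PayrollCo", "CrmVendor", "PrintShop"],
    "PayrollCo": ["CloudHost", "EmailRelay"],
    "CrmVendor": ["CloudHost", "AnalyticsSaaS"],
    "PrintShop": [],
    "AnalyticsSaaS": ["CloudHost", "CrmVendor"],   # cycle back to CrmVendor
    "EmailRelay": ["DnsProvider"],
}


def enumerate_rings(first_party, declared):
    """Breadth-first walk outward from the first party.

    Returns {vendor: ring} where ring 1 is a direct third party, ring 2 a
    fourth party, etc. A vendor reachable by several routes keeps its
    smallest ring; the visited set keeps cycles (A uses B, B uses A) finite.
    """
    rings = {}
    seen = {first_party}
    queue = deque([(first_party, 0)])
    while queue:
        party, ring = queue.popleft()
        for vendor in declared.get(party, []):
            if vendor in seen:
                continue
            seen.add(vendor)
            rings[vendor] = ring + 1
            queue.append((vendor, ring + 1))
    return rings


def concentration(first_party, declared):
    """For each Nth party (ring >= 2), which direct third parties reach it.

    Returns {nth_party: [third_party, ...]}. A long list marks a company
    whose outage or breach would hit several of your vendors at once.
    """
    direct = set(declared.get(first_party, []))
    exposure = defaultdict(set)
    for third_party in direct:
        # Depth-first walk of everything downstream of this one third party.
        reached = {third_party}
        stack = [third_party]
        while stack:
            party = stack.pop()
            for vendor in declared.get(party, []):
                if vendor not in reached and vendor != first_party:
                    reached.add(vendor)
                    stack.append(vendor)
        for vendor in reached - {third_party}:
            if vendor not in direct:        # only count true Nth parties
                exposure[vendor].add(third_party)
    return {vendor: sorted(tps) for vendor, tps in exposure.items()}


def hotspots(first_party, declared, min_third_parties=2):
    """Nth parties that at least `min_third_parties` direct vendors depend on."""
    exposure = concentration(first_party, declared)
    return sorted(v for v, tps in exposure.items() if len(tps) >= min_third_parties)


if __name__ == "__main__":
    for vendor, ring in sorted(enumerate_rings("FirstParty", DECLARED_VENDORS).items(),
                               key=lambda kv: (kv[1], kv[0])):
        print(f"ring {ring}: {vendor}")
    for vendor, third_parties in concentration("FirstParty", DECLARED_VENDORS).items():
        print(f"{vendor} is reached via {', '.join(third_parties)}")
    print("shared dependencies:", hotspots("FirstParty", DECLARED_VENDORS))
```

With the constructed data, CloudHost sits in ring 2 but is reached through both PayrollCo and CrmVendor, so it is the one hotspot; DnsProvider sits three rings out and is reached only through PayrollCo. In practice the declared relationships would come from the portal submissions rather than a literal in the file, and the ring number is what the "concentric rings" framing in the text is pointing at.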
This is just one idea for addressing the issue of Nth-party risk, and the industry isn't quite there yet in its ability to take this kind of action. If we put our heads together, more ideas are likely to come up. The point is that now is the time to get started thinking more concretely about Nth-party risk, because the more visibility we get into third-party risk, the more we see how doing business with a vendor or partner connects organizations in concentric rings to additional outside parties carrying their own risk burdens.