Fourth-party to nth-party risk is evolving, and there really is not much guidance on it from regulators, but they do expect oversight. It really does come down to your risk appetite and tolerance within your third-party oversight program. Whenever we board a new vendor, we definitely follow the data to determine whether we need to monitor a fourth party as a third party. Historically, we would evaluate our third parties' TPRM program, gain assurance that their practice aligns with ours, and call it a day, but now that has evolved. If we deem a 4th-party risk high enough, we will board them into our program and review them as we would our third party. This would mean additional review beyond just obtaining a SOC report.
Contractually, you have to ensure you have audit rights and sharing of confidential data in your agreements, whether it is directly with the fourth party or via the third party. We have had both scenarios, where we have worked with the fourth party directly or we have asked our third party to obtain the relevant information needed to gain assurance that data is protected.
Sometimes a list of sub-service providers from your third party also helps, because often they could also be part of your third-party portfolio, and therefore you already have oversight of those fourth parties.
Original Message:
Sent: 02-14-2023 04:32 PM
From: Michael Papcunik
Subject: 4th Party SOC Report
Our external auditors are requesting that we obtain our 4th parties' SOC reports. This has posed a challenge with confidentiality, since the 4th party does not have a relationship with us. In evaluating 4th parties, I have typically reviewed our third party's SOC report to assess the controls over sub-servicers, and when applicable requested the results, or a summary of the results, of our third party's assessment of the vendor. My overall goal is to make sure our third party is completing the necessary due diligence to risk-assess the vendor, and has a process in place should the 4th party's service fail.
Just looking to get thoughts on this situation; other 4th-party experiences that you may have encountered; as well as what steps others might be taking to monitor/assess 4th parties.
Thank you.