Third parties have posed significant risks to companies for years, but perhaps more so now than ever before. Cyber threats, Russia sanctions, and a new wave of child labor in the United States are just a few risks making headlines and driving the need for companies to reassess their third-party due diligence programs.
Here we examine a few of the more significant third-party risks seen today and how they are being addressed by companies, regulators, and the White House in 2023.
Cyber risk
According to the Allianz Risk Barometer 2023, 34% of 2,712 risk management experts from 94 countries and territories ranked cyber risks – data breaches, ransomware attacks, IT outages and malware attacks – as the top concern globally for the second year in a row. The concerns are well-founded, as cyberattacks have caused significant financial and reputational damage for companies of all sizes and across all industries.
In the United States, specifically, cybersecurity threats posed to critical infrastructure are taking center stage. On March 1, the White House in its National Cybersecurity Strategy, announced it will use existing authorities to establish cybersecurity requirements in the critical infrastructure sector, focusing particularly on third-party services providers. “Administration will identify gaps in authorities to drive better cyber practices in the cloud-computing industry and for other essential third-party services and work with industry, Congress, and regulators to close them,” the White House said.
The White House said the regulations should be “performance-based, leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance – including the Cybersecurity and Infrastructure Security Agency (CISA’s) Cross-Sector Cybersecurity Performance Goals and the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity – and be agile enough to adapt as adversaries increase their capabilities and change their tactics.”
From a regulatory standpoint, the Securities and Exchange Commission is also currently weighing a proposed rule “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.” The rule would require, among other things:
- Current reporting about material cybersecurity incidents and periodic reporting providing updates about previously reported cybersecurity incidents
- Periodic reporting about policies and procedures to identify and manage cybersecurity risks
- Cybersecurity risk oversight by the board of directors and annual reporting, or certain proxy disclosures about directors’ cybersecurity expertise, if any
- Management’s role and expertise in assessing and managing cybersecurity risk and implementing cybersecurity policies and procedures
That cybersecurity remains a priority for regulators means it should remain a priority for companies as well. Prudent companies will want to take a look at CISA’s guidance, its complementary checklist, and the NIST guidance, as they provide helpful frameworks against which all companies can assess the maturity of their own cybersecurity third-party risk management programs.
Child labor
Another third-party risk making headlines in the United States is child labor in the supply chain. In February, a New York Times investigation uncovered cases of more than 100 migrant children across the country in numerous industries – food packaging, hospitality, consumer goods, agriculture, construction, and more – working illegally in violation of child labor laws.
This wasn’t the only media investigation to uncover child labor in the U.S. supply chain. In December 2022, a Reuters investigation uncovered four major parts suppliers of leading automotive companies where children as young as 12 were working in U.S. manufacturing plants.
In a February 2023 letter to its shareholders, one company said it was “implementing new, more stringent workforce standards throughout its supply chain,” after an audit of its suppliers uncovered underage workers. The company pointed to third-party staffing agencies providing false documentation to suppliers.
Their response provides a case study for chief compliance officers on ways to proactively monitor third-party risk in the supply chain. Among the remedial measures they took:
- Launching multiple investigations and a broader review of its U.S. supplier network
- Conducting interviews and site visits with tier-one suppliers
- Requiring certain suppliers to submit to independent third-party audits of their operations to ensure complete compliance with underage labor laws and to implement any recommended actions
Additionally, the auto company said it has introduced a compliance training program in collaboration with the U.S. Department of Labor for suppliers on employment subjects, including a zero-tolerance policy for underage labor; validating applicant identification documents; reinforcing the company’s supplier Code of Conduct; installing anonymous tip hotlines; and discouraging the use of third-party staffing agencies.
Russia sanctions
U.S. sanctions against Russia is another area that demands enhanced third-party due diligence. On March 2, the Department of Commerce’s Bureau of Industry and Security, the Department of Justice, and the Department of the Treasury’s Office of Foreign Assets Control issued a joint compliance note providing guidance on how third-party intermediaries are commonly being used to evade Russia-related sanctions and export controls.
“One of the most common tactics is the use of third-party intermediaries or transshipment points to circumvent restrictions, disguise the involvement of Specially Designated Nationals and Blocked Persons (SDNs) or parties on the Entity List in transactions, and obscure the true identities of Russian end users,” the agencies warned.
Chief compliance officers and in-house counsel should use the alert as guidance, as it “highlights several of these tactics to assist the private sector in identifying warning signs and implementing appropriate compliance measures,” the agencies stated.
The guidance noted, “Effective compliance programs employ a risk-based approach to sanctions and export controls compliance by developing, implementing, and routinely updating a compliance program, depending on an organization’s size and sophistication, products and services, customers and counterparties, and geographic locations.”
“Manufacturers, distributors, resellers, and freight forwarders are often in the best position to determine whether a particular dealing, transaction, or activity is consistent with industry norms and practices, and they should exercise heightened caution and conduct additional due diligence if they detect warning signs of potential sanctions or export violations,” the guidance continued.
Most importantly, the alert cites 13 common red flags that potentially indicate a third-party intermediary may be evading sanctions or export controls, including:
- Use of shell companies and legal arrangements to obscure (i) ownership, (ii) source of funds, or (iii) countries involved, particularly sanctioned jurisdictions
- A customer’s reluctance to share information about a product’s end use, including reluctance to complete an end-user form
- Use of shell companies to conduct international wire transfers, often involving financial institutions in jurisdictions distinct from company registration
- IP addresses that do not correspond to a customer’s reported location data
- Last-minute changes to shipping instructions that appear contrary to customer history or business practices
- Payment coming from a third-party country or business not listed on the End-User Statement or other applicable end-user form
- Use of personal email accounts instead of company email addresses
- Operation of complex and/or international businesses using residential addresses or addresses common to multiple closely-held corporate entities
- Transactions involving a change in shipments or payments that were previously scheduled for Russia or Belarus
- Routing purchases through certain transshipment points commonly used to illegally redirect restricted items to Russia or Belarus – such as China (including Hong Kong and Macau) and jurisdictions close to Russia, including Armenia, Turkey, and Uzbekistan
Chief compliance officers and in-house counsel should turn to the alert to see the full list of red flags. “Best practices in the face of such risks can include screening current and new customers, intermediaries, and counterparties through the Consolidated Screening List and OFAC Sanctions Lists, as well as conducting risk-based due diligence on customers, intermediaries, and counterparties,” the agencies stated. “Companies should also regularly consult guidance and advisories from Treasury and Commerce to inform and strengthen their compliance programs.”
Conclusion
Environmental, social, and governance (ESG) issues, like cybersecurity and supply-chain risks, are especially vulnerable areas to the missteps of third parties. Outside the ESG landscape, sanctions threats will rage on as well, and not just limited to Russia.
Having in place robust third-party risk management practices is more important than ever. Examples of measures that mature companies have in place include automated tools for identifying all their third parties across the global supply chain – including direct and indirect suppliers, contractors, technology and service providers, manufacturers, distributors, and more.
They also perform due diligence through periodic questionnaires and onsite audits, for example, and provide enhanced due diligence on third parties that pose high risk, which are often categorized using an automated risk-ranking system.
Finally, continuous monitoring of third parties is essential, using third-party screening and monitoring software, like NAVEX’s RiskRate, which enables companies to adopt a risk-based approach to third-party due diligence that is automatically built on guiding principles of global enforcement agencies and regulators.
