Nearly all organizations depend on a network of external vendors, suppliers, and service providers to enhance and manage their business operations. Partnering with trusted third parties can enhance your organization's performance in areas such as procurement, logistics, technology, and specialized services. By utilizing their expertise and resources, organizations can often improve operations, reduce costs, and concentrate on core competencies.
However, these third-party relationships carry various risks, such as information security vulnerabilities, operational disruptions, compliance issues, financial concerns, and reputational risks. Many regulatory requirements and best practices dictate that organizations must identify and mitigate third-party risks. Organizations must also be aware of and address fourth-party risks. If you're not familiar with the concept of a fourth-party vendor or service provider, this blog will help you understand what a fourth party is and how to address fourth-party risks in your third-party risk management process.
What Is a Fourth-Party Vendor?
A fourth-party vendor is your vendor’s vendor, subcontractor, or subservice provider. Just like your organization, your vendors have their own network of third parties they utilize to run their business and to help them deliver products and services to your organization. It’s important to understand that your vendor's third parties carry the same risks as your organization’s third-party relationships, but there's one key difference: your organization doesn’t have a direct relationship with these fourth-party vendors.
No direct relationship with fourth parties means you have no contractual or legally binding obligations and less visibility and influence over those relationships. Still, fourth-party vendors are an emerging area of significant focus, particularly if that fourth party has a critical role in the delivery of your organization’s products or services to your customer. Fourth parties can expand your cybersecurity attack surface, present regulatory compliance issues, compromise sensitive data, and result in financial losses if there’s a fourth-party incident.
Examples of a Fourth-Party Vendor
As an example, let’s say your organization utilizes a full-service marketing company. As part of their services, they manage the design and delivery of your marketing campaigns. The marketing company (your third party) contracts with an email campaign provider (your fourth party) to develop, design, and deliver marketing emails for your organization.
Another example is a critical software as a service (SaaS) provider. The SaaS provider may rely on a vendor to host its data in a data center at another facility, and that data center is essential to the SaaS provider's service. The SaaS provider's data storage vendor is your fourth party.
What Do You Do With Fourth-Party Vendors?
It can be challenging to manage fourth-party vendors. First, you don’t determine the risk or criticality of your fourth-party vendors, and it’s unlikely you can perform effective due diligence on those relationships. You don’t have day-to-day visibility of the fourth party’s risk or performance, and without a direct contract the fourth party has no legal obligation to your organization.
Fortunately, you don’t need to worry about all of your third parties’ vendors, but you should know about ones that are critical to your third party’s business or have access to your customer data. To ensure fourth parties are appropriately managed and risks are sufficiently mitigated, you’ll need to leverage your contract and relationship with your direct third parties instead.
Steps to Managing Fourth-Party Risk
For effective fourth-party risk management, your organization should follow the steps below:
- Build a fourth-party inventory – Routinely ask your third party for a list of their critical vendors or any vendors that may have access to your organization’s or customers’ data. This should be done for both new and existing vendors as part of risk assessments and due diligence. An SSAE 18 report can make this simpler: a SOC report prepared under SSAE 18 requires your third-party vendor to identify its subservice organizations and the controls it relies on them for. This essentially identifies the fourth-party vendors relevant to the specific product or service you’re buying from your third-party vendor. Remember to focus on critical fourth-party vendors, as those are the ones presenting the most risk and requiring increased visibility and risk management.
- Understand your third party’s due diligence process – Although you can’t perform due diligence directly on your fourth-party vendor, you can ask your third party questions about the fourth party’s risk management practices and controls. Critical fourth parties should be held to the same standard as your third parties. Here are some questions you should ask your third parties for fourth-party risk management:
  - Have you reviewed your critical third party’s (our fourth party’s) business continuity and disaster recovery (BC/DR) plans? Does the BC/DR plan meet your organization’s needs?
  - Is the fourth party’s SOC report current? What are the fourth party’s control objectives and activities?
  - Have you reviewed the past three years of the fourth party’s balance sheet, income statement, cash flow statement, and ratios?
  - Have you confirmed that the vendor is compliant with all applicable laws and regulations?
  - Were any issues identified during the due diligence process? If yes, have they been remediated, or are they under an active remediation plan?
  - How often do you perform periodic due diligence on your critical vendors?
  - Can you provide samples of vendor risk reviews and evidence of current due diligence documentation?
- Review your vendor’s third-party risk management practices – Beyond asking questions, your organization should also review your vendor’s third-party risk management practices. There are several key practices the third party should follow:
  - A third-party risk management policy that adheres to best practices and regulations.
  - Subject matter experts (SMEs) who perform vendor risk and control reviews and who have the knowledge, skills, and risk-domain-specific credentials and certifications to provide a qualified opinion.
  - An issue management process that identifies, tracks, manages, and monitors vendor issues.
  - A critical vendor identification process, along with a list of critical vendors.
  - Robust risk assessments and due diligence that identify vendor risks and controls.
  - Evidence of third-party risk management processes.
- Leverage vendor contracts – A third-party vendor contract can help your organization manage fourth-party risks. Provisions might include requiring vendors to perform due diligence and ongoing monitoring, the right to audit both the vendor and its fourth parties, non-disclosure agreements for fourth parties, and breach notification requirements. In some cases, you may require the third party to notify your organization, in writing, when they add or change critical vendors.
- Collaborate with your vendors – Effective fourth-party risk management ultimately requires a strong partnership with your third-party vendors. Highlight the mutual benefits of managing fourth-party risks and communicate any concerns with the third party.
It’s essential to recognize that even without direct ties to your fourth parties, your organization carries the responsibility of mitigating the risks linked to these relationships—not just for itself, but for the protection of its customers as well. To manage these risks effectively, prioritize the fourth-party relationships that are crucial for delivering third-party products and services to your organization.
Take a proactive stance: identify pivotal fourth parties and strive for a deep understanding of how your third parties manage them. Your organization can then leverage contracts strategically and urge third parties to address risks in a manner that aligns with your organization’s standards. By adopting this approach, you not only fortify your own organization’s defenses but also safeguard the interests of your customers, ensuring fourth-party risks are well managed.