Third-party vendors aren’t the only service providers your organization needs to examine and audit. You should also be keeping tabs on their vendors as well.
It can be tough to know where to draw the line on your vendor’s vendors, also known as fourth-party vendors. Are you required to manage all fourth-party vendors? Well, let’s look at the following possible scenario:
If your company enlists the services of 50 vendors in your supply chain and 20 of them are utilizing a particular provider for a critical service, what happens if that critical service provider is hacked or experiences downtime?
Even small service providers can cause a major disruption to your organization’s day to day dealings. For instance, in 2016, DNS provider, Dyn, experienced a denial of service (DDoS) attack, which resulted in numerous customers, including PayPal and Amazon, going offline during the attack. If your company had used Dyn’s DNS services, you could have been impacted by the outage.
Here’s everything you need to know about fourth-party vendor risk management in order to keep your company safe.
Who are fourth-party vendors?
A fourth party vendor is a service provider with whom you do not have a direct contract. However, your vendor does have a business relationship with them for their services or products. As with your enterprise, your vendors are deeply dependent on some of their vendors, and these are the ones you need to keep an eye on. These vendors will show up in your vendor’s SOC reports and should be identified by your service provider as those classified as crucial in their own vendor management matrix.
SSAE 18 reports
With the introduction of SSAE 18 reports to the market in 2017, your third-party vendors are responsible for telling you about their critical vendors, or your fourth parties. This makes it simpler for you to know exactly which ones you should be vigilantly monitoring.
What you need to know about your fourth party vendors
You should understand the following three items about your fourth party vendors, including:
- Who they are.
- What services or products they provide to your vendor that causes them to be significant to operations.
- What your service provider has done for cybersecurity due diligence on their part for these vendors.
When you thoroughly understand these three aspects of your fourth party vendors, you can better anticipate possible threats that could be residing a level deeper. A breach to a fourth party vendor could be as impactful as a breach of your third-party service provider.
How fourth-party vendors can pose a threat to your business
Here are several ways a fourth party vendor could be a risk to your organization:
- Your company’s sensitive data is being stored or transmitted by a fourth party vendor and could be exposed if their system is breached.
- If the fourth party vendor experienced an issue, dependent services, such as payment processing, could fail on your end to your clients.
- The downtime of a fourth party vendor may be visible to your own clients.
What actions can you take to assess fourth-party vendor risks?
Here are some steps you can take to thoroughly evaluate fourth-party risks:
- If applicable, have your third-party vendor contractually commit to notifying you before forming a relationship with a fourth party vendor.
- Review your third-party vendor’s SSAE 18 report to identify fourth-party vendors.
- You probably will not have a direct contractual relationship with a fourth party vendor. This will be with your third-party vendor. You will need to request that they help you with obtaining any documents needed to perform your due diligence on the fourth party vendor.
What if a fourth party poses a threat to your business?
Most fourth-party vendors will carry some level of threat to your enterprise. If you find out that the fourth party does present a significant risk to your business, you should:
- Contact your third-party vendor and reveal your findings. You also want to fully comprehend the nature of the relationship between the third- and fourth-party vendors.
- Once you have a full picture of all of the potential risks, you will need to take the proper steps in order to mitigate them. These could include reviewing the original contract and amending some sections or creating a new contract altogether.
How SecurityScorecard can help with fourth-party vendor risks management
SecurityScorecard’s security ratings platform allows your business to create vendor profiles that provide clear visibility across 10 groups of threat factors, including network security, endpoint security, web application security, social engineering, and hacker chatter.
Despite the fact that you don’t have a working relationship with fourth-party vendors, they still can pose a real threat to your ecosystem. Continuous monitoring and due diligence are critical to keeping your business safe and sound.

