
Every company outsources parts of its operations to multiple suppliers. Those suppliers, in turn, outsource their operations to other suppliers. This is fourth-party risk: the risk to your company posed by your suppliers' suppliers.

Digital transformation has extended to the supply chain, meaning organizations, especially those in banking and financial services, are now dealing with more third parties than ever. In fact, Gartner research shows that 60 percent of organizations work with more than 1,000 third parties. 

While an organization may have effective cybersecurity practices in place, its vendors may not. A Third-Party Risk Management program helps to mitigate the digital risks associated with this ever-growing attack vector.

However, it is important to remember that your organization's fourth parties also contribute to the attack surface and should also be incorporated into your cybersecurity risk management practices.


What is a Fourth Party?

Fourth parties are your organization's vendors' vendors. Most organizations do not have any direct contact with entities beyond their third-party vendors.

Your information security team still remains just as responsible for fourth-party risk management as they are for third-party risk management (TPRM). 

You can identify your organization's fourth parties from your own vendor's System and Organization Control (SOC) reports. It is important that your third parties have a robust vendor risk management program in place to ensure fourth parties are vetted appropriately. 


SOC Reports

SOC reports include information on how your vendors protect sensitive data and personal information from unauthorized access. There are two types of SOC reports:

  • Type 1 SOC Report: Details that an organization has appropriate cybersecurity risk management controls in place on the date of issue. 
  • Type 2 SOC Report: Focuses on the effectiveness of the controls outlined in the Type 1 report. Type 2 SOC reports usually cover a timeframe of six months to a year to assess if the controls are operating effectively in practice.

The SSAE 18 Standard

The introduction of Statement on Standards for Attestation Engagements (SSAE) 18 has made fourth-party identification and prioritization more transparent. 

SSAE 18 is an audit standard that aims to improve the functionality and quality of SOC reports. The standard came into effect on May 1, 2017, superseding both SSAE 16 and SAS 70. 

It states that third parties are now obliged to inform your organization of their critical vendors - your fourth parties - in their SOC reporting.

SSAE 18 aims to ensure that organizations are:

Why is Fourth-Party Risk Important?

Your organization inherits all the risk in its ecosystem or supply chain. While third parties are more directly connected to your organization than fourth parties, it is still just as important to monitor your vendors' suppliers, subcontractors, and service providers.

If a fourth party suffers a data breach, the associated third party may offer an additional layer of security, but this is not sufficient protection. 

Regardless of where the breach occurs, your organization is wholly responsible for implementing comprehensive attack surface management. This responsibility means that your organization is still liable for any regulatory, financial, or reputational consequences a fourth party may bring to your organization.   

It's also important to note that, given that an organization can easily have upwards of 1,000 third-party relationships, this number multiplies exponentially when fourth parties are also taken into account. Security teams must acknowledge the significant increase fourth parties bring to an organization's total attack vectors.

How Fourth-Party Vendors Pose a Threat to Your Business

Fourth parties do not have a direct contract with your organization, or you may not even be aware of who your fourth-party vendors are. This lack of documentation means your organization also does not know the cybersecurity risk management practices your fourth parties have in place. 

This poses a threat to your organization in the event one of your critical vendors' vendors experiences a security incident, as you will not be aware of the fourth party's business continuity plan — if any. 

For example, if your vendor is forced to cease operations due to a data breach, cyber attack, or other security incident affecting one of their critical vendors, this will directly impact your organization's operations. 

Even worse, if a fourth-party vendor has access to any of your organization's sensitive data, then you will also be at risk of being compromised in the event of a security incident. In such an instance, your organization could also fail to comply with regulations like GDPR, HIPAA, and PCI-DSS.

Aside from cybersecurity risk, other potential risks posed by fourth-party vendors can include:

  • Operational risk
  • Legal, regulatory, and compliance risk
  • Reputational risk
  • Financial risk
  • Strategic risk

Gaining visibility over your fourth parties is the first step to mitigating these risks. The discipline of managing fourth-party security risks is known as Fourth-Party Risk Management (FPRM).


What Do You Need to Know About Your Fourth-Party Vendors?

Your organization should prioritize identifying who its critical vendors' vendors are. These fourth parties are the most likely to pose operational and cybersecurity risks to your organization, especially if they are also critical to your vendors. 

Understanding the services these fourth-party vendors provide and other information about their business relationship with your vendors will help your organization to respond accordingly during a security incident. 

You also need to ensure your vendors have performed due diligence with their third-party services as per the standards of proper Vendor Risk Management.

Identify Fourth-Party Risks From Your Supply Chain

After identifying your organization's most critical fourth parties, it is also important to find out who your vendors' mutual vendors are. For example, many vendors will have Amazon and Microsoft services as common fourth parties. 

These vendors may not pose a great risk to your organization on their own. However, the combination of all vendors experiencing business disruption due to a mutual fourth party's security incident is certainly a reason for concern. 


Should Vendor Assessments Include Fourth Parties?

Your organization likely has thousands of fourth-party relationships, which would be impossible to assess independently. 

Your third parties should be responsible for performing risk assessments and must have an effective third-party risk management framework in place.

A defined TPRM program ensures your vendors are performing their due diligence and tracking your fourth parties through appropriate cybersecurity metrics.

Detecting Fourth-Party Security Risks

Before fourth-party risks can be tracked, they need to be detected, and this effort begins with discovering all of your fourth-party vendors. An attack surface monitoring solution like UpGuard can automatically detect all your fourth-party vendors. These results should then be confirmed and broadened with risk assessment.

Because your third-party vendors have contractual relationships with their vendors, they’re in an ideal position to collect data about your fourth-party vendors and their associated inherent risks. This is best achieved through risk assessments (or security questionnaires) that have been modified to include questions about the potential risks of fourth-party data processes. With a customizable questionnaire builder, these questions can very quickly be incorporated.


Fourth-party risks can be detected with questionnaires such as the SSAE 18, SOC reports, and even the GDPR.

Note: Not all fourth-party risks are created equal. During the risk discovery process, fourth-party vendors should be ranked by decreasing criticality, where the most critical vendors correspond to fourth parties processing highly-sensitive data and parties that will significantly impact your business continuity if they are compromised. The same principle of third-party vendor tiering applies to fourth-party criticality ordering.


To streamline this effort moving forward, questions about fourth-party cybersecurity risks should be incorporated into the vendor due diligence processes.

Monitoring Fourth-Party Risks

With all of your critical fourth-party vendors identified and due diligence processes updated to feed fourth-party vendor discovery efforts, you're now in a position to track all critical fourth-party vendor risks. This effort is the same as risk tracking/management across third-party relationships in a TPRM program. Fourth-party risk management is essentially a broadening of your TPRM program to include an additional dimension - your vendor's TPRM program. Each vendor keeps you informed of the state of your fourth-party attack surface by tracking the risks of their own vendors.

A business connecting to its fourth-party attack surface via its TPRM and each third-party's TPRM

For this symbiotic relationship to be most effective, your vendors should follow the standards of proper Vendor Risk Management for tracking security threats in business relationships. This will ensure complete coverage of risk discovery from each vendor's perspective. If your vendors don't have a VRM program in place, UpGuard Vendor Risk is an excellent VRM solution that they could use.

To ensure the most comprehensive process of fourth-party risk discovery from the perspective of your IT ecosystem, risk assessments should be augmented with automated scanning tools (such as security ratings). This will ensure your risk management teams have complete visibility into the state of your third- and fourth-party attack surface at all times, even outside of your risk assessment schedule.

Risk assessments with attack surface monitoring create real-time risk awareness

If you and all of your vendors are using UpGuard Vendor Risk, this continuous attack surface monitoring strategy will extend from inside your ecosystem to your fourth-party vendor attack surface, creating a wide coverage of efficient security risk tracking.

By beginning risk management efforts at the fourth-party attack surface, you’ll establish a significant buffer between your sensitive data and any potential data breach events involving your third and fourth-party vendors. This will significantly reduce any impacts on your sensitive data should any third- and fourth-party vendors fall victim to a data breach.


What is Fourth-Party Risk Management?

Fourth-party risk management is the process of identifying, assessing, and mitigating the cybersecurity risks posed by the vendors of your third-party vendors (your vendor’s vendors). With digital transformation compressing the boundaries between IT ecosystems, any of your vendors could be transformed from trusted suppliers to critical data breach attack vectors if they’re compromised.

While the importance of managing third-party security risks is now widely understood in the cybersecurity industry, few organizations consider the impact of fourth-party risks.

Why is Fourth-Party Risk Management Important?

Fourth-party risk management is important because a compromised fourth-party vendor could result in your organization suffering a data breach.

To understand the pathway that makes these events possible, consider a scenario where your company partners with an online transaction processor. This platform might, in turn, outsource all of its credit card processing to its own third party (your fourth party).

Fourth party processing credit card data.

If this credit card processor has insufficient security measures in place, cybercriminals could exploit them, resulting in the transaction processor’s sensitive data also being breached.

Because your business also shares sensitive internal information with the transaction processor to support its services, when they get compromised, your business also gets breached.

Threat actor breaching fourth party and accessing sensitive data linked to your business.

Digital transformation has an undesirable and unavoidable effect of combining attack surfaces with every established vendor relationship. Now, not only do the vulnerabilities of your third-party vendors impact your security posture, but your fourth-party risks also play a critical role in influencing your risk appetite.

Data breach protection initiatives are incomplete unless third-party and fourth-party risks are addressed in Vendor Risk Management programs.

Difference Between Third-Party Risk Management and Fourth-Party Risk Management

While third-party risk management focuses on the security risks posed by your direct vendors, fourth-party risk management extends this scrutiny to the vendors' partners. Because of a lack of a direct business relationship with your fourth-party vendors, external monitoring solutions, such as attack surface monitoring tools and Vendor Risk Management platforms, become essential in filling the visibility gaps caused by these offset relationships.

1. Identify all Critical Fourth-Party Vendors

With the average organization partnering with 11 third-party vendors, mapping your sensitive data flow across this network is a considerable effort. But when you zoom in further and consider the network of fourth parties branching off each third-party node, the process becomes a logistical nightmare.

Thankfully, a fourth-party risk management program doesn’t require all fourth parties to be monitored equally. The principle of prioritization that characterizes efficient third-party risk management programs also applies to an FPRM.

In third-party risk management programs (also referred to as Vendor Risk Management programs), vendors are tiered so that critical vendors - those that process a higher degree of sensitive data - are prioritized in risk mitigation efforts.

Vendor tiering on the UpGuard platform


The first step to establishing an FPRM is to identify all of your critical fourth parties. Criticality isn't necessarily only determined by the degree of sensitive data being processed - though this should be a primary determining metric. Criticality can also be influenced by the degree of the potential impact on your business operations, should a vendor's own vendor be forced offline - either because of a cyber attack or any other form of business disruption.

Identifying your critical vendors is still a considerable hurdle that needs to be overcome. The easiest way to do this is to ask those that know your fourth parties better than you do - your third-party vendors. Risk assessments or security questionnaires are the ideal tools to use. Because an industry-standard fourth-party risk questionnaire doesn’t exist, you will generate a more accurate reflection of each fourth-party relationship by custom-designing a security questionnaire for this purpose.

Custom questionnaire builders, such as the one offered on the UpGuard platform, allow risk management teams to either customize existing regulatory-standard questionnaires or build completely bespoke designs from a blank canvas.

Here are some questions to ask to help you gauge the criticality of each fourth-party vendor:

  • Is the vendor critical to your ability to provide my company with your promised products/services?
  • Will the vendor suffering an outage activate your business continuity plan?
  • Does the service provider have any access to any of my sensitive data? If so, what type of data is shared with them, and what is the reason for this access?
  • What security measures are in place to protect my sensitive data if the vendor is compromised?
  • Is the vendor’s service availability contingent on your ability to comply with any data security regulations, such as the GDPR?

The responses to these questions will allow you to tier your fourth-party vendors by degree of criticality, making it easy to identify the entities that need to be prioritized in monitoring efforts. As mentioned earlier, your choice of tiering strategy depends on your unique information security requirements. If you’re not sure which metric to use to inform this structure, an objective and widely adopted security posture metric you can use is security ratings.
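The two steps described above, finding the fourth parties that several of your vendors share (concentration risk) and tiering each fourth party by the criticality answers in the questionnaire, can be scripted once the subservice lists from your vendors' SOC reports are in hand. The following is an added example written for this article, not UpGuard's code; the vendor and fourth-party names, the questionnaire answers and the scoring weights are all constructed placeholders.

```python
from collections import defaultdict

# Constructed sample (not from the article): each third-party vendor's critical
# subservice organisations, as a vendor's SOC report would list them.
VENDOR_SUBSERVICES = {
    "payroll-vendor": ["cloud-host-a", "email-relay-b"],
    "crm-vendor": ["cloud-host-a", "card-processor-c", "support-desk-e"],
    "analytics-vendor": ["cloud-host-a", "logging-saas-d"],
    "checkout-vendor": ["card-processor-c", "fraud-scoring-f"],
}

# Constructed questionnaire answers, condensed from the criticality questions
# in the text. data_sensitivity: 0 none, 1 internal, 2 confidential,
# 3 regulated (card, health or personal data). outage_triggers_bcp: would the
# fourth party's outage activate the vendor's business continuity plan?
# A fourth party missing from this map has not been assessed yet.
FOURTH_PARTY_ANSWERS = {
    "cloud-host-a": {"data_sensitivity": 2, "outage_triggers_bcp": True},
    "email-relay-b": {"data_sensitivity": 1, "outage_triggers_bcp": False},
    "card-processor-c": {"data_sensitivity": 3, "outage_triggers_bcp": True},
    "logging-saas-d": {"data_sensitivity": 1, "outage_triggers_bcp": False},
    "support-desk-e": {"data_sensitivity": 2, "outage_triggers_bcp": False},
}

# Unassessed fourth parties are scored as if they handled regulated data and
# could trigger a continuity plan, so they land in Tier 1 until answered.
UNASSESSED = {"data_sensitivity": 3, "outage_triggers_bcp": True}


def discover_fourth_parties(vendor_subservices):
    """Invert vendor -> subservices into fourth party -> set of dependent vendors."""
    dependents = defaultdict(set)
    for vendor, subservices in vendor_subservices.items():
        for fourth_party in subservices:
            dependents[fourth_party].add(vendor)
    return dict(dependents)


def concentration_risks(dependents, threshold=2):
    """Fourth parties shared by at least `threshold` of your vendors: one
    incident there disrupts several third parties at once."""
    return {fp: sorted(v) for fp, v in dependents.items() if len(v) >= threshold}


def criticality_score(answers, dependent_count):
    """Data sensitivity dominates, continuity impact next, then how many of
    your vendors share the fourth party (bonus capped at 2)."""
    score = 2 * answers["data_sensitivity"]
    score += 3 if answers["outage_triggers_bcp"] else 0
    score += min(dependent_count - 1, 2)
    return score


def tier_for(score):
    if score >= 7:
        return "Tier 1"
    if score >= 4:
        return "Tier 2"
    return "Tier 3"


def tier_fourth_parties(vendor_subservices, questionnaire_answers):
    """Return {fourth party: {tier, score, dependents, assessed}}, highest score first."""
    dependents = discover_fourth_parties(vendor_subservices)
    result = {}
    for fp, vendors in dependents.items():
        answers = questionnaire_answers.get(fp)
        score = criticality_score(answers or UNASSESSED, len(vendors))
        result[fp] = {"tier": tier_for(score), "score": score,
                      "dependents": sorted(vendors), "assessed": answers is not None}
    return dict(sorted(result.items(), key=lambda kv: -kv[1]["score"]))


if __name__ == "__main__":
    for fp, info in tier_fourth_parties(VENDOR_SUBSERVICES, FOURTH_PARTY_ANSWERS).items():
        flag = "" if info["assessed"] else " (unassessed)"
        print(f"{info['tier']} {fp:18} score={info['score']:2} used by {info['dependents']}{flag}")
```

The unassessed fourth party is deliberately ranked at the top so that a gap in questionnaire coverage shows up as work to do rather than disappearing from the list.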

Security ratings by UpGuard.


Though customized security questionnaires will help you map most of your critical fourth-party vendors, there’s still a risk of some being overlooked due to inaccurate or incomplete responses. To fill these gaps, an attack surface monitoring solution should be used in conjunction with security questionnaires.

Vendor Risk Management platforms, like UpGuard, automatically discover all of the fourth-party vendors in your network, helping you track all of the fourth parties being queried during this phase. After establishing a baseline of your fourth-party relationships, additional fourth-party vendors can be added as you become aware of them to simplify the effort of fourth-party vendor mapping moving forward.

The risk of overlooked attack vectors is always present when point-in-time assessments, such as security questionnaires, are used alone. This is why the best Vendor Risk Management platforms standardize the augmentation of risk assessments with security rating solutions to produce real-time security posture tracking.

2. Incorporate Fourth-Party Risk Management in Your Due Diligence Processes

After identifying all of your current critical fourth-party service providers, new fourth-party vendor discovery should be added to due diligence processes to simplify this effort moving forward.

This process should involve custom assessments querying each new vendor’s third parties and subcontractors. Here are some questions to help you assess fourth-party vendor risks during the due diligence phase:

  • Do you have any contracts with third-party service providers and contractors?
  • Will these entities have any access to your data?
  • What is the degree of sensitivity of all data being accessed?
  • Will any of your third-party contracts process data overseas?
  • What is the degree of sensitivity of all outsourced data processing?
  • What due diligence have you performed with each of your third-party contracts?
  • What concentration risks have you discovered from your third-party relationship, and what is your process of discovering these risks?
  • How many of these risks were remediated?
  • How do you measure the success of each remediation?

Some security risk assessments that can be used to assess a fourth-party vendor's security posture include:

3. Continuously Monitor Critical Fourth-Party Vendors

With all of your critical fourth-party vendors grouped separately and new fourth-party vendor discovery embedded in your due diligence process, the groundwork for a fourth-party risk management program has been laid. Now, the focus is on ensuring your hard work doesn’t go undone by monitoring your critical fourth-party vendors for emerging security risks.

Continuous monitoring is the third stage of this risk management lifecycle, leading to a cyclical effort of improving fourth-party security risk resilience.

FPRM lifecycle consisting of four stages - risk assessments, remediation planning, continuous monitoring and threat discovery

Newly discovered risks from monitoring efforts are scrutinized in greater detail with risk assessments that inform the design of targeted remediation responses. The efficacy of these remediation efforts, and the emergence of new risks, are then monitored, and the cycle continues. With each turn of the cycle, the fourth-party risk management program becomes more optimized and better equipped to discover, remediate and manage fourth-party risks.


Because there’s no clear line of communication between your risk management teams and your fourth-party vendors, monitoring the fourth-party attack surface shouldn’t only fall on your shoulders. Your third-party vendors should be encouraged to take ownership of their vendor risks by implementing a VRM program with attack surface monitoring capabilities.

Before trusting that your vendors will effectively monitor their third-party suppliers, it’s essential first to confirm two things:

  1. That they have a Vendor Risk Management program in place.
  2. This VRM program is capable of effectively monitoring emerging third-party cybersecurity risks.

Both of these queries can be confirmed with vendor risk assessments.

If your vendors aren’t yet addressing the potential risks of their third parties, UpGuard is an excellent solution to recommend to them.

Encouraging your vendors to improve their supply chain security will reduce your risk of suffering third-party breaches.

Types of Fourth-Party Risks You Should be Monitoring

Some common fourth-party risks to monitor include:

  1. Data breaches and data leaks: Unauthorized access to sensitive data can have significant financial, legal, and reputational consequences for your organization. Data leaks are an important attack vector to monitor since they expedite the data breach process.
  2. Inadequate access controls: Poorly managed access controls can expose your organization's data to unauthorized users, increasing the likelihood of data breaches.
  3. Insufficient encryption and security measures: Weak or outdated security measures can make it easier for cybercriminals to access sensitive information.
  4. Non-compliance with regulations: Failure to comply with applicable regulations, such as GDPR or HIPAA, can result in fines, penalties, and reputational damage.
  5. Software vulnerabilities and outdated systems: Unpatched vulnerabilities and outdated systems can expose your organization to a wide range of cybersecurity threats.
  6. Insider threats and human errors: Insider threats, intentional or unintentional, can compromise the security of your organization's data and systems.

How UpGuard Can Help You Track and Manage Your Fourth-Party Risks

The UpGuard platform contains a fourth-party module that gives you complete visibility into the following essential fourth-party risk metrics:

  • The list of fourth parties in your network.
  • The number of third-party vendors using each fourth-party product.
  • Real-time security posture tracking for each fourth-party vendor.

UpGuard's fourth-party risk module

Customers use UpGuard’s fourth-party risk module to support their fourth-party risk management program by:

  • Keeping track of emerging fourth-party risks to detect third-party and subcontractor breach threats.
  • Continuously monitoring fourth-party security ratings to predict changes to reputational risks.
  • Grouping vendors into vendor portfolios to prioritize critical risks most likely to facilitate breaches.
