Most organizations use at least some (and perhaps many) external vendors in their daily operations, sometimes even to provide mission-critical services or supplies; we’ve discussed them before as third-party vendors and the risks they bring.

Indeed, most businesses today already consider third-party risk management in their overall cybersecurity protocols. An equally pressing concern, however, is fourth-party risk – that is, the vendors that your vendors use, and the risks that those fourth parties might pass along to you.

You can think of fourth-party vendors as friends of a friend. You know your friend has other friends, and they have activities together. But if your friend was engaging in risky behavior with those other friends – behavior that could affect you – you’d want to know, so you can take proper precautions.

For example, your company might contract with a cloud-based provider of payroll management services. But if that vendor relies on a data storage provider with poor cybersecurity, attackers might target the data storage provider and find the payroll company’s confidential data – which would be your data.

Your company, therefore, should know what due diligence is in place to mitigate fourth-party risks among your critical vendors, so that you can update and improve your vendor risk management protocols. For example, if your vendors have access to sensitive information that is being shared with fourth parties, then you want to prevent a data breach within that transfer the same as you would protect the transmission of that data between your organization and a third party vendor.

Common Types of Fourth-Party Risks

Common fourth-party risks include:

  • Data breach. Your information may be shared between your third-party vendor and its vendors. Because it’s difficult for you to know what cybersecurity risk management is in place for those fourth-party vendors, you could suffer a data breach without any ability to mitigate.
  • Outages. If a fourth-party vendor experiences an outage of its services, that can ripple back to you and your clients directly.
  • Lack of surveillance. Some fourth-party vendors may not have performed their due diligence in surveying and indexing their own cybersecurity risks, leaving them open for increased attack vectors. They pass that increase in attack vectors back up the supply chain, with your own attack vectors affected.

Creating Your Fourth-Party Risk Management Plan

Index existing fourth-party risks

The first step in addressing any cybersecurity risk is to analyze what risks and threats currently exist. You most likely have already conducted an internal risk assessment for your organization. You should plan to do the same as a part of your regular vendor risk management.

You can ask your third-party vendors for lists of their current vendors, and any security measures those vendors are taking. Asking fourth-party vendors directly for this information can be more difficult, since they’re usually not under contract with your organization the way your third-party vendors are.

Continuous monitoring of any changes within your vendor risk management (for example, adding or removing critical vendors) allows you to stay aware of shifting attack vectors within your supply chain.


The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is an auditing standard that forces a third-party vendor to report on its own vendors. This standard should make it simpler for you to implement rules for existing fourth-party risks and to create prioritization strategies.


You can also request a service organizational controls (SOC) report from your third-party vendors. This is another type of cybersecurity report that shows how your third-party vendors are engaging with cybersecurity best practices – including fourth-party risk management.

Third-party risk management program

Because it’s so difficult to mitigate risk with fourth-party vendors, you should assure that your organization has an airtight third-party vendor risk management program. This includes requesting the SSAE and SOC reports listed above, as well as contractually requiring certain cybersecurity best-practices from your third-party vendors. You’ll reduce your own attack vectors while looking out for your vendors as well.

Mitigate Fourth Party Risks with ZenGRC

ZenGRC helps you manage your potential risks within your information security ecosystem, including management of third-party and fourth-party risk.

You can create a more efficient, less manual, risk-based approach to third- and fourth-party vendor management with vendor questionnaires. You can use ZenGRC’s tools to define actions for specific questions and assure issues are addressed. You can also implement business questionnaires, which are an efficient way of gathering documentation from your vendors. Use the weighing scale feature to apply a risk score to each third-party vendor within your organization, helping you prioritize the high-risk business relationships in your supply chain.

Worry-free GRC is the Zen way! Schedule a demo of ZenGRC today.