
        Fourth Party Risk Management Explained

        Published January 6, 2022 • By Reciprocity • Blog

        Most organizations use at least some (and perhaps many) external vendors in their daily operations, sometimes even to provide mission-critical services or supplies; we’ve discussed them before as third-party vendors and the risks they bring.

        Indeed, most businesses today already consider third-party risk management in their overall cybersecurity protocols. An equally pressing concern, however, is fourth-party risk – that is, the vendors that your vendors use, and the risks that those fourth parties might pass along to you.

        You can think of fourth-party vendors as friends of a friend. You know your friend has other friends, and they have activities together. But if your friend was engaging in risky behavior with those other friends – behavior that could affect you – you’d want to know, so you can take proper precautions.

        For example, your company might contract with a cloud-based provider of payroll management services. But if that vendor relies on a data storage provider with poor cybersecurity, attackers might target the data storage provider and find the payroll company’s confidential data – which would be your data.

        Your company should therefore know what due diligence your critical vendors apply to their own vendors, so that you can update and improve your vendor risk management protocols. For example, if a vendor shares your sensitive information with a fourth party, you want that transfer protected to the same standard you require for data moving between your organization and the third-party vendor itself.

        Common Types of Fourth-Party Risks

        Common fourth-party risks include:

        • Data breach. Your information may be shared between your third-party vendor and its vendors. Because it is difficult for you to know what cybersecurity risk management those fourth-party vendors have in place, you could suffer a data breach that you had no ability to detect or mitigate.
        • Outages. If a fourth-party vendor experiences an outage of its services, the disruption can ripple back through your third-party vendor to you and your clients. A fourth party that several of your critical vendors share is a single point of failure for all of them.
        • Lack of visibility. Some fourth-party vendors may never have inventoried and assessed their own cybersecurity risks, leaving them with an unmanaged attack surface. That expanded attack surface propagates up the supply chain to your third-party vendor and, through it, to you.

        Creating Your Fourth-Party Risk Management Plan

        Index existing fourth-party risks

        The first step in addressing any cybersecurity risk is to analyze what risks and threats currently exist. You most likely have already conducted an internal risk assessment for your organization. You should plan to do the same as a part of your regular vendor risk management.

        You can ask your third-party vendors for lists of their current vendors, which of those vendors receive your data, and what security measures those vendors have in place. Asking fourth-party vendors directly for this information is harder, since they are usually not under contract with your organization the way your third-party vendors are; the practical route is to require the disclosure from the third party and to obtain a fourth party's own attestation reports where it is critical to you.

        Continuous monitoring of changes within your vendor inventory (for example, a critical vendor adding or replacing a subcontractor) lets you stay aware of shifting attack surface within your supply chain rather than discovering it at the next annual review.
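As an added illustration of the indexing and monitoring steps above (this is not code from the original post or from Reciprocity, and the vendor names, attestation labels and scoring weights are assumed), the following Python builds an inventory from the subcontractor lists your vendors disclose, inverts it to find fourth parties that several critical vendors share, traces the hops over which your data travels onward, scores each vendor's exposure so you can order due-diligence effort, and diffs two review snapshots so that a newly added fourth party surfaces for review:

```python
"""Added example, not Reciprocity's code: a minimal fourth-party inventory.
Vendor names, attestation labels and scoring weights below are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

CRITICALITY = {"low": 1, "medium": 2, "high": 3}   # assumed weights
ACCEPTED = {"SOC1-TypeII", "SOC2-TypeII"}           # assumed acceptable report labels


@dataclass
class Vendor:
    name: str
    criticality: str                 # "low" | "medium" | "high"
    receives_our_data: bool          # does this vendor hold or process our data
    # fourth party -> True if the vendor passes our data on to it (as disclosed by the vendor)
    subvendors: Dict[str, bool] = field(default_factory=dict)
    attestation: str = "none"        # report the vendor gave us, "none" if nothing


def fourth_party_index(vendors: Dict[str, Vendor]) -> Dict[str, Set[str]]:
    """Invert the disclosures: fourth party -> third parties that rely on it."""
    index: Dict[str, Set[str]] = {}
    for v in vendors.values():
        for fp in v.subvendors:
            index.setdefault(fp, set()).add(v.name)
    return index


def concentration_risks(vendors: Dict[str, Vendor], min_dependents: int = 2) -> Dict[str, Set[str]]:
    """Fourth parties shared by several high-criticality vendors: one outage ripples to all of them."""
    return {fp: deps for fp, deps in fourth_party_index(vendors).items()
            if sum(vendors[d].criticality == "high" for d in deps) >= min_dependents}


def data_paths(vendors: Dict[str, Vendor]) -> List[Tuple[str, str]]:
    """(third party, fourth party) hops over which our data travels onward."""
    return [(v.name, fp) for v in vendors.values() if v.receives_our_data
            for fp, shares in v.subvendors.items() if shares]


def exposure_score(v: Vendor, reports_held: Dict[str, str]) -> int:
    """Heuristic: criticality x data factor x (1 + parties in the chain without an accepted report).
    reports_held maps fourth-party name -> report we obtained directly from that fourth party."""
    data_factor = 2 if v.receives_our_data else 1
    unattested_own = 0 if v.attestation in ACCEPTED else 1
    unattested_fp = sum(1 for fp, shares in v.subvendors.items()
                        if shares and reports_held.get(fp) not in ACCEPTED)
    return CRITICALITY[v.criticality] * data_factor * (1 + unattested_own + unattested_fp)


def review_queue(vendors: Dict[str, Vendor], reports_held: Dict[str, str]) -> List[Tuple[str, int]]:
    """Vendors ordered by exposure, highest first: where to spend due-diligence effort."""
    scored = [(v.name, exposure_score(v, reports_held)) for v in vendors.values()]
    return sorted(scored, key=lambda pair: -pair[1])


def snapshot_diff(old: Dict[str, Vendor], new: Dict[str, Vendor]) -> Dict[str, Dict[str, Set[str]]]:
    """Continuous monitoring: which fourth parties appeared or disappeared since the last review."""
    changes: Dict[str, Dict[str, Set[str]]] = {}
    for name in set(old) | set(new):
        before = set(old[name].subvendors) if name in old else set()
        after = set(new[name].subvendors) if name in new else set()
        if before != after:
            changes[name] = {"added": after - before, "removed": before - after}
    return changes


# Constructed sample data: what two quarterly vendor reviews might have collected.
SNAPSHOT_Q1 = {
    "PayrollCo": Vendor("PayrollCo", "high", True, {"CloudStore": True, "EmailRelay": False}, "SOC2-TypeII"),
    "HRPortal": Vendor("HRPortal", "high", True, {"CloudStore": True}, "SOC2-TypeI"),
    "Janitorial": Vendor("Janitorial", "low", False, {}, "none"),
}
SNAPSHOT_Q2 = {
    "PayrollCo": Vendor("PayrollCo", "high", True,
                        {"CloudStore": True, "EmailRelay": False, "AnalyticsInc": True}, "SOC2-TypeII"),
    "HRPortal": Vendor("HRPortal", "high", True, {"CloudStore": True}, "SOC2-TypeI"),
    "Janitorial": Vendor("Janitorial", "low", False, {}, "none"),
}
FOURTH_PARTY_REPORTS = {"CloudStore": "SOC2-TypeII"}   # reports obtained from fourth parties directly

if __name__ == "__main__":
    print("shared fourth parties:", concentration_risks(SNAPSHOT_Q1))
    print("data hops:", data_paths(SNAPSHOT_Q1))
    print("review order:", review_queue(SNAPSHOT_Q1, FOURTH_PARTY_REPORTS))
    print("changes since Q1:", snapshot_diff(SNAPSHOT_Q1, SNAPSHOT_Q2))
```

In the sample data, CloudStore is flagged as a shared fourth party because both high-criticality vendors depend on it, HRPortal outranks PayrollCo in the review queue because it has only a Type I report, and the Q2 snapshot surfaces AnalyticsInc as a new recipient of your data, which doubles PayrollCo's score until you obtain an acceptable report for it. The weights are deliberately simple; the point is that the inputs (disclosed subcontractors, data flows, reports held) are the things worth collecting from your vendors.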

        SSAE 18

        The Statement on Standards for Attestation Engagements No. 18 (SSAE 18) is the AICPA attestation standard under which SOC reports are issued. It requires a service organization to identify the subservice organizations it relies on (your fourth parties) and to describe how it monitors them, which gives you a documented starting point for indexing existing fourth-party risks and prioritizing them. One caveat: when a report uses the carve-out method, the subservice organization's own controls are excluded from the auditor's opinion, so for a fourth party that is critical to you, ask for that organization's own SOC report rather than relying on the third party's.

        SOC

        You can also request a System and Organization Controls (SOC) report from your third-party vendors. A SOC 1 report covers controls relevant to financial reporting; a SOC 2 report covers security and, optionally, availability, confidentiality, processing integrity and privacy, and is the one most relevant to cybersecurity due diligence. Ask for a Type II report, which tests the controls over a period rather than at a single point in time, and read the section on subservice organizations and the complementary user entity controls: the former names the fourth parties, and the latter lists the controls the vendor expects you to operate yourself.

        Third-party risk management program

        Because it is so difficult to mitigate fourth-party risk directly, you should ensure that your organization has a robust third-party vendor risk management program. This includes requesting the SOC reports described above, contractually requiring specific cybersecurity practices from your third-party vendors, and adding flow-down and notification clauses so that your security requirements are passed on to their subcontractors and you are told when a critical subcontractor is added or replaced. You reduce your own attack surface while keeping an eye on your vendors' as well.

        Mitigate Fourth Party Risks with ZenGRC

        ZenGRC helps you manage your potential risks within your information security ecosystem, including management of third-party and fourth-party risk.

        You can create a more efficient, less manual, risk-based approach to third- and fourth-party vendor management with vendor questionnaires. You can use ZenGRC's tools to define actions for specific questions and ensure issues are addressed. You can also implement business questionnaires, which are an efficient way of gathering documentation from your vendors. Use the weighing scale feature to apply a risk score to each third-party vendor within your organization, helping you prioritize the high-risk business relationships in your supply chain.

        Worry-free GRC is the Zen way! Schedule a demo of ZenGRC today.
