Fourth-Party Risk Management

Fourth-Party Risk Management: The blind spot in Third-Party Risk Management.

As organizations, we’ve made real progress in managing third-party risk, assessing vendors, signing NDAs & DPAs, and running due diligence checks. But there’s a quieter, deeper layer we may overlook: fourth-party risks.

Fourth-party risk is the exposure we inherit from our vendors’ vendors: their cloud providers, subcontractors, and the invisible dependencies woven into our digital supply chains.

Why fourth-party risk should be a source of concern for us:

  • We have limited visibility into who our vendors rely on.
  • Their security posture affects us, even when we have no contract with them.
  • We’re accountable for compliance failures tied to someone two degrees removed.
  • An outage or breach downstream can take us down, too.

Some notable examples? The 2021 Kaseya ransomware attack: thousands of companies downstream were impacted, many of which didn’t even know they were connected (Kaseya VSA ransomware attack). Also, the 2025 Workday breach, which exposed business contact details that could be used further to conduct social engineering scams (Workday Hit by Social Engineering Attack, Third-Party Data Exposed).

What are we doing, and what should we be doing, as information security leaders?

  • Asking vendors to share who they rely on (think: SBOMs and transparency).
  • Including fourth-party controls in contracts and SLAs.
  • Using tools to monitor not just vendors, but their ecosystems.
  • Practicing zero trust and preparing for breakdowns beyond our direct control.
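One way to put the SBOM bullet into practice, as an added example that is not part of the original post: walk a CycloneDX-style dependency graph outward from our own component and flag everything two or more hops away, i.e. the suppliers we inherit through a vendor without ever contracting with them. The SBOM below is a constructed sample; a real one would be loaded from a vendor-supplied file.

```python
from collections import deque

# Constructed sample SBOM (CycloneDX-shaped, not from any real vendor):
# our-app -> vendor-crm (Vendor A) -> lib-auth (Vendor B) -> lib-json (Vendor C)
#                                  -> cloud-host (Cloud Co)
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "our-app", "name": "our-app"}},
    "components": [
        {"bom-ref": "vendor-crm", "name": "vendor-crm", "supplier": {"name": "Vendor A"}},
        {"bom-ref": "lib-auth", "name": "lib-auth", "supplier": {"name": "Vendor B"}},
        {"bom-ref": "cloud-host", "name": "cloud-host", "supplier": {"name": "Cloud Co"}},
        {"bom-ref": "lib-json", "name": "lib-json", "supplier": {"name": "Vendor C"}},
    ],
    "dependencies": [
        {"ref": "our-app", "dependsOn": ["vendor-crm"]},
        {"ref": "vendor-crm", "dependsOn": ["lib-auth", "cloud-host"]},
        {"ref": "lib-auth", "dependsOn": ["lib-json"]},
    ],
}


def classify_parties(sbom):
    """BFS from the root component over the CycloneDX "dependencies" graph.
    Returns {bom-ref: (depth, via)} where depth 1 is a third party (direct
    vendor) and depth >= 2 is a fourth party or deeper; "via" is the direct
    vendor through which the component is inherited. Cycles are tolerated."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    info = {root: (0, None)}
    queue = deque([root])
    while queue:
        ref = queue.popleft()
        depth, via = info[ref]
        for dep in graph.get(ref, []):
            if dep not in info:            # first visit is the shortest path
                info[dep] = (depth + 1, dep if depth == 0 else via)
                queue.append(dep)
    return info


def fourth_party_report(sbom):
    """List (bom-ref, supplier, depth, via) for every component we reach only
    through a vendor, i.e. parties we have no contract with."""
    suppliers = {c["bom-ref"]: c.get("supplier", {}).get("name", "unknown")
                 for c in sbom.get("components", [])}
    return sorted((ref, suppliers.get(ref, "unknown"), depth, via)
                  for ref, (depth, via) in classify_parties(sbom).items()
                  if depth >= 2)
```

Running `fourth_party_report(SAMPLE_SBOM)` lists lib-auth, cloud-host and lib-json, all inherited via vendor-crm; swapping in a vendor's real SBOM gives the "who do they rely on" list the bullet asks for.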

Supply chain trust is no longer linear; it's layered, and it’s inherited. If we don't go beyond third-party risk, we will not be able to see the full map.


If Third-Party Risk Management is of interest to you, you may also read: Understanding Third-Party Risk Management (TPRM) in Cybersecurity and SBOM: Software Bill of Materials.
