The Importance of Fourth-Party Vendor Tracking
Third-party vendor breaches are on the rise, but what about fourth-party risk? A fourth party is a subcontractor to your vendor — someone your vendor relies on or subcontracts to. The effectiveness of your vendor and the risk to you increasingly depend on fourth parties as your vendors outsource and subcontract critical activities.
Fourth-party vendors go by a lot of names, including providers and strategic partners, and can provide bill pay, mobile banking, core processing, legal, or other services.
Organizations are so interconnected today that it’s critical to make sure your vendors aren’t leaving your data or critical processes vulnerable through their use of vendors. The trouble is, you might not be sure where to begin to sufficiently monitor fourth parties.
So, what do you need to know about fourth-party vendors to track them and reduce this outside risk to your organization?
Understanding risks at a deeper level
Without a direct contract with fourth-party vendors, getting access to information they may have is complicated. Sharing information with a party not bound by confidentiality agreements and other legal requirements is not advisable, so you need to understand:
- Who they are in relation to you, so you can consider the potential cost of managing these relationships when comparing prices and risk.
- What critical products and services they provide to your vendor.
- What due diligence your vendors have done, including everything from financials to test results, cybersecurity, and business continuity planning.
This understanding will help you anticipate risks that may reside at a deeper level, such as how your data may need to be shared and possibly even stored in vendors’ systems where you do not have a direct contract.
Limiting fourth-party vendor risk
Even relatively small service providers can cause major disruptions or outages to the companies that rely on them. Your organization isn’t just responsible for what your vendor does, but also for the activities of its own vendors, especially in the eyes of your customers. The more critical these fourth-party vendors are to your vendor, the greater the costs and risks.
There are, however, ways to limit fourth-party vendor risk. When considering vendors:
- Routinely ask your third-party vendors for a list of their critical vendors.
- Request that your third-party vendors keep you apprised of any changes or concerns with fourth-party vendors.
- Require your advance approval of changes.
- Review your third party’s policies around oversight of their outsourced services.
- Read vendors’ SSAE 18 control audits, looking for mention of third parties.
Turning to VRM to police vendor risk
It should now be clear that fourth-party vendors have the potential to be a significant weakness in your enterprise’s supply chain. Monitoring and mitigating the risks they present can be an almost impossible task using traditional means. Technology rides to the rescue: organizations can now use vendor risk management (VRM) solutions that help them manage and monitor third-party vendors and their fourth-party providers.
As risks proliferate and regulators create more regulations, exposures increase. So, too, must the measures you take to combat them, including managing your supplier ecosystem more stringently than before, because their failures could become your business disasters.