What is Fourth-Party Risk, Why it’s Important, and How to Address It

July 02, 2019

As an information and data security professional, you’re most likely well versed in third-party risk strategy. As the modern supply chain has grown exponentially, third-party risk, the risk incurred through your partners and vendors, has become a major focus for security teams. Unfortunately, the supply chain is showing no signs of slowing down. And, as personal data (especially consumer data) continues to become an increasingly valuable resource, many security and risk leaders are pointing to fourth-party risk as the next area of concern.

What is fourth-party risk?

Most companies already have a strong third-party vendor risk assessment process in place. Whether it’s through audits or security assessments, if a company is sharing consumer data with another organization, then that organization needs to be properly vetted. But what if this vendor organization (aka a third party) is also working with third parties of its own? This new threat, known as fourth-party risk, can reach a company’s data through the third-party relationship. Fourth parties can be anything from financial consultants to business planners working with your third-party vendors.

Why should you be worried about fourth-party risk?

While fourth-party risk involves more layers and more players than third-party risk, it doesn’t make a company any less responsible for a data breach. The more third-party partners and vendors your team is working with, the greater the potential fourth-party risks become. All it takes is a single opening for a threat to compromise protected information. And, like any risk, there can be serious business implications. From fines to legal issues to your industry reputation, a fourth-party risk can wreak havoc on your organization if left unchecked.

There is one particular caveat to fourth-party risk. While it is becoming more common, it is still hard for threat actors to exploit, because they have to break through not one but two corporate security infrastructures. But, as security technology becomes more modern, so too does the technology on the other side. Security teams should not be unconcerned by, or unfazed by, the rise of fourth-party risk.

What can you do about fourth-party risk?

There are a few ways to monitor fourth-party risk and work towards compliance. First, it’s a good idea to track the cyber-competency of partners to get a clear look at where potential risks lie. From this first competency test, you can make the initial decision on whether to partner with a third party at all, based on the security reputation of its own partners.

It’s also a good idea to have a strong contingency plan in place in case an incident does occur. According to Nigel Ng, vice president international at RSA Security, organizations that get out in front of data breaches and manage the incident can get their share prices back up to the original price within a week.

And finally, transparency is key. Ask your current third-party vendors to provide the names of their vendors and partners. Your team can either work with your third-party partners to obtain security records or add these new fourth-party partners to your assessment list for a full look into potential security gaps.

Like to see how to streamline fourth-party risk? Schedule a Whistic Platform walkthrough.
