Fourth-Party Risk
Vendor's vendors.
Overview
Third-party risk is the vendors you sign with directly. Fourth-party risk is the vendors your vendors depend on, which you inherit silently. The CrowdStrike outage of 2024 taught the industry that fourth-party risk is real risk; the discipline is to track it before the next time it bites.
- Sub-vendor inventory per vendor. Ask every critical vendor for a list of their critical sub-vendors. The good ones already have this; the bad ones learn fast.
- SOC 2 and compliance pass-through. Confirm sub-vendor coverage in the SOC 2 reports themselves rather than assuming the parent vendor's controls extend to its sub-vendors.
- Incident-notification chain. When a sub-vendor has an outage, you should learn within hours, not from the news.
- Quarterly risk review. The dependency chain drifts; reviewing it on a fixed cadence catches new sub-vendors before they become incidents.
The approach
Treat fourth-party risk like third-party risk: documented inventory, named owner, scheduled review. The work scales with critical-vendor count, not total vendor count.
- Critical-vendor scope. Limit fourth-party tracking to vendors whose outage would page on-call; do not boil the ocean.
- Sub-vendor inventory per vendor. Required artefact before contract signature for every critical vendor.
- Incident-notification clauses. Negotiate disclosure timelines into the contract; "we'll let you know" is not a clause.
- Documented dependency map. One diagram per critical vendor showing the sub-vendors that ride underneath.
Why this compounds
Fourth-party tracking keeps paying back: when a CDN you have never heard of takes down five vendors at once, you already know which of your critical paths are affected.
- Risk posture. Knowing what is downstream of every critical vendor narrows uncertainty during major outages.
- Faster incident response. A pre-built dependency map shortens the time from outage to "is this us."
- Compliance evidence. Auditors increasingly ask for sub-vendor coverage; tracking it pre-emptively is cheaper than answering during audit.
- Decision trail for the next quarter. The dependency log becomes the input to the next risk review, not a cold start.
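The dependency map from "The approach" and the "is this us?" query from the incident-response point above, as an added example that is not part of the original page: a small Python model of the per-vendor inventory, inverted into a sub-vendor map, with the blast-radius, concentration and quarterly-drift queries. All vendor and sub-vendor names are constructed placeholders.

```python
from collections import defaultdict

# Constructed inventory (placeholder names, not real vendor data):
# vendor -> whether its outage pages on-call, and the sub-vendors it rides on.
INVENTORY = {
    "payments-gateway": {"critical": True,  "sub_vendors": ["cdn-alpha", "dns-beta", "cloud-one"]},
    "auth-provider":    {"critical": True,  "sub_vendors": ["cdn-alpha", "cloud-one"]},
    "ticketing-saas":   {"critical": True,  "sub_vendors": ["cloud-two", "dns-beta"]},
    "swag-store":       {"critical": False, "sub_vendors": ["cdn-alpha"]},
}


def in_scope(inventory):
    """Critical-vendor scope: track only vendors whose outage would page on-call."""
    return {v: d for v, d in inventory.items() if d["critical"]}


def dependency_map(inventory):
    """Invert the per-vendor inventory into sub-vendor -> set of critical vendors on top of it."""
    downstream = defaultdict(set)
    for vendor, data in in_scope(inventory).items():
        for sub in data["sub_vendors"]:
            downstream[sub].add(vendor)
    return dict(downstream)


def blast_radius(inventory, sub_vendor):
    """Answer 'is this us?': critical vendors affected when sub_vendor has an outage."""
    return sorted(dependency_map(inventory).get(sub_vendor, set()))


def concentration_risks(inventory, threshold=2):
    """Sub-vendors under `threshold` or more critical vendors: one outage hits all of them."""
    return {sub: sorted(vs) for sub, vs in dependency_map(inventory).items() if len(vs) >= threshold}


def drift(previous, current):
    """Quarterly review input: sub-vendors that appeared or vanished since the last inventory."""
    before, after = set(dependency_map(previous)), set(dependency_map(current))
    return {"added": sorted(after - before), "removed": sorted(before - after)}


if __name__ == "__main__":
    print("cdn-alpha outage affects:", blast_radius(INVENTORY, "cdn-alpha"))
    print("shared sub-vendors:", concentration_risks(INVENTORY))
```

Non-critical vendors are dropped before the map is built, so the swag store's dependency on the CDN does not show up in the blast radius.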