The Importance of Fourth-Party Vendor Tracking
Third-party vendor breaches are on the rise, but what about fourth-party risk? A fourth party is a subcontractor to your vendor, someone your vendor relies on or subcontracts to. The effectiveness of your vendor and the risk to you increasingly depend on fourth parties as your vendors outsource and subcontract critical activities.
They go by a lot of names, including providers and strategic partners, and can provide bill pay, mobile banking, core processing, legal or other services.
Organizations are so interconnected today that it’s critical to make sure your vendors aren’t leaving your data or critical processes vulnerable through their own use of vendors. The trouble is, you might not be sure where to begin to sufficiently monitor fourth parties.
So, what do you need to know about fourth-party vendors in order to track them and reduce this outside risk to your organization?
Understanding Risks at a Deeper Level
Without a direct contract with fourth-party vendors, getting access to information they may have is complicated. Sharing information with a party not bound by confidentiality agreements and other legal requirements is not advisable, so you need to understand:
- Who they are in relation to you, so you can consider the potential cost of managing these relationships when comparing prices and risk
- What critical products and services they provide to your vendor
- What due diligence has been done by your vendors, including everything from financials to test results, cybersecurity and business continuity planning
This understanding will help you anticipate risks that may reside one level deeper, such as how your data may need to be shared and possibly even stored in vendors’ systems where you do not have a direct contract.
Limiting Fourth-Party Vendor Risk
Even relatively small service providers can cause major disruptions or outages to the companies that rely on them. Your institution isn’t just responsible for what your vendor does, but also for the activities of its third-party vendors, especially in the eyes of your customers. The more critical these third-party vendors are to your vendor, the greater the costs and risks.
There are, however, ways to limit fourth-party vendor risk. When considering vendors:
- Routinely ask your third-party vendors for a list of their critical vendors
- Request that your third-party vendors keep you apprised of any changes or concerns with fourth-party vendors
- Require your advance approval of changes
- Review your third party’s policies around oversight of their outsourced services
- Read vendors’ SSAE 18 control audits, looking for mention of third parties
Fourth-party vendors have the potential to be a significant weakness in your enterprise’s supply chain. Fortunately, VendorInsight® can help ensure you manage and monitor your third-party vendors and their fourth-party providers. Schedule a demo today to see how our software can help automate your vendor management process and strengthen your vendor management program.