Just when you thought you had your arms around your vendor management program, auditors and examiners in recent years have started requesting information about your "vendor's vendors."
It is understandably confusing to figure out where to draw the line on your vendor's vendors, also known as fourth parties. Are you responsible for "managing" all of your fourth party vendors? What about your fourth party's vendors, referred to as fifth parties? That may be something we see more emphasis on in 2019. What's next?
Who Are Fourth Party Vendors?
A fourth party vendor is one with whom you have no direct contract, but with whom your vendor does have a contract for a product or service. Like you, your vendors are deeply reliant on some of their vendors, and these are the ones you need to concern yourself with to some extent. They show up in your vendor's SOC reports as "subservice organizations," and your vendor should also be able to identify them readily as the vendors classified as critical in its own vendor management matrix.
The SSAE 18 Report
Thankfully, since SSAE 18 took effect for SOC reports dated on or after May 1, 2017, your third party vendors are required to identify the subservice organizations they rely on (your fourth parties) and to describe how they monitor them. This makes it much easier to know which fourth party vendors you should actively monitor. One caveat: most reports use the "carve-out" method, which names the subservice organization but excludes its controls from the auditor's testing, so the SOC report tells you who the fourth party is, not whether its controls are effective.
3 Things to Understand About Your Fourth Party Vendors
You need to understand the following three things about your fourth party vendors:
- Who they are
- What products and services they provide to your vendor that cause them to be classified as critical to their operations
- What your vendor has done as part of their due diligence on these vendors
The idea is that through this understanding, you can better anticipate risks that reside a level deeper, such as your data being shared with, and possibly stored on, the systems of a vendor with whom you have no direct contract. A breach at this level can be every bit as impactful as a breach of your third party vendor.
Since you have no direct contract with a fourth party vendor, getting information about the controls it has in place is difficult, for obvious reasons: none of us would share that sort of information with a party not bound by a confidentiality agreement and without a solid need to know.
So, how do you do what regulators expect of you without the same information you use to assess your third party vendors?
To get started, begin with your own critical vendors. Let them know that you’re working toward the next level of your vendor management program and that fourth party vendors are your focus.
Ask Third Party Vendors for This Information
Ask your third party vendor to provide you the following pieces of information:
- A copy of their own vendor management policy
- A complete list of all vendors they classified as critical and/or high risk
- Copies of their most recent annual review of each of these vendors
- The fourth party vendor's own SOC report (your third party vendor can typically obtain a copy for you, but you will usually need to sign the fourth party vendor's confidentiality agreement first)
Once you have this information, review it and formulate your opinions of the risk these fourth party vendors pose to you (not your third party vendor). If needed, ask additional questions to ensure you understand the products or services being provided and how they can impact you.
Where Fourth Party Vendors Pose Risk to You
Here are a few common areas where a fourth party vendor may pose a risk to you:
- Your sensitive data is being transmitted or stored by a fourth party vendor and could be exposed if the vendor’s system is breached
- Payment processing or other dependent services for your own customers may fail if the fourth party vendor experiences a failure
- Downtime of the fourth party vendor may be visible to your own customers depending on the integration method
You don’t need to be concerned about fourth parties who pose incidental risk (e.g., the third party’s vending machine company).
Remember to Track Findings
Most importantly, document your review thoroughly and repeat it annually, or sooner if your third party vendor replaces or adds a critical vendor. It is also a good idea to monitor news headlines for any public information that may alert you to a breach or other potential issue with these vendors.
Find out more information about when fourth parties require your attention. Download the eBook.