Fourth Party Vendors: How Far Do You Need to Go?

Just when you thought you had your arms around your vendor management program, in recent years auditors and examiners have been requesting information about your “vendor’s vendors.”

It’s understandably confusing to figure out where to draw the line on your vendor’s vendors, aka fourth parties. Are you responsible for “managing” all of your fourth party vendors? What about your fourth party’s vendors, referred to as fifth parties? That may be something we see more emphasis on in 2019. What’s next?

Who Are Fourth Party Vendors?

A fourth party vendor is one with whom you don’t have a direct contract; however, your vendor does have a contract with them for a product or service. Like you, your vendors are deeply reliant on some of their vendors, and these are the ones you need to concern yourself with to some extent. These vendors show up in your vendor’s SOC reports, and your vendor should be able to identify them easily as the ones classified as critical in its own vendor management matrix.

The SSAE 18 Report

Thankfully, with the introduction of the SSAE 18 report in May 2017, your third party vendors are now required to identify their significant vendors, aka your fourth parties. This makes it much easier for you to know which fourth party vendors you should actively monitor.

3 Things to Understand About Your Fourth Party Vendors

You need to understand the following three things about your fourth party vendors:

  1. Who they are
  2. What products and services they provide to your vendor that cause them to be classified as critical to their operations
  3. What your vendor has done as part of their due diligence on these vendors

The idea is that through this understanding, you can better anticipate risks that may reside a level deeper, such as how your data may need to be shared and possibly even stored in a vendor’s systems where you don’t have a direct contract. A breach at this level can be every bit as impactful as a breach of your third party vendor.

Since you don’t have a direct contract with the fourth party vendors, getting access to information about controls they may have in place is difficult, for obvious reasons. None of us would share this sort of information with a party not bound by confidentiality agreements, etc. and without a solid “need to know.”

So, how do you do what regulators expect of you without the same information you use to assess your third party vendors?

To get started, begin with your own critical vendors. Let them know that you’re working toward the next level of your vendor management program and that fourth party vendors are your focus. 

Ask Third Party Vendors for This Information

Ask your third party vendor to provide you the following pieces of information:

  • A copy of their own vendor management policy
  • A complete list of all vendors they classified as critical and/or high risk
  • Copies of their most recent annual review of each of these vendors
  • The fourth party vendor's SOC report (your third party vendor can typically get you a copy of it, but you’ll need to sign the fourth party vendor’s confidentiality agreement)

Once you have this information, review it and formulate your opinions of the risk these fourth party vendors pose to you (not your third party vendor). If needed, ask additional questions to ensure you understand the products or services being provided and how they can impact you. 

Where Fourth Party Vendors Pose Risk to You

Here are a few common areas where a fourth party vendor may pose a risk to you:

  • Your sensitive data is being transmitted or stored by a fourth party vendor and could be exposed if the vendor’s system is breached
  • Payment processing or other dependent services for your own customers may fail if the fourth party vendor experiences a failure
  • Downtime of the fourth party vendor may be visible to your own customers depending on the integration method

You don’t need to be concerned about fourth parties who pose incidental risk (e.g., the third party’s vending machine company).

Remember to Track Findings

Most importantly, document your review thoroughly and repeat annually. It’s also a good idea to monitor news headlines for any public information that may alert you to a breach or other potential issue with these vendors.
