Third party risk, fourth party risk, maybe even fifth party risk? There’s a lot of potential risk to know and understand. In this blog, we thought it’d be helpful to focus on one that seems to be increasingly important to regulators – fourth party risk.
So, what do you need to know? Let’s break down the basics:
What is a fourth party?
A fourth party is your vendor’s vendor. It’s a vendor that your organization doesn’t have a direct contract with but your vendor (third party) does.
When should you require due diligence on a fourth party?
If the fourth party vendor is providing a critical product or service to your third party vendor, then it’s time to dig further. This means if they have access to your customer’s information or your organization’s confidential data.
What steps can you take to evaluate the fourth party risk?
Take these 3 steps:
- If you can, require that your third party contractually commits to notifying you prior to contracting with a fourth party vendor.
- Review your fourth party’s SSAE 18 report to identify fourth party vendors. As of May 2017, your third parties should now be disclosing any of their significant fourth party providers. You should ask your third party vendor to provide you with the due diligence you require.
- Likely, you won’t have a direct contractual relationship with the fourth party vendor. Any contractual relationship will be with your third party vendor. You will have to request that your third party assist you with obtaining any documentation you need to perform your due diligence on your fourth party. If your third party vendors want to maintain a positive partnership with your organization then they should be more than willing to help.
What if you find out that the fourth party presents risk to your organization?
All fourth parties present some level of risk to your organization. If you knew, before you signed the contract with your third party, that a fourth party would be involved, the fourth party should be part of your original risk assessment. If the fourth party is new to the relationship, between you and your third party vendor, you will have to will have to reassess the risk associated with the additional player.
If the fourth party has access to your infrastructure, your data or your customer’s data, the risk can be significantly higher for your organization. The risk assessment you performed on your third party should be augmented to account for the fourth party. You will have to go through your due diligence process for the fourth party.
If you discover that the fourth party does indeed present a significant risk to your organization, you should take the following steps:
- Contact your third party and review your findings. You always want to make sure you completely understand the nature of the relationship between the third party and the fourth party.
- Next, once you have a complete picture of the risk a fourth party presents to your organization, you can begin to take steps to mitigate the risk. You need to know what additional steps, if any, you will have to take to mitigate the level of risk the fourth party poses to your organization. These steps may include going back to the original contract and amending some parts of the contract or creating a new contract all together.
Examiners will expect your organization to have fourth party due diligence and documented findings on file. When a fourth party is involved, the risk should be analyzed as extensively as it would be when reviewing a third party.
Monitoring a fourth party is a unique challenge and can be tricky. Download this infographic to help.