Fourth-party risk is the risk introduced by your vendors’ own vendors. An organization’s cybersecurity controls can be undermined if its vendors do not run a robust third-party risk management (TPRM) program that addresses their own fourth-party risk. Beyond third-party risks, information security teams should therefore also account for fourth parties to build a comprehensive vendor risk management (VRM) framework.
Why is Fourth-Party Risk Important?
Fourth parties form part of an organization’s attack surface and significantly increase the number of attack vectors to which the organization is exposed. Regardless of where in the supply chain a security incident occurs, the organization remains fully responsible for enacting an appropriate incident response plan.
Although a third party sits between the organization and a fourth party, and so provides an added layer of separation during a fourth-party security incident, such an incident still exposes the organization to a significant level of cybersecurity risk.
For example, if a fourth party suffers a data breach that affects a third party, the threat actor could reach an organization’s sensitive data through that third party. Ensuring that third parties perform vendor due diligence on their own suppliers is crucial to mitigating this risk.