Fourth-party risk is rising to the top of most auditors' and examiners' lists when it comes to evaluating a financial institution's vendor management program. Fourth parties are your vendors' third parties and subcontractors: vendors with which you have no direct contract, but on which your vendor relies to produce its product or service for you. Most of the time these vendors will be visible in your vendor's SOC reports (typically as subservice organizations), and your vendor should also be able to readily identify them as the ones classified as critical in its own vendor management program.
Financial institutions should care about fourth-party risk because fourth parties are subject to the same risks as your vendors, which exposes you to the same risk without the oversight you have over your own vendors. Financial institutions are ultimately responsible for protecting their customers' data, and a fourth-party vendor can expose the institution to reputational, operational or cybersecurity risk. All it takes is a single opening for a threat actor to compromise protected information. Like any risk, there can be serious business consequences, from fines to legal action, if fourth-party risk goes unchecked.
The most effective way to manage fourth-party risk is to build a mature, comprehensive vendor risk management program. If the right practices and processes are in place, incorporating fourth parties into them should be manageable and largely seamless. Your vendor management program should identify your most critical vendors. Once it does, ask each of them who their vendors are; what products and services those vendors provide that make them critical to your vendor's operations; and what due diligence your vendor has performed on them.