If third-party cyber risk is keeping CISOs awake at night…
Fourth-party risk should terrify the board.
Because the fastest-growing source of data breaches today isn’t your vendor.
It’s your vendor’s vendor.
(Or their vendor. Or their cloud provider. Or their offshore subcontractor.)
🎬 Think of it like The Six Degrees of Kevin Bacon
Remember the game?
The idea that any actor in Hollywood can be linked to Kevin Bacon within six steps?
Fourth-party cyber risk works the same way:
Your data is always closer to risk than you think.
Example chain:
“Your CRM vendor uses a payment vendor…
that uses a SaaS plugin…
that runs on a cloud platform…
that uses a subcontractor…”
And somewhere in those degrees of separation is the weak link.
❓ What Is Fourth-Party Risk?
Fourth-party risk is the risk introduced by the suppliers your vendors themselves rely on: their subcontractors, hosting providers and software dependencies.
You don’t select them.
You don’t assess them.
You often don’t even know they exist.
🔎 Companies have 60×–90× more fourth parties than direct third parties.
— SecurityScorecard
Meaning:
If you manage 500 vendors, your real exposure may be:
30,000+ fourth-party relationships
…without any visibility.
And the more digital you become — APIs, SaaS integrations, automation —
the more invisible risk you accumulate.
⚠️ Why Fourth-Party Risk Is More Dangerous Than Third-Party Risk
You likely have NO:
Visibility
Contractual rights
Breach notification requirements
Ability to audit or approve subcontractors
Yet those unseen subcontractors may be:
Storing your customer data
Hosting critical systems
Processing confidential product files
Here’s the kicker:
84% of financial institutions have already been exposed to a fourth-party breach.
— SecurityScorecard (2024)
🧨 Case Study: MOVEit — The Perfect Fourth-Party Breach
In 2023, attackers exploited a zero-day in MOVEit file transfer software.
2,700+ organizations compromised
93.3M individuals impacted (Wikipedia)
Most of the organizations affected never used MOVEit directly
Example:
Colorado State University was breached six separate times
because six different vendors they worked with used MOVEit.
— Cybersecurity Dive
That’s not a breach —
👉 that’s a supply-chain avalanche.
Reality Check for Boards
You can outsource operations.
You cannot outsource accountability.
When a fourth-party vendor gets breached:
Your customers don’t blame the vendor.
They blame you.
✅ The Top 6 Things Every Board Should Require in Third-Party Risk Management
(to reduce exposure to fourth-party risk)
These turn vendor management from a checkbox to a governance function.
✅ 1. Subcontractor disclosure
Vendors must list every subcontractor with access to data or systems.
If a vendor has a third-party program, this should be easy.
✅ 2. Right to approve (or reject) subcontractors
If they add someone new that touches your data, you get a vote.
✅ 3. Continuous real-time monitoring — not annual assessments
Annual questionnaires = false security.
You need live vendor risk ratings, not a PDF from last year.
✅ 4. Concentration risk reporting
Identify where multiple vendors rely on the same provider (e.g., AWS, Azure).
One outage = many failures.
✅ 5. Exit + portability plan
If a critical vendor fails, you should be able to:
Move your data within 72 hours — not 6 months into negotiations.
✅ 6. Contract flow-down language
Your requirements must flow from you → to your vendor → to their vendors.
Security doesn’t end at the first contract boundary.
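Items 1 and 4 above (subcontractor disclosure and concentration-risk reporting) only become actionable once the disclosed subcontractors are recorded as a dependency graph and walked. The script below is an added example, not part of the original post and not any vendor's tooling: it takes a constructed, hypothetical supplier graph (all vendor names are made up) and computes the "degrees of separation" of every supplier, separates third parties from fourth-plus parties, lists the providers that several direct vendors silently share, and reconstructs the chain that connects you to a given fourth party.

```python
from collections import deque

# Constructed example data: "acme-corp" is the organization, every other key
# is a supplier and its value is the list of subcontractors it disclosed.
# Names are hypothetical placeholders, not real companies.
SUPPLY_GRAPH = {
    "acme-corp": ["crm-vendor", "payroll-vendor", "file-transfer-vendor"],
    "crm-vendor": ["payment-vendor", "cloud-a"],
    "payment-vendor": ["saas-plugin"],
    "saas-plugin": ["cloud-a"],
    "payroll-vendor": ["cloud-a", "offshore-subcontractor"],
    "file-transfer-vendor": ["cloud-b"],
    "offshore-subcontractor": ["cloud-a"],
}


def reach_by_hops(graph, start):
    """Breadth-first walk: map every supplier reachable from `start` to its
    minimum hop distance. The visited set also makes cycles harmless."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    del dist[start]  # the organization is not its own supplier
    return dist


def nth_parties(graph, org):
    """Split reachable suppliers into third parties (1 hop) and
    fourth-or-further parties (2+ hops, with their hop distance)."""
    dist = reach_by_hops(graph, org)
    third = {n for n, d in dist.items() if d == 1}
    fourth_plus = {n: d for n, d in dist.items() if d >= 2}
    return third, fourth_plus


def concentration_report(graph, org, min_vendors=2):
    """Provider -> set of direct vendors that depend on it, directly or
    transitively. Only providers shared by at least `min_vendors` direct
    vendors are reported: those are the single points of failure."""
    shared = {}
    for vendor in graph.get(org, []):
        for provider in reach_by_hops(graph, vendor):
            shared.setdefault(provider, set()).add(vendor)
    return {p: v for p, v in shared.items() if len(v) >= min_vendors}


def exposure_chain(graph, org, target):
    """Shortest path from `org` to `target`: the concrete chain of vendors
    through which a given fourth party reaches your data. Empty if unreachable."""
    prev = {org: None}
    queue = deque([org])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt in graph.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if target not in prev:
        return []
    path, node = [], target
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


if __name__ == "__main__":
    third, fourth = nth_parties(SUPPLY_GRAPH, "acme-corp")
    print("third parties:", sorted(third))
    print("fourth+ parties (hops):", dict(sorted(fourth.items())))
    print("concentration:", concentration_report(SUPPLY_GRAPH, "acme-corp"))
    print("chain to saas-plugin:", " -> ".join(
        exposure_chain(SUPPLY_GRAPH, "acme-corp", "saas-plugin")))
```

In the constructed graph, three direct vendors expand into five further suppliers, and `cloud-a` turns out to underpin two of the three vendors through four different routes, which is exactly the concentration a board report should surface. Feeding the same functions a real subcontractor inventory (item 1) gives the live input that item 4 asks for; anything that appears in `fourth_plus` but in no contract is the visibility gap the post describes.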
Ken’s Take
Fourth-party risk is the Six Degrees of Cyber Exposure.
Your systems may be secure.
Your vendor may be secure.
But two hops…
three hops…
five hops down the chain?
There’s the weak link.
And when they fall —
You take the hit.