In June 2023, the California Public Employees’ Retirement System told roughly 769,000 members that their personal data had been stolen. Fourth-party risk management exists for the strange part of that disclosure: CalPERS itself was never breached. The data left through PBI Research Services, a subcontractor that ran death audits on Progress Software’s MOVEit file transfer tool.
One flaw in that tool reached more than 2,700 organizations and roughly 95 million people by the time Emsisoft’s tracking closed out in June 2024. Many victims never licensed MOVEit at all, and some were four steps removed: a vendor used a contractor that used a subcontractor that used the tool.
Assessing your vendors’ vendors takes a different toolkit than classic third-party due diligence, because you cannot question or audit a company you never contracted. The workable substitutes are dependency mapping, subcontractor clauses, concentration analysis, and a short list of KRIs. Regulators from the OCC to the EU now expect all four.
What Fourth-Party Risk Management Actually Covers
Fourth-party risk management is the discipline of identifying, assessing, and monitoring the subcontractors behind your direct vendors. A third party signs your contract; a fourth party signs theirs. You hold no agreement with the fourth party, yet its outage or breach lands on your operations and your customers all the same.
The scale problem is arithmetic. A mid-size firm with 200 vendors, each using five subcontractors, is exposed to roughly 1,000 fourth parties, and the chain keeps extending into nth parties beyond that. Nobody can assess a thousand entities a year, which is why everything in third-party risk doctrine gets ruthlessly risk-based one tier down.
| Tier | Who they are | Your visibility | Primary control |
| Third party | Vendors you contract directly | Full: contracts, audits, questionnaires | Standard TPRM due diligence |
| Fourth party | Your vendors’ subcontractors | Partial: disclosures, SOC 2 subservice lists | Mapping plus flow-down clauses |
| Nth party | Subcontractors of subcontractors | Minimal: visible mainly after incidents | Concentration analysis, scenarios |
| Shared dependency | One provider behind many vendors | Hidden until mapped | Dependency map, continuity plans |
None of this replaces the third-party risk management framework you already run; it extends the same lifecycle one contractual step further. The vendor risk assessment questionnaire grows a subcontractor section, and the vendor file grows a dependency map alongside the usual scorecards.
Chart: Fourth-Party Risk Management in Numbers

Figure 1. Four numbers that explain why fourth-party risk management moved onto the 2026 audit plan.
Why Fourth-Party Risk Management Went From Optional to Urgent
Change Healthcare was a fourth party to most of the providers it hurt. Thousands of hospitals and physician practices never signed a contract with it; they bought billing or practice management software that routed claims through Change’s clearinghouse. When BlackCat ransomware took the platform down on February 21, 2024, their cash flow stopped anyway.
UnitedHealth Group paid a $22 million ransom, spent more than $3.1 billion on the response during 2024, and ultimately notified about 190 million people. CEO Andrew Witty told a Senate hearing in May 2024 that attackers used compromised Citrix credentials on a portal with no multi-factor authentication, a detail Congress’s own research service flagged for policymakers.
The trend line behind the headlines points the same direction. Verizon’s 2025 Data Breach Investigations Report found third-party involvement in breaches doubled in a year to 30%, and roughly one in eight third-party breaches now extends onward into a fourth-party incident. Deloitte’s global TPRM survey work prices a single severe third-party incident above $50 million.
Chart: The Fourth-Party Risk Cascade

Figure 2. Vendor-chain breaches by scale, and the MOVEit victim count that kept climbing for a full year.
The Regulatory Push Behind Fourth-Party Risk Management
Europe wrote fourth parties into binding law first. DORA, applying since January 17, 2025, requires financial entities to keep a register of information covering every ICT arrangement, including the subcontracting chains behind critical services.
Article 28 makes firms assess whether long or complex chains impair their ability to monitor the contracted function, as PwC’s DORA briefings spell out.
US banking regulators reached the same place through guidance rather than statute. The June 2023 Interagency Guidance on Third-Party Relationships from the Federal Reserve, FDIC, and OCC tells banks to weigh subcontractor use during due diligence and to contract for subcontractor reporting, audit results, and notification when the chain changes.
Standards close the loop for everyone outside banking. NIST SP 800-161 builds multi-tier supplier analysis into cyber supply chain risk management, CISA’s supply chain security program pushes the same discipline for critical infrastructure, and ISO 28000:2022 gives the certifiable management system frame.
| Regime | Fourth-party requirement | Applies to / since |
| DORA (EU 2022/2554) | Register of information includes subcontracting chains; assess complex chains under Article 28 | EU financial entities, Jan 17, 2025 |
| US Interagency Guidance | Subcontractor use weighed in due diligence; contracts cover reporting, audits, notification | US banking organizations, June 2023 |
| NIST SP 800-161r1 | Multi-tier supply chain risk analysis across suppliers and their suppliers | US federal suppliers and adopters |
| SEC cyber disclosure rules | Material incidents reportable on Form 8-K even when they start at a vendor’s vendor | US public companies, Dec 2023 |
| ISO 28000:2022 | Certifiable security management system spanning the supply chain | Any organization, voluntary |
How to Map Fourth-Party Risk in Four Steps
Mapping beats boiling the ocean. The four steps below concentrate fourth-party risk management effort on the chains that can actually stop revenue or trigger notification duties, using the same risk assessment discipline the rest of the program runs on. Practitioner rule: chase the dependency behind every critical service before touching the long tail.
| Step | What you do | Output |
| 1. Tier | Rank third parties by criticality; only vendors behind critical services get fourth-party work | Short list of critical vendors |
| 2. Extract | Pull subcontractor names from contract disclosures, SOC 2 subservice-organization lists, and questionnaires | Named fourth parties per vendor |
| 3. Map | Chart which fourth parties sit behind which vendors and flag shared dependencies | Dependency and concentration map |
| 4. Assess | Directly assess the critical few; for the rest, evaluate each vendor’s own TPRM program | Risk-rated register entries |
The fastest source of fourth-party names is already in your files. Every SOC 2 report lists subservice organizations and states whether they are carved out of scope or included, and a carve-out is an unassessed dependency wearing an audited label. Contract schedules and supplier program records fill most remaining gaps.
The 2026 State of TPRM survey explains why step four is deliberately narrow. It found only 10% of organizations directly assess fourth parties, 59% instead evaluate how well each vendor runs its own third-party program, and 27% never look at all. The middle path scales; the blind spot does not.
Chart: The Fourth-Party Risk Assessment Gap

Figure 3. How organizations actually handle vendors’ vendors: the 27% who never look carry the MOVEit-shaped blind spot.
Cadence follows criticality once the map exists. Re-verify subcontractor disclosures at every contract renewal and annually for critical vendors, and treat any gap in the map the way assessment frequency guidance treats an overdue review: as a finding that needs an owner and a date.
Contract Clauses and Controls for Fourth-Party Risk Management
You cannot contract with a fourth party, so the contract with your third party has to do the work. Flow-down clauses push your security, notification, and audit expectations one tier deeper, and they are the only enforcement mechanism fourth-party risk management has. The interagency guidance expects exactly this from banks.
| Clause | What it requires | Why it matters |
| Subcontractor disclosure | Vendor names all subcontractors supporting your service, updated on change | You cannot map what nobody must disclose |
| Material-change notification | Advance notice before a critical subcontractor is added or replaced | Stops silent swaps into weaker providers |
| Flow-down requirements | Vendor imposes your core security and privacy terms on its subcontractors | Extends control one tier past your contract |
| Audit and assurance rights | Vendor supplies SOC 2 or equivalent covering subservice organizations | Carve-outs surface instead of hiding |
| Incident notification | Defined hours-based notice for incidents anywhere in the chain | You hear it from the vendor before the news |
| Exit and continuity plan | Tested plan for losing the vendor or its key subcontractor | Concentration failures need a rehearsed exit |
Controls then keep the paper honest. Wire subcontractor-disclosure checks into the risk and control self-assessment, and run the dependency map through a business impact analysis so the fourth party behind your revenue cycle gets continuity treatment, with incident response and continuity plans that name it.
Resilience work rounds out the control set. Scenario planning for supply chain failures rehearses the shared-dependency outage before it happens, and building redundancy into the supply chain is the only cure for a fourth party that no contract clause or audit right can reach.
KRIs and a Worked Example for Fourth-Party Risk Management
Picture a regional insurer mapping the subcontractors behind its 120 critical third parties. The finished map shows 68 vendors running on Amazon Web Services, 41 on Microsoft Azure, 23 clearing payments through one processor, 19 routing claims through one clearinghouse, and 15 moving files with the same managed transfer tool.
No single vendor on that list looks risky in isolation. The exposure is the overlap: one regional AWS event touches 57% of the critical vendor base at once, and the file transfer cluster is a MOVEit rerun waiting for a CVE. Concentration is what a fourth-party map exists to reveal.
Chart: A Fourth-Party Risk Concentration Map

Figure 4. The worked example’s concentration map: shared dependencies, invisible vendor by vendor, dominate the risk.
The July 2024 CrowdStrike outage made the same point without a single attacker. One bad content update reached about 8.5 million Windows devices, grounded airlines, and hit firms that had never bought CrowdStrike because their service providers ran it. Shared dependency, on its own, was the whole loss event.
Six key risk indicators turn the map into a standing report. Develop them against the risk appetite statement, and give them a row on the KRI dashboard beside the supply chain indicators the board already tracks in its quarterly pack.
| Fourth-party KRI | Warning threshold | Owner |
| Critical vendors with unmapped subcontractors | Above 10% of the critical list | Third-party risk lead |
| SOC 2 subservice carve-outs left unassessed | Any | Vendor risk analyst |
| Critical vendors sharing one fourth party | Above 15% of the critical list | Chief risk officer |
| Subcontractor-change notices overdue | Any | Contract manager |
| Chain incidents learned from news, not the vendor | Any | Security operations |
| Dependency map older than 12 months | Any critical vendor | Third-party risk lead |
Findings flow into the risk register as scored entries with owners, and the whole exercise repeats through the normal risk management lifecycle. ISO 31000 supplies the process spine here exactly as it does for the enterprise framework above it.
Fourth-Party Risk Management: Frequently Asked Questions
What is fourth-party risk management?
Fourth-party risk management is the practice of identifying and controlling risk from your vendors’ own subcontractors and service providers. You have no direct contract with these entities, so the program relies on dependency mapping, flow-down contract clauses, concentration analysis, and monitoring instead of direct oversight.
What is the difference between third-party and fourth-party risk management?
Third-party risk management covers vendors you contract and can question, audit, and exit directly. Fourth-party risk management covers the subcontractors behind them, where you control nothing directly and work through your vendor’s contract instead. The tooling shifts from questionnaires toward mapping, clauses, and concentration analysis.
How do you identify fourth parties in fourth-party risk management?
Start with what vendors already disclose: contract schedules, SOC 2 subservice-organization lists, and privacy notices name most critical subcontractors. Add a subcontractor section to the vendor questionnaire, and use external attack-surface scanning to catch dependencies nobody disclosed. Renewal is the natural checkpoint to re-verify.
Does DORA require fourth-party risk management?
Yes, in substance. DORA’s register of information must cover subcontracting chains behind critical ICT services, and Article 28 requires financial entities to assess whether long or complex chains impair monitoring. EU supervisors can also designate critical ICT providers for direct oversight, which is regulation aimed squarely at shared fourth parties.
How many fourth parties should a fourth-party risk management program monitor?
Far fewer than exist. With 200 vendors averaging five subcontractors each, the theoretical population is 1,000, so mature programs map subcontractors only behind critical vendors and directly assess only shared or single-point-of-failure dependencies. Ten to thirty entities under active watch is typical for a mid-size firm.
What KRIs belong in fourth-party risk management reporting?
Track the share of critical vendors with unmapped subcontractors, unassessed SOC 2 carve-outs, and the number of critical vendors sharing a single fourth party. Add overdue subcontractor-change notices, chain incidents you learned about from the news, and the age of the dependency map.
Pitfalls and Remedies in Fourth-Party Risk Management
Programs fail here in predictable ways, and most of the failures echo an enforcement action or an outage somebody already suffered. Six show up constantly in fourth-party risk management reviews; each pairs with a remedy that has held up in practice.
| Pitfall | Root Cause | Remedy |
| Trying to assess every fourth party | Completeness instinct applied to a 1,000-entity population | Risk-based tiering; map critical chains, assess the shared few |
| Treating SOC 2 carve-outs as coverage | Report skimming stops at the opinion page | Log every subservice carve-out as an open assessment item |
| No subcontractor clauses in contracts | Legacy templates predate fourth-party expectations | Add disclosure, notification, flow-down, and audit clauses at renewal |
| Concentration nobody has totaled | Vendor files reviewed one at a time | Build the shared-dependency view; report the top five overlaps |
| Learning about chain incidents from the news | No notification clause and no external monitoring | Hours-based notice terms plus continuous monitoring on critical chains |
| Map built once and shelved | Project mindset instead of lifecycle mindset | Refresh at renewal and annually; KRI on map age |
Looking Ahead: Fourth-Party Risk Management in 2026-2027
Regulators are about to see the concentration picture before most boards do. DORA registers of information now flow to EU supervisors, who use them to designate critical ICT providers for direct oversight, and the first designation rounds are turning shared fourth parties into named, supervised entities. Expect US examiners to borrow the lens.
AI vendors are quietly becoming the newest fourth-party layer. Nearly every SaaS product in the stack now embeds a model provider, so a handful of AI platforms are accumulating the same concentration profile cloud providers built over the last decade. Subcontractor disclosure requests should start asking about model dependencies now.
Tooling is catching up to the mapping problem. Adoption of dedicated TPRM platforms reached 64% of organizations, up 19% in a year, and continuous external monitoring is displacing the annual questionnaire on critical chains. The map that took a quarter to build by hand increasingly assembles itself from telemetry.
The 2026 to-do list is short: get subcontractor disclosure into every critical contract at renewal, finish the concentration map, and put the six KRIs in front of the board. MOVEit, Change Healthcare, and CrowdStrike each punished a blind spot somebody could have mapped a year earlier.
Infographic: The Fourth-Party Risk Management Dependency Tree

Figure 5. Fourth-party risk management as a hierarchy: your risk runs the full depth of the vendor tree, so the map must too.
Get Ahead of Fourth-Party Risk
Risk Publishing helps US risk and procurement teams build fourth-party risk management programs that survive an examiner’s questions, from the dependency map to the board KRI report. Review our services, then contact us before the next MOVEit finds the chain you have not mapped.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.