
The Executive's Guide to Managing Fourth-Party Risk: When Your Vendors' Vendors Become Your Problem
Your supply chain risk extends beyond direct vendors to their suppliers and subcontractors. Learn how to identify, assess, and manage fourth-party risks before they become compliance headaches or security breaches.
Your supply chain risk extends far beyond the vendors you know. It reaches into the vendors your vendors rely on, the cloud platforms they host on, and the subcontractors they never told you about. Until one of them gets breached, and your regulators, customers, and board want answers.
This is the reality of fourth-party risk. And most organizations are dangerously underprepared.
Fourth-party breaches now account for 4.5% of all breaches, creating cascading downstream failures (SecurityScorecard). That may sound small until you realize that 12.7% of third-party breaches extended into fourth-party incidents. Meanwhile, only 10% of organizations conduct direct risk assessments of fourth parties, and 27% do not assess or monitor fourth parties at all (Venminder). That gap between exposure and oversight represents a material risk to your business.
The Breach Data Has Changed the Conversation
The numbers from 2025 should concern every executive.
Verizon's 2025 DBIR found that breaches involving a third party jumped to 30%, up from roughly 15% the previous year. SecurityScorecard's 2025 Global Third Party Breach Report points in the same direction: 35.5% of breaches are linked to third-party access.
The financial impact is equally striking.
Supply chain compromise accounts for 15% of breaches at an average cost of $4.91 million. These supply chain attacks take the longest to detect and contain, 267 days on average, because they exploit trust relationships between organizations and their vendors (IBM Cost of a Data Breach 2025).
And the fourth-party dimension makes this exponentially worse.
96% of Europe's top 100 financial institutions experienced at least one third-party breach in the past year, and 97% had a breached entity within their fourth-party ecosystem, up from 84% (SecurityScorecard Europe Financial Report 2025). 79% of organizations lack visibility into their nth-party ecosystems.
**Board Brief:** Your organization's breach exposure is no longer limited to the vendors you directly contract with. Nearly one in three breaches now originates through a third party, and fourth-party risk is the fastest-growing blind spot in enterprise security. If your board isn't discussing this, you're behind.
Regulatory Pressure Is Accelerating
Regulators have moved from suggestions to mandates. Multiple frameworks now explicitly require organizations to understand and manage risk beyond first-tier vendors.
DORA: Financial Services Under the Microscope
DORA makes third-party risk management one of its main pillars (DORA). The provision of ICT services to financial entities often depends on a complex chain of ICT subcontractors, whereby ICT third-party service providers may enter into one or more subcontracting arrangements with other ICT third-party service providers. DORA formalises detailed obligations on outsourcing, due diligence, monitoring, and exit planning; financial entities must maintain an up-to-date register of all ICT service providers and assess concentration risk across their supply chain. Individuals can face fines of up to €1 million for noncompliance with DORA requirements.
NIS2: Broadening the Scope
NIS2 calls out "Security around supply chains" as one of its 10 Minimum Measures. NIS2 broadens the categories of "important" and "essential" entities subject to the regulation and imposes new requirements for supply chain security, risk assessments, incident reporting, and third-party risk management. Non-compliance penalties under NIS2 can reach up to €10 million or 2% of turnover, whichever is higher.
NIST CSF 2.0: The Global Blueprint
NIST CSF 2.0 highlights the incorporation of supply chain and third-party risk management as part of the new GOVERN (GV) Function (NIST CSF 2.0). The controls within the GV.SC category guide organizations in establishing processes to ensure that critical third parties consistently maintain appropriate cybersecurity standards. It is the most detailed category, comprising 10 subcategories, more than any other in the framework.
Third-Party vs. Fourth-Party Risk: What Executives Must Understand
Fourth-party risk management is the process of identifying, assessing, and mitigating cybersecurity and operational risks posed by your vendors' vendors. While you contract directly with third parties, fourth parties operate in the background, often invisible until something goes wrong.
Fourth-party risk management isn't about managing fourth parties directly, because you can't. It's about making certain your third parties have solid TPRM programs of their own and that they're cascading your risk standards down the supply chain. You're managing risk through influence and contractual requirements, not through direct control.
| Dimension | Third-Party Risk | Fourth-Party Risk |
|---|---|---|
| Contractual Relationship | Direct contract with your organization | No direct contract; managed through your vendor |
| Audit Rights | Enforceable through contract terms | Limited or none without contractual flow-down clauses |
| Visibility | Discoverable through assessments and questionnaires | Often unknown until a breach occurs |
| Breach Frequency | 30% of all breaches (Verizon DBIR 2025) | 4.5% of all breaches; 12.7% of third-party breaches cascade (SecurityScorecard) |
| Average Breach Cost | $4.91M for supply chain compromises (IBM 2025) | Higher due to extended detection time and complexity |
| Regulatory Requirement | Established across DORA, NIS2, SEC, NIST CSF 2.0 | Increasingly mandated; DORA explicitly requires subcontractor due diligence |
| Management Approach | Direct assessment, monitoring, and contractual enforcement | Indirect: validate vendors' own TPRM programs and cascade requirements |
| Industry Adoption | Mature in regulated sectors; growing elsewhere | Only 10% conduct direct fourth-party assessments (Venminder 2025) |
The KPMG Wake-Up Call
Third-party risk continues to evolve rapidly, with regulatory compliance and cyber risk now the primary drivers shaping TPRM strategies across the globe. As organizations face an unprecedented pace of change and increasing threats, the 2026 KPMG Global TPRM Survey explores how leaders are responding to these challenges. Regulatory compliance (48%) and cyber risk (37%) are the top drivers of TPRM strategies. Yet Nth-party visibility remains a critical gap for most organizations surveyed.
The Concentration Risk Problem
A small group of third-party providers supports much of the world's technology and infrastructure, creating an extreme concentration of risk. When even one of these providers is compromised, the ripple effects can disrupt thousands of organizations simultaneously. Think about how many of your vendors rely on the same handful of cloud providers, identity platforms, or payment processors. That shared dependency creates a fourth-party concentration risk that few boards are measuring.
The Cyber Insurance Factor
Cyber insurance carriers are tightening requirements. Insurers increasingly ask about vendor risk management maturity during underwriting and may deny claims if fourth-party risks weren't assessed. The message is clear: if you can't demonstrate that you understand your extended supply chain, you're on your own when something breaks.
Framework Alignment: Building a Fourth-Party Risk Program
The good news: you don't need to start from scratch. Established frameworks provide a solid foundation. The NIST CSF 2.0 GV.SC category offers a comprehensive blueprint.
GV.SC-07 requires that risks posed by suppliers, their products and services, and other third parties are understood, recorded, prioritized, assessed, responded to, and monitored. GV.SC-05 requires that cybersecurity risk requirements are established, prioritized, and integrated into contracts and other types of agreements with suppliers.
Aligning with ISO 27001 Control A.5.19 (Supplier Relationships) and mapping to DORA's subcontracting requirements creates an integrated governance model that satisfies multiple obligations simultaneously.
The risk for most organizations isn't non-compliance but inefficiency: duplicating effort across DORA, ISO 27001, NIS2, and GDPR compliance rather than taking an integrated approach.
Your Fourth-Party Risk Readiness Checklist
Use this assessment to identify gaps in your current program:
If you checked fewer than five items, your organization has material gaps in fourth-party risk governance. Every unchecked box represents potential regulatory exposure, financial liability, and operational disruption.
**Key Insight:** Fourth-party risk management isn't about boiling the ocean. It's about ensuring your critical vendors cascade your risk standards through their own supply chains. Start with your top 20 vendors. Validate their TPRM programs. Require subcontractor disclosure in contracts. Build from there.
How I Help
Managing fourth-party risk requires strategic leadership that bridges security, compliance, procurement, and the board. With 20+ years of experience advising organizations on supply chain security and regulatory compliance, I help executives translate this complexity into pragmatic, measurable programs.
Here's how my services align to the challenges outlined above:
Virtual CISO Services: I design and lead fourth-party risk programs, building governance structures, vendor assessment frameworks, and board reporting cadences that give you visibility into your extended supply chain.
Compliance Advisory: I map your current TPRM practices against DORA, NIS2, SEC disclosure requirements, and NIST CSF 2.0, identifying gaps and building integrated compliance strategies that avoid duplicated effort.
Board Advisory: I translate fourth-party risk into language your board understands, connecting technical exposure to financial impact, regulatory liability, and strategic risk appetite.
Security Architecture: I help design vendor tiering models, continuous monitoring architectures, and contractual frameworks that make fourth-party oversight scalable and sustainable.
AI Governance: As vendors increasingly embed AI into their services, understanding how your supply chain uses AI, and the risks that introduces, becomes an essential extension of fourth-party risk management.
Struggling to map your extended supply chain or meet evolving regulatory demands for Nth-party risk? Let's build a pragmatic, compliant fourth-party risk management program that protects your bottom line.
Adil Karam
Security & AI Governance Advisor
Helping organizations navigate security leadership and AI governance challenges.