{"id":3836,"date":"2025-07-04T07:00:00","date_gmt":"2025-07-04T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3836"},"modified":"2025-07-04T07:00:00","modified_gmt":"2025-07-04T07:00:00","slug":"cybersecurity-in-the-supply-chain-strategies-for-managing-fourth-party-risks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3836","title":{"rendered":"Cybersecurity in the supply chain: strategies for managing fourth-party risks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Fourth-party vendors have become a serious supply chain cybersecurity blind spot. Unlike third parties with direct contractual relationships, fourth parties \u2014 the suppliers your vendors rely on \u2014 often operate in the shadows, leaving organizations with little visibility and limited control.<\/p>\n<p>\u201cMost CISOs are still playing defense when it comes to fourth-party risk, treating it like a black box because they don\u2019t have direct control,\u201d says Steve Tcherchian, CISO at XYPRO. \u201cBut the truth is, if you can\u2019t name your vendor\u2019s critical dependencies, you\u2019re betting your business on blind trust.\u201d<\/p>\n<p>To close these gaps, security leaders are adopting layered strategies to assess, monitor, and mitigate risks stemming from these downstream relationships. 
Only by embedding security deep into vendor ecosystems \u2014 and empowering your primary vendors to do the same \u2014 can enterprises reduce the risk that a distant subcontractor becomes the next weak link.<\/p>\n<p>The following approaches can help security teams uncover and manage risks hidden in fourth-party relationships, where visibility and control are often weakest.<\/p>\n<h2 class=\"wp-block-heading\">Start with supply chain mapping to uncover hidden dependencies<\/h2>\n<p>The first step in managing fourth-party risk is knowing who these vendors are. Yet many organizations struggle to identify them at all. \u201cA good best practice is to ask your direct vendors who they rely on, especially for critical services like hosting, support, data storage, or development,\u201d says Erez Tadmor, field CTO at Tufin.<\/p>\n<p>Tadmor says that organizations should use tools such as domain analysis or external risk scans to uncover hidden relationships. \u201cSimply put, you can\u2019t monitor what you don\u2019t know exists. Supply chain mapping tools help, but they\u2019re only as good as the data you can get.\u201d<\/p>\n<p>Tcherchian recommends that companies use <a href=\"https:\/\/www.csoonline.com\/article\/573185\/what-is-an-sbom-software-bill-of-materials-explained.html\">software bills of materials<\/a>, DNS telemetry and <a href=\"https:\/\/www.csoonline.com\/article\/3984720\/threat-intelligence-platform-buyers-guide-how-to-pick-the-best-platform.html\">threat intelligence<\/a> to identify the partners their vendors depend on and look for risks further down the supply chain. \u201cThe hardest problem isn\u2019t technical, it\u2019s cultural,\u201d he says. \u201cYou have to get your [primary vendors] to treat supply chain security as their problem too.\u201d<\/p>\n<p>Lenovo offers an example of how this approach is put into practice. 
Through its Trusted Supplier Program, the company requires its Tier 1 vendors to monitor and secure their own critical suppliers \u2014 Lenovo\u2019s fourth-party partners. \u201cWe mandate cascading security controls and conduct routine risk assessments across these relationships,\u201d says Doug Fisher, Lenovo\u2019s chief security and AI officer.<\/p>\n<h2 class=\"wp-block-heading\">Set clear data boundaries<\/h2>\n<p>The reality is that any organization consuming third-party software-as-a-service offerings and services has extremely limited control over the partners that their third parties are working with, says Curtis Simpson, CISO at Armis.<\/p>\n<p>\u201cThis is why it\u2019s critically important to understand the sub-processors involved in the delivery of contracted SaaS offerings and services, the outcomes that those sub-processors are responsible for, and the data required to deliver those outcomes,\u201d he says.<\/p>\n<p>\u201cThe first and most important step to begin enforcing security standards for fourth parties is to ensure that third parties have access only to the data required to deliver an offering and that any subset of that data being shared with their partners is equally purposeful and appropriate,\u201d he adds. \u201cContractually, it\u2019s important to ensure that an appropriate and reasonable level of liability is assigned to third parties in case their partners are breached and such data is lost.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Extend cybersecurity oversight using standard risk frameworks<\/h2>\n<p>Once relationships are mapped, the next challenge is extending security governance beyond immediate vendors. 
Many organizations are adopting industry standards, such as NIST SP 800-161, ISO\/IEC 27036, and SOC 2, to apply consistent expectations to all tiers of the supply chain.<\/p>\n<p>\u201cNIST SP 800-161 and the updated NIST Cybersecurity Framework 2.0 treat supply chain risk management as a strategic imperative, offering structured guidance for addressing risks at all levels,\u201d Christos Tulumba, CISO at Cohesity, says.<\/p>\n<p>ISO\/IEC 27036 specifically focuses on securing supplier relationships, while the Shared Assessments tools, such as the Standardized Information Gathering questionnaire and the Standardized Control Assessment, allow for deeper due diligence into both third and fourth parties, according to Tulumba.<\/p>\n<p>\u201cIn terms of practical approaches, leading organizations now require vendors to disclose their critical sub-processors and fourth parties, implement risk-tiered oversight models with continuous monitoring, and mandate adherence to established control frameworks like CIS Controls or ISO 27001 for all material vendors and their subcontractors,\u201d he notes.<\/p>\n<h2 class=\"wp-block-heading\">Use contracts to hold vendors and their suppliers accountable<\/h2>\n<p>Because companies rarely have direct contracts with fourth parties, they must rely on their vendors to enforce legal protections with these fourth parties.<\/p>\n<p>The most common mechanism is the flow-down clause, a contractual requirement for third parties to impose equivalent cybersecurity standards on their own vendors. 
These clauses often address data protection, breach notification, secure development practices and audit rights.<\/p>\n<p>\u201cTo enforce security standards downstream, companies typically build in flow-down obligations \u2014 contract clauses that require third-party vendors to impose the same, or equivalent, security requirements on all their subcontractors,\u201d says Paul Malie, a partner at Tucker Ellis.<\/p>\n<p>He adds that strong contracts should also include audit rights to inspect fourth-party practices, subcontractor approval clauses, and indemnification provisions that hold vendors liable for breaches caused by their suppliers.<\/p>\n<p>Flow-down clauses, audit rights, and change notification clauses give companies the levers they need to enforce security requirements deeper into the vendor ecosystem, says Tulumba.<\/p>\n<h2 class=\"wp-block-heading\">Balance the need for visibility with vendor confidentiality<\/h2>\n<p>Striking the right balance between transparency and discretion becomes even more complex when dealing with fourth-party relationships. While visibility into these indirect vendors is essential for managing risk, demanding too much disclosure can strain trust and compromise proprietary information.<\/p>\n<p>As businesses grow more interconnected, companies rely heavily on third-party vendors that often have their own subcontractors, creating complex layers of downstream dependencies.<\/p>\n<p>\u201cIt becomes a delicate balancing act of deciding how much information to share while protecting proprietary information and IP,\u201d says Mandy Andress, CISO at Elastic. \u201cThe key lies in understanding the business model, potential outcomes, planning proactively, and implementing risk mitigation strategies to protect against damaging scenarios.\u201d<\/p>\n<p>Achieving complete transparency across a vast and layered supply chain is often unrealistic. 
Instead, organizations should focus on their most critical dependencies and apply oversight where exposure is highest.<\/p>\n<p>\u201cMany organizations recognize this and adopt a risk-based sampling approach, prioritizing oversight based on criticality and exposure rather than attempting full control,\u201d Tulumba notes. \u201cUltimately, effective governance hinges more on fostering accountability and trust rather than enforcing granular visibility at every level.\u201d<\/p>\n<p>Reiko Feaver, partner at CM Law, adds that sharing of any confidential information \u2014 whether directly or passed down to contractors, agents, or representatives \u2014 should be governed by strong confidentiality obligations. She emphasizes that the direct supplier is responsible for protecting its own proprietary information and that of its vendors.<\/p>\n<p>\u201cI can\u2019t see how it\u2019s reasonable for the direct vendor to withhold these relationships from its customers,\u201d Feaver says. \u201cIt would be up to the direct vendor to protect that information vis-a-vis its customer. It is common to restrict disclosures of certain types of proprietary information from disclosure to or use by competitors. Of course, the more confidential information is gathered the more risk of a violation of confidentiality obligations and associated liability.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Move beyond point-in-time audits<\/h2>\n<p>Many companies still depend on annual questionnaires or compliance attestations to assess vendor security \u2014 an approach that\u2019s dangerously outdated. 
Continuous monitoring is absolutely crucial when it comes to reducing risk.<\/p>\n<p>\u201cThe majority [of companies] continues to focus primarily on direct third-party vendors, often relying on self-attestations or point-in-time assessments that fail to capture downstream risk,\u201d says Tulumba.<\/p>\n<p>As a result, companies usually find out about fourth parties only after something goes wrong, such as a security breach, a service outage, or during regulatory audits, he says. And finding out about issues only after they happen shows why it\u2019s important to have constant and active monitoring in place.<\/p>\n<p>Adding to this view, Jim Routh, chief trust officer at Saviynt, argues that the future of risk management lies in real-time, data-driven scoring, not outdated surveys. \u201cQuestionnaires are inadequate,\u201d he says. \u201cWe need to apply data science to track risk daily and educate regulators and auditors on why that\u2019s necessary.\u201d<\/p>\n<p>A vulnerability discovered today could be exploited tomorrow. For that reason, relying solely on point-in-time assessments or third-party attestations isn\u2019t enough to manage fourth-party risk, Lorri Janssen-Anessi, director of external cyber assessments at BlueVoyant, says. When companies lack direct contracts with fourth parties and therefore can\u2019t enforce audits or specific controls, external intelligence becomes essential.<\/p>\n<p>However, putting continuous monitoring into practice becomes even more difficult in complex global supply chains.<\/p>\n<p>\u201cThe greatest challenge is gaining timely, accurate insight into the security posture of globally distributed, multilayered suppliers, especially those not under direct contract,\u201d says Fisher. 
\u201cLenovo addresses this with a layered approach: we combine geopolitical risk analytics, automated supplier scoring, and industry threat intelligence feeds with hands-on audit activity.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Make fourth-party risk a shared responsibility<\/h2>\n<p>Finally, managing fourth-party risk isn\u2019t just a security problem \u2014 it\u2019s an organizational one.<\/p>\n<p>The most effective shift in managing fourth-party risk has been internal alignment, which means working closely with procurement, legal, and engineering to treat fourth-party risk as a shared responsibility, says Swapnil Deshmukh, cybersecurity executive at Certus Cybersecurity Solutions.<\/p>\n<p>Deshmukh emphasizes the need for cross-functional coordination to embed security into every layer of the supply chain. However, that internal groundwork must be matched by external diligence, says Andress.<\/p>\n<p>\u201cIt all comes back to building a strong chain of trust,\u201d says Andress. \u201cThat involves carefully selecting reputable third parties and ensuring that they are also picking trusted vendors with strong protections.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Fourth-party vendors have become a serious supply chain cybersecurity blind spot. Unlike third parties with direct contractual relationships, fourth parties \u2014 the suppliers your vendors rely on \u2014 often operate in the shadows, leaving organizations with little visibility and limited control. 
\u201cMost CISOs are still playing defense when it comes to fourth-party risk, treating it [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3837,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3836","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3836"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3836"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3836\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3837"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}