You're overseeing your third-party vendors, but are you thinking about fourth- and Nth-party risk?
Most financial organizations have established third-party risk management (TPRM) programs, but vendor ecosystems don't stop there. When you outsource to a vendor, you're also outsourcing a chain of dependencies — and every layer carries its own risk. According to our 2026 State of TPRM Survey Report, 26% of financial institutions don't assess fourth-party risk while others try to chase down every subcontractor in the ecosystem. Neither approach holds up to examiner scrutiny.
Let’s explore fourth-party risk, including a framework for calibrating oversight depth and how to make it all defensible to examiners.
Table of Contents
- What is fourth-party risk?
- What regulators say about fourth-party risk
- Where fourth-party risks appear
- How to determine fourth-party oversight
- How to manage fourth-party risk
Related: Watch Joe dive deeper into all things fourth-party risk in our on-demand webinar.
What is Fourth-Party Risk?
A fourth party is any vendor, subcontractor, or service provider that your vendor relies on to deliver services. Fourth-party risk is the exposure that comes from those relationships. You don’t have a direct relationship with these entities, but their performance — or failure — still affects you.
For example, if your portfolio management platform relies on a cloud provider, or your payment processor depends on a telecommunications network, a disruption at that level can impact your organization through a party you never engaged.
And the chain doesn’t stop there. Fifth parties, sixth parties, and beyond — collectively referred to as Nth-party risk — are all part of the same ecosystem.
Related: What Are First, Second, Third, Fourth, Fifth, and Nth-Party Risks?
What Do Regulators Say About Fourth-Party Risk?
Regulatory agencies, including the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), Federal Financial Institutions Examination Council (FFIEC), and the Federal Reserve, are clear that banks are responsible for activities conducted through their third parties. FINRA guidance tells organizations to “assess the risk of any fourth-party vendors handling firm data.”
The NCUA, the SEC, the Fannie Mae Seller/Servicer Guide, and others also address vendor management, saying that organizations are ultimately responsible for the actions of their vendors — and by extension their contractors. In other words, you don’t have to manage fourth parties directly, but you do own the risk they create.
The Role of SOC Reports in Fourth-Party Risk
SOC reports are one of the most practical ways to understand fourth-party risk because they show how your vendor’s control environment operates — including its use of subcontractors.
A System and Organization Controls (SOC) report is an independent audit of a vendor’s controls, conducted under SSAE 18, the AICPA standard for evaluating service organizations. It evaluates a vendor’s internal controls and provides visibility into how it manages key dependencies, giving you a window into how it manages fourth parties.
For financial institutions, SOC 2 Type 2 reports are the most relevant. These reports disclose subservice organizations — your vendor’s vendors — and make clear whether their controls are part of the audit. When those controls are included, they’ve been tested. When they’re excluded, they haven’t, and that gap needs to be addressed.
In those cases, the next step is to obtain the subcontractor’s SOC report or document your rationale for accepting the residual risk.
Download: SOC 1, SOC 2, and SOC 3 Reports: Know the Differences
NIST SP 800-161
NIST SP 800-161 is a supply chain risk management framework published by the National Institute of Standards and Technology, widely referenced as a best practice for managing extended vendor relationships — including fourth-party risk. It isn't a regulatory requirement, but where regulatory guidance sets the expectations, NIST SP 800-161 provides the playbook for meeting them, building on tools like SOC reports to develop real supply chain intelligence.
Related: What Bankers Need to Know About NIST 2.0: The Role of Governance and Third-Party Risk Management in Cybersecurity
Where Does Fourth-Party Risk Show Up?
Your organization may be exposed to fourth- and Nth-party risks without even knowing it.
Operational risk
Operational risk occurs when your vendor's infrastructure fails, and there's nothing your organization can do about it.
Let’s say your financial organization uses a core processor with a clean SOC 2 report and a validated business continuity plan. What isn't visible: the processor hosts all its infrastructure on a single Amazon Web Services (AWS) region with no multi-region failover. When AWS East-1 experienced a significant outage in December 2021, organizations in exactly that position saw customers locked out of online banking, mobile apps fail, and ATMs go offline — all caused by a party they had no contract with, no audit rights over, and no ability to demand remediation from.
Top tip: Ask your vendors what infrastructure they rely on and whether there’s redundancy. At a minimum, the exposure must be documented.
Related: Mastering Operational Risk: A Guide for Financial Institutions
Data risk
Most financial organizations know they're responsible for protecting customer data. What catches them off guard is how far that responsibility extends.
Imagine a loan origination vendor sending a group of borrowers’ personally identifiable information (PII) to a third-party analytics platform to power performance dashboards. The lender contracts with the loan origination vendor, not the analytics platform, and doesn’t know the data has been shared with a fourth party. When the analytics platform experiences a breach, borrower data — names, Social Security numbers, income documentation — is exposed. Under the Gramm-Leach-Bliley Act (GLBA), that's the lender's liability.
Top tip: Require vendors to disclose all subcontractors with data access, impose equivalent security standards, and provide notification of any breach. Without it, there's visibility into the relationship but no leverage over it.
Related: Creating Reliable Risk Assessments: How to Measure Data Security/GLBA Risk
Concentration risk
Many FIs don't even know they have concentration risks until something goes wrong.
In November 2025, Cloudflare experienced a major global outage caused by a configuration error in its bot management system. The outage lasted four hours, and banking apps, payment processors, and digital banking platforms went down. Over 2.1 million issues were reported to Downdetector, which itself went down because it relies on Cloudflare.
Banking apps, payment processors, and digital banking platforms weren't owned by the same company or located in the same region — but all three went down simultaneously because they shared the same underlying infrastructure. Vendor diversification doesn't eliminate concentration risk if the vendors themselves share the same dependency, and many business continuity plans (BCPs) aren't built to account for it.
Top tip: Map dependencies across your critical vendor inventory and watch for shared infrastructure across cloud providers, telecommunications backbones, payment rails, data centers, and authentication providers.
Related: TPRM 101: Top Third-Party Vendor Risks for Financial Institutions
How much fourth-party risk oversight is enough? A risk-based escalation framework
Knowing where fourth-party exposure lives is only half the equation; the other half is deciding how much oversight each risk warrants.
The biggest mistake is treating every fourth party the same, whether that means ignoring downstream risk entirely or chasing every subcontractor in the ecosystem. Tiering fourth-party oversight is essential for efficient vendor management, and the depth of oversight at each tier should reflect impact.
| Tier | When it applies | What it requires |
| --- | --- | --- |
| Visibility | Non-critical service; limited data exposure; low disruption risk | Document the fourth party, maintain an inventory, require notification of subcontractor changes, and confirm the vendor is providing adequate oversight |
| Enhanced Validation | Sensitive data is involved, or an operational dependency exists | Review SOC 2 subservice disclosures for carved-in vs. carved-out status; assess concentration risk; require contractual flow-down; validate the vendor's oversight of the fourth party |
| Targeted Deep Oversight | Systemic risk, core infrastructure, or significant regulatory exposure | Board-level visibility, scenario testing, and resilience validation. This level is exception based. Apply it to every fourth party and the program will collapse under its own weight |
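The dependency mapping recommended under concentration risk and the tiering in the table above can be worked through on a small inventory. The following is an added example, not code from the page or from Ncontracts: the vendor and provider names are hypothetical, and the rule that a provider shared by several direct vendors is escalated to the top tier is an assumption made here, not a rule the page states.

```python
from collections import defaultdict
# Constructed sample inventory (hypothetical names, not from the page): provider ->
# providers it relies on. Anything reached only through a direct vendor is an Nth party.
DEPENDENCIES = {
    "CoreProcessor": ["CloudRegionA"],
    "OnlineBanking": ["CoreProcessor", "EdgeCDN"],
    "PaymentsGateway": ["EdgeCDN", "TelcoBackbone"],
    "StatusPage": ["EdgeCDN", "EmailRelay"],
    "LoanOrigination": ["AnalyticsPlatform"],
    "AnalyticsPlatform": ["CloudRegionA"],  # a fifth party for the institution
}
# Direct vendors with the risk attributes the tier table keys on.
VENDOR_PROFILE = {
    "CoreProcessor":   {"sensitive_data": True,  "operational": True,  "systemic": True},
    "OnlineBanking":   {"sensitive_data": True,  "operational": True,  "systemic": False},
    "PaymentsGateway": {"sensitive_data": False, "operational": True,  "systemic": False},
    "StatusPage":      {"sensitive_data": False, "operational": False, "systemic": False},
    "LoanOrigination": {"sensitive_data": True,  "operational": False, "systemic": False},
}

def transitive_dependencies(vendor, graph=DEPENDENCIES):
    """Every provider reachable from vendor, however many hops down the chain."""
    seen, stack = set(), list(graph.get(vendor, []))
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.add(p)
            stack.extend(graph.get(p, []))
    return seen

def concentration_map(profiles=VENDOR_PROFILE, graph=DEPENDENCIES):
    """Provider -> sorted direct vendors that (transitively) depend on it; shared only."""
    exposure = defaultdict(set)
    for v in profiles:
        for p in transitive_dependencies(v, graph):
            exposure[p].add(v)
    return {p: sorted(vs) for p, vs in exposure.items() if len(vs) > 1}

def oversight_tier(provider, profiles=VENDOR_PROFILE, graph=DEPENDENCIES):
    """Tier an Nth party by the riskiest direct vendor that depends on it.
    Assumption: a provider shared by several direct vendors is treated as core
    infrastructure (concentration risk) and escalated to the top tier."""
    dependents = [v for v in profiles if provider in transitive_dependencies(v, graph)]
    if not dependents:
        return None
    if len(dependents) > 1 or any(profiles[v]["systemic"] for v in dependents):
        return "Targeted Deep Oversight"
    if any(profiles[v]["sensitive_data"] or profiles[v]["operational"] for v in dependents):
        return "Enhanced Validation"
    return "Visibility"
```

Running `concentration_map()` on this inventory surfaces the two shared providers (the cloud region and the CDN) even though no direct vendor lists them as the same dependency, which is the situation the Cloudflare and AWS examples describe.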
How to Manage Fourth-Party Risk
Fourth-party risk follows the TPRM lifecycle, which covers the full span of a vendor relationship from initial identification and due diligence through contracting, ongoing monitoring, and eventual offboarding, but with an added layer of visibility into your vendors' vendor relationships.
Here’s a breakdown of some of the most important steps in managing fourth-party risk:
Identification
You can't manage what you don't know exists. Start by building fourth-party questions directly into vendor due diligence questionnaires:
- Does your organization use subcontractors to deliver services to us?
- What cloud hosting or network infrastructure providers do you rely upon?
Contracts and Flow-Down
Contracts should require vendors to disclose material subcontractors before work begins, provide advance notice of any changes, flow down the same security and compliance standards, report subcontractor breaches on the same timeline as their own, and extend audit rights to material subcontractors.
When negotiating with large vendors, leverage is limited. If you can't get everything, prioritize disclosure, incident reporting, and flow-down of security standards. Those three create defensibility even when the rest is out of reach.
Related: Ghosted by a Vendor? Here’s How to Get Due Diligence Documents
Ongoing Monitoring
Ongoing monitoring is what keeps identification and contracts from becoming a one-time exercise.
During vendor reviews, ask how vendors manage their own subcontractors and request their vendor management policy and subcontractor onboarding process. Using oversight tiers as a guide, re-examine subservice disclosures in updated SOC reports each year, run a concentration risk analysis at least quarterly, and make sure fourth-party exposure is showing up in board and risk committee reporting as needed.
Related: 4 Reasons to Add Cyber Monitoring to Your Vendor Management Program
Fourth- and Nth-party risk is part of every vendor ecosystem, but it doesn't have to be unmanageable. See how Ncontracts helps FIs manage multiple vendors at every stage of the lifecycle.