Fourth-Party Risk: When Your Vendor's Vendor Becomes Your Problem

May 1, 2026 Rebecca Leung
TL;DR

  • Fourth-party risk is your vendor’s subcontractor risk — and regulators expect you to manage it, not ignore it.
  • The June 2023 interagency guidance (OCC Bulletin 2023-17) explicitly addresses subcontractors and concentration risk as fourth-party concerns.
  • Change Healthcare (Feb 2024) is the case study for fourth-party catastrophe: 190M people affected, $872M in UnitedHealth Q1 losses, and an entire healthcare clearinghouse layer offline for nine months.
  • You don’t have to assess every fourth party directly — but you do need to evaluate your vendor’s process for overseeing them, with deeper scrutiny on critical activities.
  • Practical fourth-party program: identify critical paths, require vendor disclosure of material subcontractors, contract for flow-down terms and audit rights, and monitor concentration exposure.

Your vendor risk register has 400 entries. Your business has roughly 4,000 fourth parties. Most of your TPRM program pretends those 3,600 don’t exist.

That worked until February 21, 2024, when a single Citrix portal at Change Healthcare — a clearinghouse most patients had never heard of — got compromised. Within 72 hours, hospitals couldn’t process insurance claims, pharmacies couldn’t verify prescriptions, and 80% of physician practices were losing revenue. Most of those organizations had no direct contract with Change Healthcare. They were two or three hops away. But the operational hit was the same.

That’s fourth-party risk. And if you’re a compliance, risk, or vendor management practitioner, regulators are now explicitly expecting you to have a point of view on it.

What “Fourth-Party Risk” Actually Means

Fourth parties are your third party’s subcontractors. The interagency Final Guidance on Third-Party Relationships: Risk Management, issued by the Federal Reserve, FDIC, and OCC in June 2023 (OCC Bulletin 2023-17), explicitly equates “subcontractor” with “fourth party.”

In plain terms:

Layer        | Example
-------------|----------------------------------------------------------------------
Your bank    | Issues mortgages
Third party  | Loan origination platform vendor
Fourth party | Cloud hosting (AWS), document e-sign vendor (DocuSign), credit bureau API
Fifth party  | AWS’s submarine cable provider, e-sign vendor’s certificate authority

Most material risk lives at the third- and fourth-party layers. Beyond that, you’re rapidly into “everyone uses them and you can’t avoid them” territory — but the obligation to identify the critical fourth parties is real.

Why fourth parties got hot in 2023–2026

Three forces converged:

  1. The interagency guidance retired OCC 2013-29, FDIC FIL-44-2008, and the Fed’s SR 13-19 in favor of one unified rule that explicitly addresses subcontractors and concentration risk.
  2. DORA went live January 17, 2025 in the EU, with explicit subcontracting requirements for ICT third-party providers and a 19-firm critical-third-party regime that any US institution serving EU customers must understand.
  3. Real fourth-party incidents — Change Healthcare, SolarWinds, MOVEit, CrowdStrike — proved that subcontractor failures cascade in ways no single-vendor TPRM program detects.

What the Interagency Guidance Actually Says About Fourth Parties

Read OCC Bulletin 2023-17 carefully. The guidance was deliberately scoped to avoid making banks responsible for every subcontractor. The regulators’ language:

“The agencies recognize concerns that banking organizations are expected to assess or oversee all subcontractors of a third party, and have revised the guidance to focus on a banking organization’s approach to evaluating its third party’s own processes for overseeing subcontractors.”

Translation: you don’t have to audit every fourth party. You do have to audit your vendor’s process for managing them.

That distinction matters. Examiners will not ask “show me your due diligence on every fourth party.” They will ask:

  • Do you know which third parties use material subcontractors?
  • Do you evaluate how the third party selects, monitors, and terminates subcontractors?
  • Do your contracts give you visibility and recourse when subcontractors change?
  • Where concentration exists, do you know about it and have a contingency plan?

Concentration risk is the sleeper

The guidance also formalizes concentration risk: “concentration risk is an issue that takes place when an organization holds many business relationships with very few or particular third parties.” This includes:

  • Vendor concentration — most of your critical vendors are one company (or its subsidiaries)
  • Sub-vendor concentration — most of your critical vendors all rely on the same fourth party (AWS, Salesforce, one core processor, one KYC provider)
  • Geographic concentration — most of your providers run in the same AWS region or data center

The CrowdStrike Falcon outage on July 19, 2024 was a concentration-risk event playing out in real time: a single endpoint security vendor’s update grounded thousands of flights, hospitals, banks, and broadcasters. CrowdStrike was not a fourth party for everyone, but for many companies it was: their vendor’s vendor ran Falcon.

Three Fourth-Party Failures That Should Be in Your Tabletop Library

1. Change Healthcare ransomware (February 2024)

Change Healthcare is a clearinghouse — the plumbing between providers, pharmacies, and payers. UnitedHealth Group acquired it in 2022 and integrated it into Optum Insight. For the median hospital, Change Healthcare wasn’t a contracted vendor — it was a fourth party sitting behind their EHR or revenue cycle vendor.

What happened, per the OFR brief on the cyberattack and UnitedHealth’s own disclosures:

  • February 21, 2024: BlackCat/ALPHV deployed ransomware via a Citrix remote-access portal that lacked MFA
  • First three weeks: $6.3 billion drop in submitted claim values across 1,850 hospital and 250,000 physician customers
  • Q1 2024: UnitedHealth posted $872M in losses tied to the attack
  • Ransom paid: ~$22M; data was leaked anyway after a second extortion attempt by RansomHub
  • Final tally (per UnitedHealth’s January 2025 update): 190 million people affected — the largest US healthcare data breach ever
  • Recovery: Full operations didn’t resume until November 2024

The fourth-party lesson: thousands of providers had no direct contract with Change Healthcare. They had no notification rights, no audit rights, and limited operational alternatives because the clearinghouse layer of US healthcare is concentrated in a handful of providers.

2. SolarWinds SUNBURST (December 2020)

SolarWinds Orion was IT monitoring software used by ~18,000 customers, including federal agencies and Fortune 500 companies. APT29 compromised the build pipeline and pushed a trojanized update through Orion versions 2019.4 to 2020.2.1.

For a regional bank using a fintech vendor that ran SolarWinds Orion for monitoring, SolarWinds was a fourth party. There was no obvious contractual relationship, no notification entitlement, and most fourth-party inventories of the era didn’t capture monitoring tools.

3. MOVEit (May 2023)

Progress Software’s MOVEit Transfer was used by thousands of organizations to move sensitive files. The Cl0p ransomware group exploited a zero-day in May 2023 and exfiltrated data from over 2,700 organizations and 90+ million individuals — including customers of organizations that had never heard of MOVEit but used a vendor (BDO, Deloitte, payroll providers, state agencies) that did.

If you needed proof that fourth-party software supply chain risk is more than a hypothetical, MOVEit was the receipt.

A Practitioner’s Fourth-Party Program (That Doesn’t Boil the Ocean)

You will not — and should not — try to inventory every fourth party in your supply chain. The realistic scope is your critical and high-risk third parties, typically the top 10–20% of your vendor population. For a bank with 400 vendors, that’s roughly 40–80 third parties whose subcontractors you actually need to understand.

Step 1: Tier your third parties for fourth-party scrutiny

Apply your existing vendor tiering, but flag for fourth-party deep-dive any vendor that meets ≥1 criterion:

  • Provides a critical or high-impact business service
  • Stores, processes, or transmits sensitive data (PII, PHI, NPI, payment data)
  • Has direct access to your network or production systems
  • Would, on its own, create a regulatory or reputational incident if it failed

For background on vendor tiering itself, see our vendor risk tiering framework.

Step 2: Require disclosure in due diligence and renewals

Update your vendor risk assessment to require disclosure of:

Question                                                              | Why it matters
----------------------------------------------------------------------|--------------------------------------------
Material subcontractors used to deliver this service                  | Identifies fourth parties
Subcontractor’s role and access level (data, systems, customer-facing) | Lets you scope scrutiny
Subcontractor location (jurisdiction, data residency)                 | Privacy, sanctions, geopolitical
SOC 2 or ISO 27001 status of each subcontractor                       | Lets you piggyback on existing audits
Vendor’s process for vetting and approving subcontractors             | The thing examiners will ask about
Notification process when subcontractors change                       | Critical for ongoing oversight

A baseline questionnaire is in our vendor risk assessment template.

Step 3: Get the contract right

Most vendor risk programs fail at the contract layer. Negotiate for:

  • Right to know. Vendor must list material subcontractors at signing and disclose changes in advance.
  • Right to object. You can refuse a new subcontractor that doesn’t meet your security standards.
  • Flow-down obligations. Vendor must contractually require subcontractors to meet the same security, privacy, and breach notification terms you negotiated.
  • Audit rights extending to subcontractors. Either direct audit rights or pooled-audit / SOC 2 with subservice organizations explicitly in scope.
  • Breach notification window. 24 hours for material incidents; 72 hours absolute maximum. Aligns with NYDFS Part 500, GDPR, and DORA.
  • Service exit and portability. If a subcontractor failure disrupts the vendor, your exit rights are not contingent on the vendor’s recovery.

Step 4: Monitor concentration exposure

Once a year, run a concentration analysis:

  1. Pull the fourth-party list from your top 40–80 third parties
  2. Group by fourth party (the same fourth party can appear on many vendor inventories — that’s the signal)
  3. Identify the fourth parties that appear across ≥5 critical vendors
  4. For each, document: what they do, what would happen if they failed, what your contingency is

The output is one slide for your risk committee. Not a 200-page spreadsheet.
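The grouping in Step 4, worked through as an added example (not a tool from the article or from RiskTemplates). The inventory is constructed for illustration; it mimics what you would extract from VRA responses and SOC 2 subservice-organization listings, and a vendor with an empty list stands in for one that refused to disclose subcontractors. It also groups by hosting region, so the same pass surfaces geographic concentration.

```python
from collections import defaultdict

# Constructed sample inventory: critical third party -> disclosed material
# subcontractors as (fourth party, hosting region). Names are illustrative.
FOURTH_PARTY_INVENTORY = {
    "LoanOriginationCo": [("AWS", "us-east-1"), ("DocuSign", "us-west-2"), ("Experian API", "us-east-1")],
    "CoreProcessor":     [("AWS", "us-east-1"), ("Twilio", "us-east-1")],
    "KYCVendor":         [("AWS", "us-east-1"), ("Experian API", "us-east-1")],
    "PaymentsGateway":   [("AWS", "us-east-1"), ("Visa DPS", "us-east-2")],
    "FraudAnalytics":    [("AWS", "us-east-1"), ("Snowflake", "us-east-1")],
    "TreasuryPortal":    [("Azure", "eastus"), ("DocuSign", "us-west-2")],
    "HRPayroll":         [("Azure", "eastus"), ("Twilio", "us-east-1")],
    "WealthPlatform":    [],  # critical vendor that has not disclosed subcontractors
}


def concentration_report(inventory, threshold=5):
    """Group disclosed fourth parties by name and by region.

    Returns the fourth parties and regions shared by >= `threshold` critical
    vendors (the article's >=5 rule by default), plus vendors with no
    disclosure at all, which the 90-day roadmap treats as a finding.
    """
    vendors_by_party = defaultdict(set)
    vendors_by_region = defaultdict(set)
    undisclosed = []
    for vendor, subs in inventory.items():
        if not subs:
            undisclosed.append(vendor)
            continue
        for name, region in subs:
            vendors_by_party[name].add(vendor)
            vendors_by_region[region].add(vendor)

    def concentrated(groups):
        # Keep only the groups that cross the threshold; sort for stable output.
        return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}

    return {
        "sub_vendor": concentrated(vendors_by_party),
        "geographic": concentrated(vendors_by_region),
        "undisclosed": sorted(undisclosed),
    }


if __name__ == "__main__":
    report = concentration_report(FOURTH_PARTY_INVENTORY)
    for kind in ("sub_vendor", "geographic"):
        for key, vendors in report[kind].items():
            print(f"{kind}: {key} underpins {len(vendors)} critical vendors: {', '.join(vendors)}")
    print("no disclosure:", ", ".join(report["undisclosed"]) or "none")
```

Each entry in `sub_vendor` and `geographic` is one candidate line for the risk-committee slide; the "what would happen if they failed" and contingency columns are still written by hand.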

Step 5: Read the SOC 2 — actually read it

Most TPRM programs collect SOC 2 reports and never open them. The SOC 2 contains two things that matter for fourth-party risk:

  1. Subservice organizations — listed in Section III. These are your fourth parties.
  2. Complementary User Entity Controls (CUECs) — listed at the end. These are responsibilities the auditor pushed back to you.

If your vendor’s SOC 2 carves out AWS as a subservice organization (very common), the auditor explicitly disclaimed any opinion on AWS. You’re now responsible for forming a view on AWS — which usually means relying on AWS’s own SOC 2 and SOC 3 reports.

Implementation Roadmap (90 Days)

Days 1–30 — Inventory the critical layer

  • Identify your top 40–80 third parties using existing tiering
  • Add a fourth-party disclosure section to your VRA (start with renewals)
  • Pull current SOC 2 reports and extract subservice organization listings
  • Document any vendor that has refused to disclose subcontractors — that’s a finding

Days 31–60 — Contract gap analysis

  • Sample 10 critical-vendor contracts; check for the six contract terms above
  • Build a redline checklist for legal to use on renewals and new vendors
  • Update your VRA template to include subcontractor questions
  • Define your breach notification window (24 / 48 / 72 hours) and standardize

Days 61–90 — Concentration view + reporting

  • Build a fourth-party concentration analysis from disclosed subcontractors
  • Identify top 3 concentration risks (the AWS region, the one KYC provider, the shared payment processor)
  • Document a contingency posture for each (alternative provider, manual fallback, contractual SLAs)
  • Brief the risk committee with one slide per concentration risk

So What?

Fourth-party risk used to be a concept you waved at in the interagency third-party guidance and forgot about until an examiner asked. After Change Healthcare, examiners are asking. They want to see that you know which of your third parties depend on subcontractors that matter, that your contracts give you visibility, and that you’ve identified concentration risk where five vendors all sit on the same back end.

The trap is treating this as a 4,000-vendor inventory problem. It isn’t. It’s a top-of-the-house risk identification problem applied to the 40–80 vendors that actually move the business. Get those right and the rest follows.

If you’re standing up or rebuilding your TPRM program, our Third-Party Risk Management (TPRM) Kit includes the vendor inventory, tiering rubric, VRA template, contract redline checklist, and concentration risk template you need to put a fourth-party layer on top of an existing program in a quarter.

Frequently Asked Questions

What is fourth-party risk?
Fourth-party risk is the risk introduced by your third-party vendor’s subcontractors — the parties your vendor relies on to deliver service to you. Cloud providers, payment processors, KYC vendors, and clearinghouses are common fourth parties. The interagency guidance (OCC Bulletin 2023-17) explicitly uses the term “subcontractor” interchangeably with “fourth party.”

Are banks expected to do due diligence on every fourth party?
No. The June 2023 interagency guidance was deliberately revised to clarify that banks are not expected to assess every subcontractor directly. Instead, regulators expect the bank to evaluate its third party’s process for overseeing subcontractors — and apply more scrutiny when subcontractor risk is elevated (critical activities, sensitive data, concentration).

What’s the difference between fourth-party risk and concentration risk?
Fourth-party risk is about specific subcontractor dependencies. Concentration risk is when many of your vendors rely on the same fourth party — like AWS, Salesforce, or one major KYC vendor — so a single failure cascades across multiple critical functions. The Change Healthcare outage was a textbook concentration event: thousands of providers depended on one clearinghouse.

How do I map fourth parties without boiling the ocean?
Map fourth parties only for critical and high-risk third parties — typically your top 10–20% by criticality. Ask vendors to disclose subcontractors that touch your data, your customers, or any business-critical service path. Don’t try to map fourth parties for every marketing tool or office supplier.

What contract terms should I require for fourth parties?
At minimum: written approval rights for material subcontractors, flow-down of security and privacy obligations, audit rights extending to subcontractors, breach notification within a defined window (24–72 hours typical), and termination rights if a subcontractor change creates unacceptable risk. SOC 2 reports should explicitly cover subservice organizations.

What’s a CUEC and why does it matter for fourth parties?
Complementary User Entity Controls (CUECs) are responsibilities a SOC 2 report assigns back to you, the customer. Your vendor’s auditor expects you to read the SOC 2, identify CUECs that touch fourth parties, and confirm you’ve designed controls to cover them. Skipping this is the most common audit finding for vendor risk programs.
Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
