Fourth Party
A fourth party is a vendor's vendor, an organization that provides services to your third parties, creating an indirect dependency for your organization. Fourth-party risk is difficult to manage because there is typically no direct contractual relationship with these entities. See also: Nth Party.
What Is a Fourth Party in Third-Party Risk Management?
A fourth party is your vendor's vendor. It's any supplier, subcontractor, or service provider a direct vendor relies on to deliver its product or service. Your organization has no contract with a fourth party and no visibility into it, yet its outage, breach, or security failure can reach your data just as directly as a failure at your own vendor.
How Is a Fourth Party Different from a Third Party?
A third party and a fourth party differ in one way. You have a direct relationship with one and not the other. A third party is the company your organization contracts with directly, the vendor whose security questionnaire you sent, whose SLA you negotiated, whose access to your systems you approved. A fourth party is one step removed, a company you never chose and, in most cases, never even see.
Think of:
- The cloud host your payroll vendor runs on.
- The API provider your CRM depends on.
- The file-transfer tool your law firm uses to send you documents.
You chose the third party. You had no say in the fourth party, and in most cases you don't even know its name.
That gap is the entire problem fourth-party risk exists to describe. Standard vendor due diligence evaluates the company you signed with. It rarely asks, and even more rarely verifies, what that company is built on.
Why Does Your Organization Inherit Risk from Companies You've Never Heard Of?
Your organization inherits fourth-party risk because modern vendors are themselves built on other vendors, and that dependency doesn't show up in a contract. Think of a single sign-on provider, a payment gateway, or a managed file-transfer platform. These fourth parties often sit underneath dozens of your direct vendors at once. When one of them fails, the damage doesn't stay contained to a single relationship. It surfaces everywhere that fourth party was quietly load-bearing, usually all at the same time and usually without warning.
This is why fourth-party risk gets treated as inherently third-party in nature rather than an internal IT problem, and why it's really one specific tier inside the broader Nth party problem. SaaS vendors sometimes call this same relationship a sub-processor in a data processing agreement. The label depends on who's writing the contract. The exposure originates entirely outside your organization's walls either way, which is exactly the territory supply chain cyber risk management exists to cover, not just the vendor relationship you can see.
How Do Fourth-Party Relationships Create Concentration Risk?
Fourth-party relationships create concentration risk when a large share of your vendor ecosystem turns out to depend on the same small set of underlying providers. You might assess twenty direct vendors and feel diversified, only to discover that twelve of them run critical functions through the same cloud region or the same identity provider. That shared fourth party becomes a single point of failure hiding behind twelve separate vendor relationships, and no amount of third-party diligence alone will surface it. When that shared fourth party fails, the damage travels through every vendor built on top of it at once, the domino effect known as cascading risk.
What Real Breach Shows the Danger of Fourth-Party Blind Spots?
Cl0p's exploitation of Cleo's managed file-transfer software is a direct illustration. Cleo wasn't a household name to most of the organizations ultimately affected. It was the fourth party quietly moving files on behalf of vendors those organizations had actually contracted with. When Cl0p compromised Cleo, the fallout reached companies that had never evaluated Cleo, never questioned it, and in many cases never knew it existed in their supply chain until the breach notification arrived.
What Does It Actually Take to Discover Your Fourth Parties?
Discovering your fourth parties takes more than asking your direct vendors to disclose them. Some vendors list subprocessors in a data processing agreement, which covers data handling but rarely covers infrastructure dependencies like hosting, DNS, or content delivery. Others don't disclose fourth parties at all, either because their own contracts don't require it or because the list changes too often to keep current. A vendor that switches cloud providers or swaps a file-transfer tool this quarter has no obligation to tell you, and most don't.
That's why fourth-party discovery increasingly relies on outside-in techniques rather than self-reported vendor disclosures. Passive DNS records, certificate transparency logs, and infrastructure fingerprinting can reveal what a vendor's technology stack actually depends on, independent of whether that vendor chooses to disclose it. This is also why fourth-party risk sits closer to continuous monitoring than to a one-time questionnaire. A dependency that didn't exist at onboarding can appear six months later, and a point-in-time assessment has no way to catch it.
How Does Black Kite Map Fourth-Party Exposure?
Black Kite identifies fourth-party dependencies through Nth-party visibility, tracing the infrastructure and service providers your direct vendors rely on rather than stopping the assessment at the contract boundary. Because there's no contract to anchor a fourth-party assessment to, Black Kite Extend works from outside-in intelligence instead of vendor self-reporting. In practice, that means Black Kite:
- Maps the cloud hosts, identity providers, and file-transfer platforms sitting underneath your direct vendors, using digital footprint discovery, subdomain detection, and website technology fingerprinting rather than waiting on vendor disclosure.
- Flags when multiple vendors in your portfolio share the same fourth party, surfacing concentration risk before it becomes a single point of failure.
- Applies FocusTag® alerts to system-monitored fourth parties and lets you set workflow triggers for new FocusTags associated with a 4th-party vendor, so a dependency's security posture doesn't go unwatched between assessment cycles.
The scale of what's at stake backs this up. Black Kite's 2026 Third-Party Breach Report found that today's vendor breaches cascade to an average of 5.28 downstream victim organizations, across 136 major breach events that together exposed more than 433 million records. A meaningful share of those downstream victims are organizations discovering, often for the first time, that a fourth party they'd never assessed was sitting underneath a vendor they trusted.