June 17, 2026

What 4th-Party Risk Does Your 3rd Party Bring to Your Supply Chain? Fourth-Party and Sub-Processor Risk Explained

Fourth-party risk is the exposure you inherit from your vendors’ vendors – the sub-processors, subcontractors, and nested dependencies your data passes through but you never contracted with, assessed, or even named. You remain accountable for that layer even though you cannot audit it: UK GDPR Article 28(4) keeps your processor “fully liable to the controller for the performance of that other processor’s obligations”. This post explains where the questionnaire chain breaks, why audit rights expire before liability does, and what surfaces the layer your risk register ignores.

Why does your data end up with companies you never assessed?

Your data ends up with companies you never assessed because every supplier you contract with subcontracts in turn. Almost none of that layer appears on your risk register. The Tier-1 vendor you audited runs on nested APIs, open-source components, an outsourced development shop, and a regional sub-processor spun up for data residency. Each is a fourth party you approved by approving the vendor, and never saw.

The volume is the first shock. In a SecurityScorecard and Cyentia study of 235,000-plus organisations, for every third party in your supply chain you carry 60 to 90 times that number of fourth-party relationships. The layer you don’t assess is, by population, the largest one you have. The NCSC sets the scope at the whole chain: “a vulnerability that exists anywhere within the supply chain, whether in your direct suppliers, or the suppliers that they sub-contract out to, could impact your organisation”. Your obligations do not stop at your contract.

Why can’t a security questionnaire find your vendors’ sub-processors?

A security questionnaire cannot find your vendors’ sub-processors because it captures a static disclosure, not a live read of the chain. A vendor’s published sub-processor list is an artefact – refreshed quarterly at best – that names who they used when they last updated the page, not which of those sub-processors is exposed or breached this week. The questionnaire describes what your vendor says it does, not what its suppliers actually do.

This is the gap the whole series is built on: a point-in-time attestation cannot keep pace with a continuously changing attack surface. You audited your direct supplier against a fixed snapshot. That supplier’s sub-processors changed the following month, and nothing in your questionnaire was built to catch it. The NCSC’s own remedy is contractual – build the terms to “provide visibility cascading down their supply chains” into your contracts – but a contract clause is a promise, not a measurement.

Past the audit horizon, your leverage is gone but your accountability is not: your right to audit ends at your direct vendor; your liability does not.

Can you be held liable for a breach caused by your vendor’s supplier?

Yes. Under UK and EU GDPR, accountability flows down the chain even where your audit rights do not. Where a processor engages a sub-processor, Article 28(4) states that “the initial processor shall remain fully liable to the controller for the performance of that other processor’s obligations”, a position the ICO confirms. A sub-processor you have never heard of mishandles your data, and the liability still lands on you.

Finance is held to the same logic. DORA’s 2025 subcontracting rules – Commission Delegated Regulation (EU) 2025/532 – state at Article 3(3) that relying on a provider’s own assessment of its subcontractors “shall not limit the final responsibility of financial entities” to meet their DORA obligations. Recital 1 goes further, requiring those entities to “identify the overall chain of subcontractors” supporting critical or important functions. UK prudential rules agree: PRA SS2/21 requires firms to oversee material sub-outsourcing on an ongoing basis, and NIS2 Article 21(3) tells entities to account for the cybersecurity practices of their suppliers’ suppliers. None of these regimes lets you stop looking at your direct vendor.

What does a fourth-party breach look like?

A fourth-party breach looks like an incident at a company you never contracted with, reaching your data through a supplier you did. In the June 2023 Zellis chain, British Airways, the BBC, and Boots had staff data exposed by software none of them used.

British Airways didn’t use MOVEit. They used Zellis for payroll – their third party. Zellis used Progress Software’s MOVEit Transfer – the fourth party. When Cl0p exploited MOVEit, BA’s data went with it. In BA’s own words, it was “impacted by Zellis’ cybersecurity incident which occurred via one of their third-party suppliers called MOVEit”. That gap never appeared in any questionnaire BA sent Zellis. You audited Zellis. You could not have audited MOVEit.

The numbers say this is the norm, not an outlier. Across the SecurityScorecard and Cyentia population, 50% of organisations had indirect relationships with at least 200 fourth parties breached in the prior two years. No questionnaire surfaced that exposure. External monitoring did.

Questionnaire vs. Reality

  • Questionnaire Says: “We have a vendor management programme for our sub-processors.”
  • Reality Shows: “Vendor X relies on 14 sub-processors. 3 of them host your data on infrastructure shared with organisations breached in the last two years, and none of the 14 appeared on the list returned with the questionnaire. The programme exists on paper; the exposure exists in production.”

How do you identify your vendors’ sub-processors?

You identify your vendors’ sub-processors from the outside, by mapping the chain rather than asking for it. Elasticito uses Black Kite Extend to auto-discover third-, fourth-, fifth-, and sixth-party suppliers from TLS-certificate chains and technographic signals – no vendor-side agent, no dependence on a self-reported list. Put any vendor at the centre and the ecosystem behind it appears, including breaches at that vendor’s own suppliers. VendorMap then shows where your suppliers share the same fourth-party infrastructure – the concentration that turns one sub-processor’s bad day into many organisations’ incident – and Supply Chain GeoMap locates sub-supplier assets by country. This is the layer past the audit horizon, made visible.

Threatplane’s predictive threat modelling sits on top of those signals: for any vendor it enumerates the full set of threat vectors – including, in Andrew’s words, “the third party’s third parties” – and weights each one, so the exposure Elasticito surfaces is ranked by how much it matters. You cannot put a right-to-audit clause past the audit horizon, but you can put a sensor there.
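The two ideas in this section, mapping the chain outward from each direct vendor and then ranking what that mapping surfaces by fan-out and breach history, can be sketched in code. The example below is added for illustration and is not Elasticito's, Black Kite's or Threatplane's code; the supplier names, edges and breach counts are constructed, standing in for whatever an external discovery feed returns, and the scoring rule is an assumption chosen to show the shape of the calculation, not a published methodology.

```python
"""Constructed example: walk a supply-chain graph past the direct-vendor layer,
find which sub-suppliers several of your vendors share, and rank them.
All vendor names, edges and breach counts below are invented."""
from collections import defaultdict, deque

# Constructed supplier graph: each key relies on the suppliers in its list.
# "you" is your own organisation; its direct suppliers are your third parties.
SUPPLY_EDGES = {
    "you": ["payroll-co", "crm-saas", "ticketing-saas"],
    "payroll-co": ["file-transfer-vendor", "cloud-host-a"],
    "crm-saas": ["cloud-host-a", "email-relay"],
    "ticketing-saas": ["cloud-host-a", "analytics-sdk"],
    "email-relay": ["cloud-host-b"],
    "analytics-sdk": ["cloud-host-b"],
}

# Constructed breach feed: supplier -> incidents in the review window.
BREACHED = {"file-transfer-vendor": 1, "cloud-host-b": 2}


def tier_map(edges, root="you"):
    """BFS from the root; depth 1 = third party, depth 2 = fourth party, ..."""
    tiers = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for supplier in edges.get(node, []):
            if supplier not in tiers:  # keep the shortest-path depth
                tiers[supplier] = tiers[node] + 1
                queue.append(supplier)
    return tiers


def downstream_of(edges, start):
    """Every supplier reachable from `start`, excluding start itself."""
    seen = set()
    stack = [start]
    while stack:
        node = stack.pop()
        for supplier in edges.get(node, []):
            if supplier not in seen:
                seen.add(supplier)
                stack.append(supplier)
    return seen


def concentration(edges, root="you"):
    """For each sub-supplier (tier >= 2), the set of your direct suppliers whose
    chain passes through it. A large set means one incident fans out widely."""
    tiers = tier_map(edges, root)
    shared = defaultdict(set)
    for third_party in edges.get(root, []):
        for sub in downstream_of(edges, third_party):
            if tiers[sub] >= 2:
                shared[sub].add(third_party)
    return dict(shared)


def ranked_exposure(edges, breached, root="you"):
    """Assumed scoring rule: fan-out (direct suppliers reaching the sub-supplier)
    multiplied by (1 + incidents). Highest score first, name as tiebreak."""
    scores = []
    for sub, third_parties in concentration(edges, root).items():
        score = len(third_parties) * (1 + breached.get(sub, 0))
        scores.append((score, sub, sorted(third_parties)))
    return sorted(scores, key=lambda s: (-s[0], s[1]))


def suppliers_per_tier(edges, root="you"):
    """How many suppliers sit at each depth: the population below the layer
    you can audit is usually larger than the layer you can."""
    counts = defaultdict(int)
    for node, depth in tier_map(edges, root).items():
        if depth > 0:
            counts[depth] += 1
    return dict(counts)


if __name__ == "__main__":
    for score, sub, via in ranked_exposure(SUPPLY_EDGES, BREACHED):
        print(f"{score:>3}  {sub:<22} reached via {', '.join(via)}")
    print("suppliers per tier:", suppliers_per_tier(SUPPLY_EDGES))
```

On the constructed data, the fifth-party host `cloud-host-b` ranks first: only two of your vendors reach it, but it carries breach history, and it never appears on any of their sub-processor lists because it is two hops down. `cloud-host-a` ranks second purely on concentration, all three direct vendors depend on it, which is the single-point-of-failure pattern VendorMap is described as exposing.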

FAQ

What is fourth-party risk and why should I care about it?

Fourth-party risk is the exposure your organisation inherits from your vendors’ vendors – the sub-processors and nested suppliers your data passes through with no direct contract between you and them. It matters because the layer is enormous and unmanaged: organisations carry 60 to 90 times more fourth-party relationships than third-party ones, and your breach liability reaches into it under GDPR Article 28(4) even though your right to audit does not.

What is a sub-processor in data protection and GDPR?

A sub-processor is a second processor that your processor engages to carry out specific processing on the controller’s behalf – your vendor’s vendor, in data-protection terms. Under GDPR Article 28, engaging one requires the controller’s prior authorisation, the same obligations must flow down to it, and the original processor “shall remain fully liable to the controller for the performance of that other processor’s obligations.” The contractual chain follows the data, even where your audit access does not.

Can I be held liable for a data breach caused by my vendor’s supplier?

Yes. Under UK and EU GDPR, your processor stays fully liable to you for its sub-processor’s failures, and as the controller you remain accountable for the processing throughout the chain. In financial services, DORA goes further: relying on a provider’s own assessment of its subcontractors “shall not limit the final responsibility of financial entities”. Liability flows down even where your right to audit stops at your direct vendor.

How does fourth-party risk differ from third-party risk?

A third party is a supplier you contract with directly, so you can assess, audit, and hold it to terms. A fourth party is that supplier’s supplier – you have no contract, no right to audit, and usually no record that it exists. The practical difference is leverage: at the third-party layer you can demand evidence and enforce controls; past the audit horizon you can only observe from the outside. The risk does not shrink with each layer down – the population grows as your visibility falls away.

Conclusion: why your liability outlives your right to audit

Your right to audit ends at your direct vendor; your liability does not – so the layer you cannot contract with is the one you most need to see.

See what sits below your contracted vendors when you join Elasticito on 15 July 2026 for Your Questionnaire Won’t Save You: Discover the Vendors Most Likely to Breach You Next.

Created: 2026-06-04 / Reviewed: 2026-06-04