The recent global hack of a Salesforce-affiliated third‑party app connection resulted in data from hundreds of tenants being compromised. This incident demonstrates how easily risk can propagate beyond your direct third-party vendors and underscores the importance of robust oversight across the entire digital supply chain.
Add to that the ripple effects of recent high‑profile, large‑scale cloud service provider outages, and it is clear that resilience and security must extend beyond first‑tier suppliers to their downstream providers and integrations.
This is the essence of “fourth‑party” risk - the entities your suppliers rely on, such as subcontractors, managed service partners, marketplace integrations, API‑connected tools and cloud dependencies.
1. Contract for flow‑down security obligations - don’t stop at first‑tier suppliers
Your contracts should do more than set expectations for your direct counterparty. They should require your suppliers to impose risk‑appropriate security controls on their own suppliers and technology integrations. Flow‑down obligations are critical where vendors connect your environment to third‑party applications, rely on subcontractors for support or host data on major cloud platforms.
At a minimum, ensure your supplier is required to:
- bind its subprocessors, subcontractors and integrated third‑party tools to security and confidentiality standards that match your agreement, including organisational, physical and technical measures, such as mandatory training and awareness, access controls, encryption, antimalware, vulnerability management and incident response capabilities;
- maintain an accurate inventory of its critical fourth‑party dependencies and notify you in advance of material changes to that list or to the risk posture of those dependencies;
- perform due diligence and ongoing monitoring of those dependencies, including security questionnaires, certifications, testing and remediation projects for identified weaknesses; and
- accept responsibility for the acts and omissions of its downstream providers, so accountability does not dissipate in the chain.
These protections close the gap revealed by incidents where the “core” platform remains secure, but a connected app or downstream service creates systemic exposure.
2. Actively manage suppliers and refresh terms to track evolving best practice
Contract language cannot be “set and forget”. Attack techniques evolve quickly, and cloud reliance adds complexity. Review and update security schedules and annexes regularly to reflect current best market practice, regulatory changes and lessons from recent incidents.
In practice, this means:
- building regular service‑review cadences with your critical vendors, including discussion of their fourth‑party landscape, recent incidents, audit results and control enhancements;
- refreshing security addenda to align with current frameworks and norms, such as comprehensive security and risk governance, secure development practices, sound identity, authentication, authorisation and access (IAAA) management, robust data protection and handling, and recurring independent reviews;
- tightening resilience and continuity expectations in light of cloud service outages, including multi‑region architectures, tested failover plans, recovery time and point objectives, and clear degradation procedures backed by reporting and test evidence - not just policy statements; and
- conditioning renewal and price uplifts on demonstrable control maturity and timely remediation of high‑risk findings.
Making security performance a living, reviewable obligation reduces the gap between what the contract says and what the supplier does as their ecosystem evolves.
3. Strengthen incident notification and engagement - timely, specific and sustained
When something goes wrong in a complex supply chain, you need speed, substance and ongoing engagement. Your incident clauses should require notification not only for the supplier’s own security incidents but also for material incidents affecting its fourth‑party providers where your data, systems, integrations or service continuity could be impacted.
Effective provisions typically require:
- prompt initial notice on discovery within a defined window, with an obligation to provide concrete, decision‑useful details: what happened, systems and data affected, preliminary root cause, observable indicators, containment steps taken and immediate customer actions recommended;
- ongoing updates at agreed intervals (for example, every 4–8 hours during active response, then daily until containment, then weekly through remediation), with clear points of contact and escalation paths;
- cooperation duties, including access to relevant logs and artifacts, participation in joint incident calls, alignment on public communications where your stakeholders are affected and preservation of evidence for forensic review; and
- post‑incident obligations such as a written incident report within a defined period, a remediation plan with owners and timelines and verification of closure through attestations or independent assessment where appropriate.
These engagement mechanics help you make timely risk decisions, meet your own regulatory reporting duties and avoid being left in the dark when the impact originates from a downstream provider or connected app rather than your direct vendor.
The takeaway
Fourth‑party risk is now a first‑order issue. Use your contracts to extend security standards and accountability across the entire delivery chain. Manage those relationships actively with periodic refreshes to reflect current best practice and harden your incident engagement clauses so you receive the right information fast - and keep getting it as the situation evolves.
Recent events have shown that even when the core platform stands, weak links at the edges or in underlying cloud services can still create material exposure. Your contracts need to anticipate that reality and your governance needs to enforce it.
This article includes contributions from Kim Hoskin, Russell McVeagh’s Cybersecurity Specialist with X years of experience in cybersecurity risk management and incident response.