Supply Chain, Third Party Risk Management

The Uninvited Guest – Who Has Your Data?

Adjusting Contracts for Vendor Outsourcing

The day of the big event has arrived. Hopefully, all your planning will ensure that everything goes well. And it does, until uninvited guests begin to arrive. It seems that several of your guests decided (without consulting you) to pass your invitation along to a number of folks most of whom you don’t even know.  This has happened to all of us at some point in time.  Not the end of the world, but still embarrassing and frustrating when it occurs.  Unfortunately, there is quite a different impact when you replace “guests” with “vendors” and “uninvited guests” with “vendor subcontractors” (the now infamous fourth party). Now embarrassment turns into an unknown level of risk to your company’s revenue and reputation.

The simple truth is that it is highly likely your vendors will outsource an activity that includes your data and/or access to your systems. Knowing this will occur, how do you identify and manage the risk uninvited service providers present? Well, it starts with your vendor contract and requiring your vendors to have robust TPRM programs.

Among the many provisions being added to vendor contracts are expansive provisions related to vendor outsourcing.  These new provisions go beyond attempts to prevent subcontracting and instead focus on managing it by:

  • Requiring disclosure of all critical subcontractors necessary for the vendor to deliver their services to you
  • Requiring vendors to assess all subcontractors prior to providing them with access to your data and/or systems
  • Requiring vendors to maintain and execute a comprehensive TPRM program
  • Imposing responsibility on the vendor for subcontractors’ protection of your data and systems

Including these provisions in your vendor contract allows you to assess the vendor’s outsourcing activity and ensure that security controls and privacy requirements are pushed down to subcontractors.

After expanding fourth party protection in your vendor contracts, it’s time to enhance what’s included in your assessment process including:

  • Evaluation of a vendor’s TPRM program
  • Testing to determine if subcontractors are assessed prior to onboarding
  • Lists of critical subcontractors with data flow and network diagrams (updated periodically)
  • Evaluation of vendor subcontract agreements for key provisions on data protection and privacy requirements
  • Inclusion of key fourth parties in your continuous monitoring activities


Use your assessment of these factors to make any adjustments in the vendor’s risk profile, and make sure that information about vendor subcontracting is included in your vendor inventory/risk register.

Want to make sure that there are no uninvited companies in your supply chain? Enhance your contracting and assessment practices to include fourth parties.

To expand your understanding of Nth Parties, review this post Nth Party Risk – 10 Tips for Managing The Unknown or this post about Ethical Sourcing and Nth Party Providers.