6 minutes read

Third and Fourth-Party Cyber Risks

Renowned cyber and privacy attorney shares advanced tips on protecting sensitive data in the digital supply chain.
Visualizing upstream and downstream third and fourth-party cyber risks

Stu Panensky is a Founding Partner at Pierson Ferdinand, specializing in cyber risk privacy and data security. He has extensive experience in teaching cyber insurance professionals about regulatory issues, cyber claims handling, and cyber litigation trends. Following his highly popular Masterclass on Digital Supply Chain Cyber Risks, Stu shares his insights and best practices on handling third and fourth-party cyber risks.

Following his highly popular Masterclass, Stu shares his insights and best practices on handling third and fourth-party cyber risks.

All organizations face cybersecurity and data privacy risks associated with third-party vendors and other business partners in their digital supply chain. Some of these risks potentially involve fourth or even fifth parties that are digitally connected, but otherwise unknown to the company. When formulating the appropriate information security and data privacy policies, businesses must consider and employ best practices for mitigating risks from both upstream and downstream digital connectivity.

Visualizing upstream and downstream cyber risks

Imagine all digital connectivity as river waters. Your policyholder sits somewhere in the middle of the river connected to other entities both upstream and downstream.

Visualizing upstream and downstream third and fourth-party cyber risks
A visualization of upstream and downstream cyber risks.

Your policyholders ’distributors, retailers or even consumers sit downstream. The digital assets – (the systems and data) flow from the policyholder to its downstream consumers. Upstream from the policyholder sits the vendors and suppliers that your policyholder relies on for its digital operations. Sometimes this includes the processing of sensitive electronic data. This article explores the risks posed by this connectivity.

Upstream Third-Party Cyber Risks

Businesses routinely entrust sensitive data, like employee or customer personally identifiable information, financial information, and corporate trade secrets to third-party vendors, suppliers, and business partners. A security breach or privacy incident at any of these entities potentially affects this sensitive data. This exposes the organization to risk including financial loss, compelled legal compliance and reputational damage relating to what is essentially someone else’s breach.

Upstream cyber risk refers to the potential for a security breach or privacy incident at a third-party vendor, supplier, or business partner to expose a policyholder’s sensitive data.

Upstream Third and Fourth-Party Cyber Risks
A visualization of upstream cyber risks.

Let’s consider the mountain river scenario. Weak security practices of a policyholder’s vendors are like polluted tributaries. These polluted streams can introduce contaminated or compromised data into your policyholder’s system, even if their own security is strong.

To mitigate these upstream risks, we advise companies to perform a risk assessment of vendors’ security practices as part of their overall governance, risk management and compliance (GRC) programs. This includes evaluating vendors’ security and data privacy controls, policies, and procedures for the collection and use of the data at issue. Companies can monitor their own vendor privacy policies and data security agreements ensuring clear data protection obligations are understood and accepted by all parties.

Negotiating Security and Data Privacy Terms

Contractual agreements with third parties should clearly define expectations regarding cyber security and data privacy. We advise our clients to address these issues upfront as part of the bargaining process. Key provisions include:

  • Data Security Standards: These outline the vendor’s obligations to safeguard sensitive data, encompassing security controls, breach notification procedures, and liability for data breaches and attending legal and regulatory obligations.
  • Privacy Policies: These define how the vendor collects, uses, and shares sensitive data, ensuring transparency and alignment with the policyholder’s own privacy practices.
  • Audit Rights: A reservation of the right to audit vendor security practices to ensure ongoing compliance. What is inspected is expected.
  • Indemnification: Vendors should indemnify companies for any damages arising from security incidents.
  • Cyber Insurance: Vendors should maintain adequate cyber and other insurance limits to offset any potential liabilities. We advise our clients to keep a record of the cyber insurer and the limit for each vendor. Also consider requiring fidelity or commercial crime insurance.
  • Limitation of Liability: While vendors may seek limitations on liability, organizations should carefully negotiate these terms to manage risk exposure.

Monitoring Third-Party Compliance

Obtaining commitments from upstream third parties is important. Regularly monitoring performance and compliance to ensure vendors adhere to security and data privacy standards is equally important in a company’s security program. This can involve:

  • Security Audits: Regular audits by qualified third parties assessing the effectiveness of the vendor’s security program.
  • Vendor Reports: Reviewing vendor-provided security reports helps identify potential gaps in their security posture.
  • Vendor System Access: In some cases, organizations may request access to vendor systems for independent security assessments.
  • Media Monitoring: Staying informed of any security incidents involving the vendor helps identify potential risks.
  • Communication: Regular communication with vendors regarding security practices strengthens the relationship and fosters a culture of security awareness.

Downstream Third-Party Cyber Risks

Sensitive data can also be exposed through vulnerabilities in downstream third parties, such as distributors, retailers, and consumers. If these entities are hacked, the organization’s own data may be compromised.

Downstream cyber risk arises from vulnerabilities present in a policyholder’s distribution channels, retailers, or even consumers. These entities, further down the supply chain, can be compromised, potentially exposing the policyholder’s own sensitive data that resides within their systems.

Downstream Third and Fourth-Party Cyber Risks
A visualization of downstream cyber risks.

If we revisit the mountain river scenario, cracks in the riverbed might cause water to steer off course. Similarly, weaknesses in the security practices of your policyholder’s downstream partners can allow your data to leak or be compromised.

To effectively mitigate these downstream risks, policyholders should first establish clear contractual expectations about data privacy and cyber security. First, outline minimum data security standards expected between the parties; for example, transferring data using only encrypted channels. Next, businesses should establish notification obligations between the parties in the event of a security or privacy event.

Finally, consider other data security principles such as data minimization, consumer control over their own sensitive information, and how both parties handle security and privacy issues with relevant upstream third parties (i.e., vendors).

Data minimization is a principle in corporate data privacy that emphasizes collecting only the essential data an organization needs for a specific purpose. This means avoiding unnecessary data collection, defining a clear purpose for each data point obtained, and secure deletion protocol and documentation when data is no longer required.

To further mitigate downstream risks, policyholders must routinely communicate with their consumers. We advise organizations to create learning opportunities for consumers and partners about cyber hygiene practices. For example, companies can offer security awareness programs to downstream entities that cover topics like phishing scams, malware, and social engineering.

Collaboration in Incident Response

When cyber or privacy incidents occur – and they always do – and there are impacts to third or fourth parties, effective communication and collaboration between the relevant parties is crucial. It is very common that affected organizations will need to share information and even potentially to share one another’s resources. We counsel our clients to:

  • Establish clear communication channels for information sharing.
  • Define roles and responsibilities for all parties involved in the incident response.
  • Coordinate investigation and remediation activities.
  • Determine notification obligation and procedures for affected individuals and regulatory bodies.
  • Addressing liability allocation related to the incident.

There are many examples of digital supply chain risks that illustrate the impact of third and fourth-party cyber risks beyond data breaches. Consider the following list of hypotheticals (this is obviously not an exhaustive list):

  • Physical Supply Chain Disruption: A cyberattack on a supplier can disrupt operations and cause revenue loss for a dependent business.
  • Cloud Service Outage: A cloud service provider’s attack can disrupt a company’s data storage and applications, impacting operations.
  • Payment Processor Failure: A cyberattack on a payment processor can disrupt a company’s ability to process online transactions.
  • Cyber Attack on “Major Consumers”: An attack on a key customer or partner can disrupt a business’ ability to provide services or fulfill orders.


In conclusion, a business’ digital supply chain introduces complex cyber risks both upstream and downstream. Understanding and managing third and fourth-party cyber risks is essential for protecting sensitive data and safeguarding an organization’s financial well-being and reputation. By implementing a comprehensive risk management strategy that assesses and mitigates upstream and downstream considerations, policyholders can further safeguard sensitive data and minimize the impact of potential cyber incidents, which will also bolster their overall cybersecurity and data privacy posture.

Why Choose
Cyber Insurance Academy?

We are the global standard for accredited cyber insurance certification, with +4,000 Members from +40 countries.

Reach Out to Us

Can’t find what you’re looking for? Leave your details and we’ll get back to you shortly