The Complete Guide to Forth Party Vendor Risk Management: From Discovery to Mitigation (2025)

The Hidden Threat in Your Supply Chain

In May 2023, a zero-day vulnerability in MOVEit Transfer software became the catalyst for one of the most devastating supply chain attacks in history. The breach impacted over 2,800 organizations and nearly 100 million individuals worldwide, with cascading effects that continue into 2025. What made this attack particularly insidious wasn’t just its scale—it was the ripple effect through fourth-party relationships.

Colorado State University exemplifies this cascading risk perfectly. Though the university didn’t directly use MOVEit, its data was exposed six times by six different vendors. This is fourth-party risk in action: the vendors of your vendors creating exposure you never directly contracted for.

The Exponential Risk Multiplication Effect

The statistics paint a sobering picture:

• 35.5% of all breaches in 2024 were third-party related, representing a 6.5% increase from 2023
• 4.5% of breaches now extend to fourth parties
• Of organizations that experienced a third-party data breach, 38% say the breach was caused by an Nth party
• Half of organizations have indirect links to at least 200 fourth-party vendors that have suffered prior breaches

These aren’t just numbers—they represent real financial impact. Third-party vendor and supply chain compromise was the second costliest attack vector at $4.91 million per incident in 2025.

Why Traditional TPRM Frameworks Fail at the Fourth-Party Level

Traditional third-party risk management (TPRM) programs focus on vendors you contract with directly. But the reality is more complex:

1. No Direct Relationship: You have no contractual leverage over fourth parties
2. Limited Visibility: Only 10% of organizations conduct direct risk assessments of fourth parties, while 27% do not assess or monitor fourth parties at all
3. Hidden Dependencies: 60 percent of organizations work with more than 1,000 third parties, each potentially using dozens of their own vendors
4. Concentration Risk: Multiple vendors may depend on the same fourth party, creating a single point of failure

Understanding Fourth-Party Risk: Beyond the Basics

Defining the Ecosystem

Third-party vendors are organizations with whom you have direct contractual relationships. Fourth-party vendors are the subcontractors, service providers, and suppliers that your third parties rely upon to deliver their services to you.

Example: Your company contracts with a cloud-based CRM provider (third party). That CRM provider uses Amazon Web Services for hosting (fourth party) and SendGrid for email delivery (another fourth party). If either AWS or SendGrid experiences a breach or outage, your CRM service—and by extension, your business operations—are impacted.

The Six Categories of Fourth-Party Risk

Fourth-party risks extend far beyond cybersecurity:

1. Cybersecurity Threats: Cyberattacks most often target the weakest link in a supply chain, and weak security measures in fourth-party networks can lead to data breaches and supply chain attacks
2. Operational Dependencies: When multiple third-party vendors rely on the same fourth-party providers for essential services, this creates concentration risk where a disruption cascades across multiple vendors
3. Regulatory Compliance Issues: Hidden subcontractors might not comply with industry regulations such as HIPAA or GDPR
4. Financial Stability: A fourth party’s bankruptcy can disrupt your third party’s ability to deliver services
5. Reputational Risks: ESG risks where the market is increasingly looking for more transparency and regulations pressure companies to do well by doing good
6. Geopolitical Risks: Supply chain disruptions due to international conflicts, sanctions, or trade restrictions

Real-World Fourth-Party Breach Examples

Colonial Pipeline Attack (2021): Gas stations across the U.S. East Coast ran empty after a ransomware attack. Many gas stations may have never heard of Colonial Pipeline, much less realized that a cyberattack could cripple their supply chain

NotPetya Attack on Maersk (2017): International shipping company Maersk was crippled for months after its Ukrainian accounting software supplier was targeted by the Russian NotPetya virus, resulting in the loss of over 49,000 laptops and over $250 million in estimated lost revenue

Change Healthcare Breach (2024): A ransomware attack on Change Healthcare, part of UnitedHealth’s Optum division, exposed protected health information belonging to approximately 190 million individuals. The hack disrupted claim processing nationwide, and UnitedHealth spent over $2-2.45 billion responding

The Discovery Challenge: Finding Your Fourth Parties

Discovering your fourth parties is arguably the most challenging aspect of fourth-party risk management. A recent SecurityScorecard study found that 50% of organizations have indirect relationships with at least 200 breached fourth-party vendors in the last two years. Yet most organizations have no systematic approach to identifying these hidden relationships.

Method 1: Contractual Discovery Through Third-Party Agreements

What It Is: Reviewing your third-party contracts and explicitly requiring vendors to disclose their critical subcontractors.

How to Implement:

1. Add Discovery Clauses to New Contracts: Include contractual language requiring vendors to:
   • Disclose all subcontractors who handle your data or support critical services
   • Notify you within 30 days of any changes to subcontractor relationships
   • Provide quarterly updates on their subcontractor ecosystem
2. Amend Existing Contracts: For current vendors, send a formal written request asking:
   • “Which subcontractors or service providers do you use to deliver services to us?”
   • “Do any of these subcontractors have access to our data?”
   • “Which subcontractors are critical to your service delivery?”
3. Create a Fourth-Party Questionnaire: Develop a standardized questionnaire asking about:
   • Infrastructure providers (cloud hosting, data centers)
   • Software dependencies (SaaS platforms, APIs)
   • Professional services (consultants, outsourced functions)
   • Support services (customer support, technical operations)

Pros: Contractual obligation provides ongoing visibility
Cons: Vendors may be reluctant to disclose for competitive reasons; requires contractual leverage

Sample Contract Language:

"Vendor shall maintain and provide to Client upon request a current list of all 
subcontractors, service providers, and third parties ("Subservice Organizations") 
that (i) have access to Client Data or (ii) provide services that are critical to 
Vendor's performance under this Agreement. Vendor shall provide written notice to 
Client at least 30 days prior to engaging any new Subservice Organization or 
terminating any existing Subservice Organization relationship."

Method 2: Technical Discovery Using Network Mapping Tools

What It Is: Using technology to map data flows and identify where your data travels beyond your direct vendors.

How to Implement:

1. Network Traffic Analysis:
   • Deploy tools that monitor where your data is sent
   • Identify third-party domains and IP addresses accessed by your vendors
   • Track API calls and data transfer patterns
2. Cloud Access Security Brokers (CASB):
   • Monitor SaaS application usage
   • Identify shadow IT and unauthorized fourth-party connections
   • Track data movement across cloud services
3. Vendor-Provided Access Logs:
   • Request access logs from critical vendors
   • Analyze which external systems they connect to
   • Identify frequent external integrations

Tools to Consider:

• For Enterprises: Netskope, McAfee MVISION Cloud, Cisco Cloudlock
• For Mid-Market: Zscaler, Bitglass, Palo Alto Networks Prisma
• Budget-Friendly: Wireshark (open source), pfSense (firewall with logging)

Pros: Provides objective, technical evidence of relationships
Cons: May require technical expertise; limited to digital relationships only

Method 3: SOC Report Analysis (SSAE 18 Requirements)

What It Is: Leveraging audit reports that your vendors are required to produce, which now include information about their critical subcontractors.

Understanding SSAE 18 Requirements:

SSAE 18 now requires mandatory inclusion of Complementary Subservice Organization Controls when applicable. This provides additional clarity of how your vendor is addressing their own vendor management obligations. Therefore, your vendors who use vendors of their own now must identify functions and controls that prove your fourth parties are performing

How to Extract Fourth-Party Information from SOC Reports:

1. Request SOC 2 Type II Reports from all critical vendors:
   • These reports cover security, availability, processing integrity, confidentiality, and privacy
   • SSAE 18 includes new requirements for auditors to assess whether the organization evaluates and monitors risks associated with subservice organizations
2. Focus on Key Sections:
   • Section 1: Management’s Description of the Service Organization’s System – Look for mentions of subservice organizations
   • Complementary Subservice Organization Controls – Lists critical fourth parties and what controls they’re responsible for
   • Complementary User Entity Controls – May reference external dependencies
3. Ask Specific Questions:
   • “Does your SOC report identify all subservice organizations?”
   • “Can you provide the SOC reports for your critical subservice organizations?”
   • “How do you monitor compliance of your subservice organizations?”

Sample SOC Report Analysis Checklist:

• SOC report clearly identifies all subservice organizations
• Critical functions performed by subservice organizations are documented
• Vendor has a process to monitor subservice organization controls
• Subservice organizations have their own SOC reports available
• Any control gaps or exceptions are clearly noted
• Changes in subservice organizations since last report are documented

Pros: Standardized approach; auditor-verified information
Cons: SOC reports may be high-level; not all vendors have SOC reports; annual updates only

Method 4: Industry Intelligence and Public Disclosures

What It Is: Using publicly available information to identify common fourth-party relationships in your vendor ecosystem.

How to Implement:

1. Review Vendor Websites and Marketing Materials:
   • “Powered by” badges and technology partner logos
   • Integration marketplace listings
   • Technology stack documentation
2. Check SEC Filings and Annual Reports:
   • Publicly traded vendors must disclose material relationships
   • Look for mentions of critical suppliers and dependencies
3. Monitor Industry Resources:
   • Technology partner ecosystems (e.g., Salesforce AppExchange, AWS Partner Network)
   • Industry reports on common technology stacks
   • Cybersecurity vendor advisories
4. Use Supply Chain Intelligence Platforms:
   • Tools like Panorays, SecurityScorecard, and BitSight now offer supply chain mapping features
   • These platforms can automatically identify fourth-party relationships based on public data

Pros: No vendor cooperation required; good for initial research
Cons: Incomplete picture; may miss non-public relationships

Creating Your Fourth-Party Discovery Process

Step-by-Step Workflow:

1. Start with Critical Vendors (Week 1-2)
   • Identify your 20 most critical third-party vendors
   • Focus on those that process sensitive data or support business-critical functions
2. Send Discovery Requests (Week 2-3)
   • Use your Fourth-Party Questionnaire
   • Request SOC reports if not already on file
   • Set a 30-day deadline for response
3. Analyze Responses (Week 3-4)
   • Map fourth-party relationships in a visual diagram
   • Identify concentration risks (multiple vendors using same fourth party)
   • Flag fourth parties in high-risk categories
4. Validate and Supplement (Week 4-6)
   • Cross-reference vendor responses with SOC reports
   • Use technical discovery tools to validate claims
   • Research public information for any gaps
5. Create Your Fourth-Party Inventory (Ongoing)
   • Document in a central repository
   • Include: fourth party name, what they do, data access, criticality rating
   • Update quarterly or when vendors notify you of changes

Risk Assessment Framework

Once you’ve identified your fourth parties, the next critical step is assessing which ones pose the greatest risk to your organization. Not all fourth parties are created equal—some warrant intensive oversight while others require minimal attention.

The Four-Tier Fourth-Party Risk Classification Model

Tier 1: Critical (Immediate Action Required)

These fourth parties pose existential risk to your operations or data security.

• Criteria:
  • Process, store, or transmit highly sensitive data (PII, PHI, payment card data)
  • Single point of failure that would halt critical business operations
  • Direct access to your production systems or customer-facing services
  • Serve multiple critical vendors (concentration risk)
• Examples:
  • Cloud infrastructure providers (AWS, Azure, GCP) hosting your vendor’s application
  • Payment processors handling your financial transactions
  • Identity and access management providers
  • Core database or data warehouse providers
• Risk Management Actions:
  • Quarterly risk assessments
  • Real-time security monitoring
  • Direct SOC report review
  • Inclusion in business continuity planning
  • Contractual rights to audit (through your third party)
  • Cyber insurance requirements

Tier 2: High (Enhanced Monitoring)

Significant impact on operations or compliance if compromised, but alternative options exist.

• Criteria:
  • Access to moderately sensitive data or limited customer information
  • Support important but non-critical business functions
  • Required for regulatory compliance
  • Moderate impact if unavailable for extended period
• Examples:
  • Email delivery services (SendGrid, Mailgun)
  • Authentication services (Auth0, Okta dependencies)
  • Customer support platforms
  • Analytics and reporting tools
  • Backup and disaster recovery providers
• Risk Management Actions:
  • Semi-annual risk assessments
  • Quarterly security posture monitoring
  • Review of vendor’s oversight practices
  • Documented contingency plans
  • Breach notification requirements in vendor contract

Tier 3: Medium (Standard Monitoring)

Minimal direct impact but could cause operational inconvenience.

• Criteria:
  • No direct access to sensitive data
  • Easy to replace with alternatives
  • Impact limited to specific department or function
  • Short-term workarounds available
• Examples:
  • Marketing automation tools
  • Non-critical software integrations
  • Office productivity tools
  • Project management platforms
  • Content delivery networks (CDN)
• Risk Management Actions:
  • Annual risk review
  • Basic security questionnaire through third party
  • Monitor for major incidents via threat intelligence
  • Standard contract protections

Tier 4: Low (Minimal Oversight)

Negligible risk to organization.

• Criteria:
  • No data access whatsoever
  • Purely operational or administrative functions
  • Easily replaceable commodity services
  • No regulatory implications
• Examples:
  • Office supply vendors
  • Facilities management providers
  • Non-technical consultants
  • Training providers with no system access
• Risk Management Actions:
  • Awareness only
  • Monitor through third party’s general TPRM program
  • No direct assessment required

Fourth-Party Risk Scoring Methodology

To objectively determine tier placement, use this weighted scoring rubric:

Data Sensitivity (40% of total score)

Business Criticality (30% of total score)

Regulatory & Compliance (20% of total score)

Concentration Risk (10% of total score)

Scoring Guidelines:

• 60-75 points = Critical (Tier 1)
• 45-59 points = High (Tier 2)
• 30-44 points = Medium (Tier 3)
• 15-29 points = Low (Tier 4)

Twenty Red Flags: Warning Signs of High-Risk Fourth Parties

Use this checklist to identify fourth parties that warrant immediate additional scrutiny:

Security & Compliance Red Flags:

1. No SOC 2 report available or last report is >18 months old
2. Known data breaches in the past 24 months
3. Poor security ratings from platforms like SecurityScorecard or BitSight (score <700)
4. Lack of cyber insurance or inadequate coverage limits
5. No dedicated security team or CISO

Operational Red Flags:

6. Unclear or no business continuity plan
7. Single data center with no geographic redundancy
8. No documented disaster recovery procedures
9. Critical dependency on a single upstream provider
10. Frequent service outages or performance issues

Financial & Governance Red Flags:

11. Privately held with no financial transparency
12. Recent layoffs or financial distress indicators
13. Venture-funded startup with uncertain runway
14. Pending litigation or regulatory investigations
15. Rapid management turnover

Contractual & Relationship Red Flags:

16. Your vendor has no written contract with the fourth party
17. Fourth party refuses to provide information or reports
18. Located in jurisdiction with weak data protection laws
19. No audit rights in your vendor’s contract with them
20. Recent merger, acquisition, or ownership change

Industry-Specific Playbooks

Different industries face unique fourth-party risk challenges due to varying regulations, data types, and operational requirements. Here are tailored approaches for major sectors.

Financial Services: Navigating DORA and Banking Regulations

Regulatory Landscape:

The Digital Operational Resilience Act (DORA) entered into application on January 17, 2025, ensuring that banks, insurance companies, investment firms and other financial entities can withstand, respond to, and recover from ICT disruptions

Key Challenges:

• Financial services firms must regularly review critical third-party ICT provider risk strategies and have clear, written, accessible, auditable policies and processes concerning the services and functions of the third party
• Approximately 22,000 financial services companies are under DORA’s jurisdiction, and DORA overseers can levy fines up to 1% of average daily worldwide turnover
• The first Register of Information report was due by April 30, 2025, documenting all contractual arrangements with ICT service providers

Fourth-Party Risk Priorities for Financial Services:

1. Cloud Service Providers: Any fourth party providing cloud infrastructure to your vendors
2. Payment Processors: Fourth parties in the payment chain
3. Data Analytics Providers: Fourth parties analyzing customer financial data
4. Identity Verification Services: Fourth parties performing KYC/AML functions
5. Core Banking System Dependencies: Infrastructure supporting your vendor’s banking platform

DORA-Specific Requirements:

• Requirements include fourth-party mapping, continuous monitoring, compliance and risk reporting by framework or regulation, and requirements for built-in guidance
• Financial entities must maintain a register of all ICT third-party providers and services, which includes details about contracts, criticality of services, and risk assessments

Action Plan:

Month 1-2: Inventory and Classification

• Create comprehensive Register of Information for all ICT third-party providers
• Map fourth-party relationships for each critical third party
• Classify fourth parties by criticality and regulatory impact

Month 3-4: Contract Review and Amendment

• Ensure all third-party contracts include fourth-party oversight provisions
• Add notification requirements for fourth-party changes
• Include audit rights extending to critical fourth parties

Month 5-6: Monitoring Implementation

• Deploy continuous monitoring for critical fourth parties
• Set up automated alerts for cyber incidents affecting fourth parties
• Establish incident response protocols including fourth-party scenarios

DORA Compliance Checklist for Fourth Parties:

• Complete inventory of ICT fourth parties documented
• Risk assessments conducted for critical fourth parties
• Contracts include fourth-party management clauses
• Continuous monitoring in place for high-risk fourth parties
• Incident response plans cover fourth-party scenarios
• Termination and exit strategies defined
• Register of Information updated and submitted to regulator

Healthcare: HIPAA and Fourth-Party BAA Requirements

Regulatory Landscape:

Healthcare faces unique challenges because healthcare suffers from the most breaches overall (242 incidents, 24.2% of all breaches), though a smaller percentage involve third parties due to the volume of direct attacks.

Key Challenges:

• Business Associate Agreements (BAAs) must cascade through the supply chain
• Protected Health Information (PHI) requires encryption and strict access controls
• Fourth parties may be unaware they’re handling PHI
• HIPAA fines can reach $1.5 million per violation category per year

Fourth-Party Risk Priorities for Healthcare:

1. Cloud Hosting Providers: AWS, Azure, or GCP instances hosting your vendor’s EHR system
2. Email and Communication Services: Any service transmitting PHI
3. Backup and Disaster Recovery: Services storing PHI backups
4. Analytics and AI Platforms: Fourth parties processing patient data for insights
5. Medical Device Cloud Services: Backend services for connected medical devices

HIPAA-Specific Fourth-Party Requirements:

1. BAA Cascade Requirements:
   • Your third party must have BAAs with their subcontractors who access PHI
   • You must verify BAAs are in place through contract review
   • BAAs must include breach notification requirements
2. PHI Handling Standards:
   • Encryption at rest and in transit (AES-256 minimum)
   • Access controls and audit logging
   • Data retention and destruction policies
   • Physical security requirements for data centers

Action Plan:

Phase 1: Identification (30 days)

• Request list of all subcontractors from vendors who handle PHI
• Identify which fourth parties have any PHI access
• Determine if BAAs are in place for each

Phase 2: Risk Assessment (60 days)

• Review fourth-party security practices
• Verify encryption standards
• Assess access control mechanisms
• Evaluate incident response capabilities

Phase 3: Contract Remediation (90 days)

• Ensure vendor contracts require BAAs with fourth parties
• Add breach notification requirements (60-day maximum)
• Include audit rights for fourth parties handling PHI
• Define acceptable PHI uses and disclosure limits

Phase 4: Ongoing Monitoring

• Quarterly reviews of fourth-party BAA status
• Annual security assessments of critical fourth parties
• Real-time breach monitoring via threat intelligence
• Regular training on fourth-party PHI handling

Healthcare Fourth-Party Checklist:

• All fourth parties with PHI access identified
• BAAs in place for each fourth party (verified)
• Encryption requirements documented and verified
• Access controls assessed and approved
• Breach notification process tested
• Audit rights included in vendor contracts
• Annual security assessments scheduled
• Incident response plan includes fourth-party scenarios

Manufacturing: Supply Chain Resilience and Physical Dependencies

Key Challenges:

• Global supply chains with multiple tiers of suppliers
• Physical product dependencies (raw materials, components)
• Just-in-time manufacturing vulnerable to disruptions
• Increasing digitalization creating cyber-physical risks

Fourth-Party Risk Priorities for Manufacturing:

1. Logistics and Transportation: Fourth-party carriers, warehouses, and freight forwarders
2. Raw Material Suppliers: Tier 2 and Tier 3 suppliers providing critical components
3. IoT and Industrial Control Systems: Fourth-party software in manufacturing equipment
4. Quality Assurance and Testing: Labs and certification bodies used by suppliers
5. ERP and PLM System Dependencies: Backend services supporting vendor systems

Critical Concentration Risks:

• Concentration risk occurs when a significant portion of an organization’s third-party vendors rely on the same fourth-party vendor, creating a potential single point of failure

Example Scenario: If ten of your suppliers all depend on the same shipping company, a strike or cyberattack on that company could simultaneously disrupt multiple product lines.

Action Plan:

Quarter 1: Mapping and Concentration Analysis

• Create a visual map of your supply chain to the fourth-party level
• Identify single points of failure (same fourth party used by multiple vendors)
• Assess geographic concentration risks (e.g., all suppliers in one region)
• Document alternative sources for critical fourth parties

Quarter 2: Resilience Assessment

• Evaluate business continuity plans of critical fourth parties
• Assess inventory buffers and lead times
• Test supplier relationships with tabletop exercises
• Identify dual-sourcing opportunities

Quarter 3: Contract Hardening

• Add force majeure clauses covering fourth-party failures
• Require supply chain mapping from vendors
• Include notification requirements for fourth-party changes
• Establish performance guarantees with liquidated damages

Quarter 4: Monitoring and Testing

• Implement supply chain visibility tools
• Monitor geopolitical risks affecting fourth-party locations
• Conduct annual supply chain resilience exercises
• Review and update risk assessments

Technology/SaaS: Cascading Platform Dependencies

Key Challenges:

• Rapid adoption of API-based integrations
• Microservices architecture creating complex dependencies
• Open source components with unknown maintainers
• Shadow IT and unauthorized integrations

Fourth-Party Risk Priorities for Technology Companies:

1. Infrastructure-as-a-Service (IaaS): Underlying cloud providers
2. Platform-as-a-Service (PaaS): Development and hosting platforms
3. API Dependencies: Third-party APIs your vendors integrate
4. Authentication Providers: Identity services in the chain
5. CDN and Edge Services: Content delivery fourth parties
6. Open Source Dependencies: Critical libraries and frameworks

Action Plan:

Sprint 1-2: Dependency Mapping

• Use software composition analysis (SCA) tools to identify dependencies
• Request vendor software bill of materials (SBOM)
• Map all API integrations and data flows
• Identify critical open source components

Sprint 3-4: Security Assessment

• Review security ratings of critical fourth-party platforms
• Assess vulnerability management practices
• Evaluate incident response capabilities
• Check for known vulnerabilities in dependencies

Sprint 5-6: Contract and Monitoring

• Add SLA requirements for fourth-party uptime
• Require vendors to notify you of significant dependency changes
• Implement automated dependency monitoring
• Set up alerts for vulnerabilities in critical components

Contract Strategy & Legal Protections

Your contracts with third parties are your primary mechanism for managing fourth-party risk. Without proper contract language, you have no leverage to demand fourth-party information, oversight, or remediation.

Essential Fourth-Party Contract Clauses

1. Fourth-Party Disclosure and Notification Clause

Purpose: Ensures you know who your fourth parties are and receive notice of changes.

Sample Language:

SUBCONTRACTORS AND FOURTH PARTIES

(a) Disclosure Requirement. Vendor shall, within thirty (30) days of the Effective 
Date and upon Client's request thereafter, provide Client with a complete and 
current list of all subcontractors, service providers, and other third parties 
("Fourth Parties") that:
    (i) Process, access, or store Client Data;
    (ii) Support Services that are critical to Vendor's performance under this 
        Agreement; or
    (iii) Are subject to regulatory requirements applicable to Client or the Services.

(b) Prior Notice of Changes. Vendor shall provide Client with at least thirty (30) 
days prior written notice before:
    (i) Engaging any new Fourth Party meeting the criteria in subsection (a); or
    (ii) Terminating any existing Fourth Party relationship that may affect the 
        Services.

(c) Information Requirements. For each Fourth Party, Vendor shall provide:
    - Legal name and primary business address
    - Description of services provided
    - Type and extent of access to Client Data
    - Location of data processing or storage
    - Relevant certifications (SOC 2, ISO 27001, etc.)
    - Summary of security and privacy controls

Why This Matters: Your contract template should include clauses that require your vendor to notify you if they materially change these fourth-party relationships

2. Right to Audit Clause (Extending to Fourth Parties)

Purpose: Preserves your ability to assess fourth-party risks through your vendor relationship.

Including a right to audit clause in your contract obligates your vendors to disclose data and to report with your organization on request

Sample Language:

RIGHT TO AUDIT

(a) Vendor Audit Rights. Client and its designated representatives shall have the 
right, upon reasonable notice, to audit Vendor's compliance with this Agreement, 
including:
    (i) Vendor's security controls and practices;
    (ii) Vendor's management and oversight of Fourth Parties; and
    (iii) Vendor's compliance with requirements imposed on Fourth Parties under 
         this Agreement.

(b) Fourth Party Audit Rights. For Critical Fourth Parties (as defined in Section X), 
Client reserves the right to:
    (i) Review audit reports, certifications, and security documentation;
    (ii) Request Vendor to conduct specific assessments of the Fourth Party;
    (iii) With Vendor's cooperation and subject to the Fourth Party's consent, 
          conduct direct assessments of the Fourth Party's controls relevant to 
          Client Data or the Services.

(c) Audit Cooperation. Vendor shall:
    - Cooperate fully with Client's audit activities;
    - Provide requested documentation within fifteen (15) business days;
    - Facilitate communication with Fourth Parties as needed;
    - Bear the cost of