This message was posted by a user wishing to remain anonymous
We ask about any sub-service providers our vendors use and how they are ensuring these sub-service providers are meeting the vendor's control environment (compliance, privacy, cybersecurity, BCP, etc.). We are only concerned about their critical or significant sub-service providers. If they have a SSAE 16 report, we look specifically for sub-service providers. If vendor is not cooperative, we treat the fourth-party as a third-party to us.
Original Message:
Sent: 03-31-2020 09:23 AM
From: Denise Dalrymple
Subject: Fourth Party
I was recently made aware that one of our vendors is using a vendor (so a fourth party for us) that it appears our third party did not review. We are attempting to collect due diligence docs on our own and self- review.
Has anyone run into this before? Did you include it in your vendor management program in order to review it?