Picture this. Your SaaS provider has a flawless SOC 2 report. Their ISO 27001 certificate is current. Their security questionnaire came back clean, every box ticked. And you are still sitting in an incident war-room at 2 a.m., because the breach did not come from them. It came from their vendor — a sub-processor you did not know existed until your regulator asked about it.
This is fourth-party risk, and it is the dependency most boards in Bharat cannot see.
Third party, fourth party — and why the distance matters
A third party is a vendor you chose, contracted with, and can question directly. A fourth party is your vendor's vendor — the cloud host, the payment processor, the managed-service provider, the AI tool sitting one step beyond your line of sight. You never signed a contract with them. You may never have heard their name. And yet they can take your data, your operations, and your compliance posture down with them.
The reason this is so dangerous is structural. You are, in effect, outsourcing your risk management to the very entities whose risk you are trying to manage — and trusting them to police their own subcontractors on your behalf, with no independent way to verify the result.
The incidents are no longer hypothetical
The MOVEit campaign affected more than 2,000 organisations and exposed data belonging to over 62 million people — most of them victims through a vendor, not a direct compromise. The 2024 CrowdStrike outage showed how a single update from one shared dependency can disable services across dozens of your vendors at once, with no warning. And in 2025, a half-day AWS outage reportedly drove around $581 million in insurance losses — and many of the organisations caught in it were never AWS customers at all. They were customers of vendors who were. The cascade flowed through dependencies nobody had mapped, because nobody had done the mapping.
In 2026, the Vercel breach made the point even sharper: an attacker entered through a third-party AI tool, and because Vercel hosts front-ends for thousands of organisations, the compromise instantly became a fourth-party exposure for every one of them.
This is concentration risk — and almost no one is mapping it
Most third-party risk programmes assess vendors one at a time. What they rarely ask is what those vendors have in common. When forty of your "independent" suppliers all sit on the same cloud region, the same DNS provider, or the same security MSP, you do not have forty risks. You have one — and you have multiplied it forty times without knowing.
The annual questionnaire cannot save you here. The average vendor-risk professional is now responsible for assessing around 33 vendors against an inventory of close to 286 third parties — and the questionnaire is structurally incapable of seeing past Tier 1 anyway. Your fourth party has no obligation to answer your email. By the time you learn of the exposure, you usually learn it from a news alert, not a platform alert. Industry data suggests breaches are detected in a median of about 10 days but stay publicly unnamed for an average of 117 — a long, silent window in which thousands of downstream victims have no idea they are exposed.
For Indian organisations, the liability is now explicit
This is where it stops being an operational nuisance and becomes a regulatory exposure with your name on it.
Under the DPDP Act and the 2025 Rules, accountability rests with the Data Fiduciary even when processing is carried out by a Data Processor. The Rules expressly require appropriate security provisions in fiduciary–processor agreements. Translation: when your processor's sub-processor leaks Bharat's data, the Data Protection Board does not chase the sub-processor you never hired. It looks at you.
SEBI's CSCRF already mandates that regulated entities assess, monitor, and enforce cybersecurity requirements across vendors and outsourced services — and it has moved to an evidence-based audit model where that oversight must be demonstrable, not asserted. Globally the pattern is identical: regulators from the UK's PRA to the US OCR have established that inadequate ongoing oversight of a downstream provider is the covered entity's own compliance failure — regardless of whether the entity was directly compromised.
You cannot contract this away. You can only see it — continuously.
The shift: from point-in-time to always-on, outside-in
The annual vendor review is to fourth-party risk what an annual health check-up is to a cardiac event. By the time the report lands, the exposure has already cascaded. The 2026 baseline is continuous, outside-in monitoring that discovers and maps dependencies without waiting for the vendor to cooperate — passive discovery, concentration-risk mapping, and live alerting that tells you a sub-processor is on fire before the headline does.
And critically for those of us building sovereign capability: this is a data problem before it is a vendor problem. Your regulated data does not stop at your vendor's perimeter — it flows into their hosting, their backups, their AI tools. This is exactly why I treat data security posture management as the foundation of supply-chain assurance. With Citadel DSPM, the question shifts from "did my vendor fill in the form?" to "where does my sensitive data actually live across this chain, and are the controls holding right now?" Combine that data-centric visibility with non-human-identity monitoring — because the Vercel-style entry point was an AI tool's identity, not a person's — and you start watching the supply chain the way it actually behaves, not the way the questionnaire describes it.
Five things to do this quarter
1. Map your fourth parties. Start with your most critical vendors and demand a maintained list of their material sub-processors. Make it a contractual obligation, not a favour.
2. Hunt concentration. Plot which shared dependency (cloud region, MSP, DNS, AI provider) sits under the largest cluster of your vendors. That is your single point of failure.
3. Replace the annual questionnaire with continuous signal. Outside-in monitoring catches drift the form never will.
4. Put DPDP and CSCRF liability on the board agenda. The fiduciary stays liable down the chain — make sure leadership has internalised that before the Data Protection Board points it out.
5. Treat it as a data question. Know where your sensitive data flows beyond your walls, and monitor the controls protecting it in real time.
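Steps 1 and 2 above (map the fourth parties, then hunt concentration) are the part of this list that can be reduced to a data structure. The following is an added example, not code from the original post or from any Citadel product: it takes a constructed sub-processor inventory with hypothetical vendor names, walks it transitively so that a vendor's vendor (and that vendor's vendor) is counted, and ranks the shared dependencies by how many Tier-1 contracts sit on top of each one. The point it makes that the prose only states is that a dependency can look like "three vendors" when counted from direct declarations and turn out to be "every vendor" once one extra hop is followed.

```python
from collections import defaultdict, deque

# Constructed inventory with hypothetical names. TIER1_VENDORS are the
# entities you hold a contract with; DECLARED_DEPENDENCIES maps every
# known entity to the sub-processors it has declared (an assumption: in
# practice this list comes from the contractual obligation in step 1 plus
# outside-in discovery).
TIER1_VENDORS = {"PayrollCo", "CRMCo", "TicketingCo", "AnalyticsCo"}

DECLARED_DEPENDENCIES = {
    "PayrollCo":      ["CloudRegion-A", "DNS-Provider-X", "MSP-Y"],
    "CRMCo":          ["CloudRegion-A", "AI-Assistant-Z"],
    "TicketingCo":    ["CloudRegion-B", "MSP-Y"],
    "AnalyticsCo":    ["CloudRegion-A", "DNS-Provider-X"],
    # Sub-processors have sub-processors of their own (your fifth parties).
    "MSP-Y":          ["CloudRegion-A", "AI-Assistant-Z"],
    "AI-Assistant-Z": ["CloudRegion-B"],
}


def transitive_dependencies(entity, deps=DECLARED_DEPENDENCIES):
    """Every dependency reachable from `entity`, any number of hops away."""
    seen, queue = set(), deque(deps.get(entity, []))
    while queue:
        d = queue.popleft()
        if d in seen:
            continue
        seen.add(d)
        queue.extend(deps.get(d, []))
    return seen


def fourth_parties(tier1=TIER1_VENDORS, deps=DECLARED_DEPENDENCIES):
    """Entities your data reaches that you never contracted with (step 1)."""
    reachable = set()
    for vendor in tier1:
        reachable |= transitive_dependencies(vendor, deps)
    return reachable - set(tier1)


def concentration(tier1=TIER1_VENDORS, deps=DECLARED_DEPENDENCIES, transitive=True):
    """Step 2: map each shared dependency to the Tier-1 vendors sitting on it.

    Returns (dependency, {vendors}) pairs, largest cluster first, so the
    top entry is your single point of failure. With transitive=False only
    the vendors' own declarations are counted, which is what a one-tier
    questionnaire programme would see.
    """
    clusters = defaultdict(set)
    for vendor in tier1:
        reached = transitive_dependencies(vendor, deps) if transitive else set(deps.get(vendor, []))
        for dep in reached:
            clusters[dep].add(vendor)
    return sorted(clusters.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def blast_radius(dependency, tier1=TIER1_VENDORS, deps=DECLARED_DEPENDENCIES):
    """Tier-1 vendors you would lose if `dependency` had an outage or breach."""
    return {v for v in tier1 if dependency in transitive_dependencies(v, deps)}


if __name__ == "__main__":
    print("Fourth parties you never contracted with:", sorted(fourth_parties()))
    print("\nConcentration (direct declarations only):")
    for dep, vendors in concentration(transitive=False):
        print(f"  {dep:16} {len(vendors)} vendor(s): {sorted(vendors)}")
    print("\nConcentration (following every hop):")
    for dep, vendors in concentration():
        print(f"  {dep:16} {len(vendors)} vendor(s): {sorted(vendors)}")
    top, hit = concentration()[0]
    print(f"\nSingle point of failure: {top} takes down {len(hit)} of {len(TIER1_VENDORS)} vendors")
```

On the constructed data, TicketingCo never declares CloudRegion-A, yet it sits on it through MSP-Y, so the direct count for that region is three vendors and the transitive count is all four. That gap between the two reports is the concentration the annual questionnaire cannot surface, and it is the number to put in front of the board.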
The breach you never signed up for is still your breach. In 2026, "we didn't know they existed" is not a defence — it is an admission.
This is one front in a larger mission: building sovereign, Made-in-India security capability that can see, and secure, the entire chain Bharat's data flows through.
#SecuringBharat #FourthPartyRisk #ContinuousCompliance #DPDP #CISO #DSPM #SupplyChainSecurity #Citadel