June 5, 2025 Strategy

Most third-party risk management programs focus on the direct relationship between the organization and its vendors. But modern technology supply chains are deeply interconnected. Your vendors have their own vendors, who have their own vendors. When multiple vendors in your portfolio share the same underlying cloud provider, identity platform, CDN, or software dependency, you face concentration risk that a standard vendor assessment will never reveal. The events of 2023 and 2024 demonstrated, in spectacular fashion, what happens when that concentration risk materializes.

The CrowdStrike Outage: Concentration Risk in Action

On July 19, 2024, a faulty Rapid Response Content update (Channel File 291) to CrowdStrike's Falcon sensor caused an estimated 8.5 million Windows devices worldwide to crash with a Blue Screen of Death (BSOD). The impact was immediate and sweeping: airlines grounded flights, hospitals delayed procedures, banks experienced outages, and emergency services were disrupted. Delta Air Lines alone estimated losses exceeding $500 million.

This was not a cyberattack. It was a software quality failure in a single endpoint detection and response (EDR) product. Because it shipped as a content update rather than a new sensor version, it reached every host at once instead of passing through the staged sensor rollout policies customers had configured, and recovery required hands-on remediation of each affected host (booting into safe mode or the recovery environment to delete the faulty channel file). Because CrowdStrike had achieved enormous market penetration, particularly among large enterprises and critical infrastructure operators, the failure cascaded across industries. For organizations whose TPRM programs assessed each vendor individually, the risk was invisible. Each vendor's use of CrowdStrike was a reasonable security decision. The systemic risk emerged from the fact that dozens or hundreds of vendors all made the same reasonable decision, creating a single point of failure across the supply chain.

MOVEit: When a Shared Vendor Becomes a Shared Vulnerability

In May 2023, the Clop ransomware group exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer file transfer application. The attack affected over 2,600 organizations and exposed the personal data of more than 90 million individuals worldwide, according to tracking by security researcher Brett Callow and Emsisoft. Victims included the U.S. Department of Energy, Shell, British Airways, the BBC, and hundreds of other organizations across government, healthcare, finance, and education.

Many of the affected organizations did not use MOVEit directly. They were affected because their vendors, payroll providers, benefits administrators, or other third parties used MOVEit to process or transfer their data; British Airways and the BBC, for example, were hit through their payroll provider Zellis. This is the essence of fourth-party risk: your data can be compromised through a vendor's vendor that you may not even know exists. A standard vendor questionnaire asking "Do you use secure file transfer?" would have received an affirmative answer from organizations using MOVEit, and it was a reasonable answer. The risk was not in the vendor's choice of tool but in a zero-day vulnerability in a widely shared, internet-exposed dependency, something only an inventory that names the product could be matched against once the CVE was published.

Incident: CrowdStrike Outage (July 2024)
Root cause: Faulty content update (Channel File 291) to the Falcon sensor
Cascade impact: 8.5 million devices crashed; airlines, hospitals, and banks disrupted globally

Incident: MOVEit Exploit (May 2023)
Root cause: Zero-day SQL injection (CVE-2023-34362) in a file transfer tool
Cascade impact: 2,600+ organizations and 90+ million individuals affected

Incident: Snowflake Credential Campaign (2024)
Root cause: Customer credentials stolen by infostealer malware, used against Snowflake accounts that had no MFA enabled
Cascade impact: About 165 organizations affected, including AT&T and Ticketmaster

Understanding the Layers of Nth-Party Risk

The terminology can be confusing, so it helps to define the layers clearly:

Third-party risk is the risk from vendors you contract with directly: the SaaS provider, the payroll processor, the EDR vendor.

Fourth-party risk is the risk from your vendors' vendors: the cloud provider your SaaS vendor hosts on, the file transfer product your payroll processor uses. You usually have no contract with them and often do not know they exist.

Nth-party risk extends the chain further: the fourth party's own providers and dependencies, and so on down the supply chain.

Technology concentration risk occurs when multiple third parties share the same fourth-party dependency. If five of your critical vendors all use AWS for hosting, a major AWS outage affects all five simultaneously. If ten vendors use the same identity provider, a breach of that provider potentially compromises access to all ten. The risk is not in any single vendor relationship but in the aggregate concentration across the portfolio.

Why Standard TPRM Misses Concentration Risk

Standard vendor assessments evaluate each vendor in isolation. The questionnaire asks about the vendor's own controls, certifications, and practices. It rarely asks the vendor to enumerate its critical subprocessors, cloud providers, or shared dependencies. Even when subprocessor lists are available (GDPR Article 28 requires processors to disclose their sub-processors and obtain the controller's authorization for them), they are typically reviewed for data protection compliance, not for technology concentration.

The result is that the TPRM team may know that Vendor A uses AWS, but they do not systematically track that Vendors B, C, D, and E also use AWS. Without aggregating this information across the portfolio, the concentration risk is invisible. It only becomes apparent when the shared dependency fails and multiple vendors are affected simultaneously.

"Organizations cannot manage risks they cannot see. Fourth-party risk and technology concentration are among the most significant blind spots in vendor risk management today." — Gartner, Market Guide for IT Vendor Risk Management

Building a Technology Concentration Risk Program

Addressing concentration risk requires extending TPRM beyond individual vendor assessments to portfolio-level analysis. The following practices are essential:

Map Technology Stacks Across Vendors

For each vendor, capture the key technology dependencies: cloud provider(s), identity provider, CDN, DNS provider, key software platforms, and critical open-source dependencies. Much of this is already on hand: a SOC 2 report names the subservice organizations the vendor relies on, a GDPR subprocessor list names its data processors, and the vendor's public DNS, certificate, and mail records reveal its cloud, CDN, and email providers without asking. Aggregate this data across the vendor portfolio to identify concentration points. This does not need to be exhaustive; focus on the dependencies most likely to cause cascading failures.

Identify Single Points of Failure

Once the technology map is built, look for dependencies where a single failure would affect multiple critical vendors simultaneously. These are the concentration risks that require mitigation strategies: architectural redundancy, alternative vendor options, or enhanced business continuity planning.

Monitor Shared Dependencies

Apply the same continuous monitoring approach used for direct vendors to critical fourth-party dependencies. If AWS, Azure, or a major SaaS platform experiences an outage or security incident, the TPRM team should immediately assess the downstream impact on all vendors that depend on that platform.

Include Concentration in Risk Quantification

FAIR risk quantification can model concentration risk by treating the shared dependency itself as the loss event: its loss event frequency is the rate at which that fourth party fails or is breached, and its loss magnitude is the sum of the losses across every vendor that depends on it, because they all fail in the same event. Summing per-vendor annualized loss expectancies gives the same yearly average, so the annualized figure alone does not expose concentration; what changes is the magnitude of a single loss event, which is what a loss tolerance or insurance limit is set against. This converts an abstract portfolio risk into a dollar figure that executives can use for decision-making.
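The mapping, single-point-of-failure, monitoring, and quantification steps above, as one added example in Python. This is not code from Fair TPRM; the vendor names, dependency names, loss figures, and event frequency are constructed for illustration, and the FAIR treatment uses point estimates where a full analysis would use distributions. It inverts a vendor inventory into a dependency-to-vendors index, flags dependencies shared by two or more critical vendors, returns the blast radius of a fourth-party incident, and contrasts the worst single loss event that per-vendor assessment reports with the correlated single loss event of a shared dependency.

```python
"""Portfolio-level technology concentration analysis.

Added example for this article, not code from Fair TPRM. The vendors,
dependency names and loss figures are constructed for illustration, and the
FAIR treatment uses point estimates where a full analysis would use
distributions and Monte Carlo sampling.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Vendor:
    name: str
    critical: bool
    dependencies: dict          # category -> provider, e.g. {"cloud": "AWS"}
    loss_magnitude: int         # assumed single-event loss (USD) if this vendor fails


# Constructed sample portfolio; every name and figure is hypothetical.
PORTFOLIO = [
    Vendor("PayrollCo", True,
           {"cloud": "AWS", "idp": "Okta", "file_transfer": "MOVEit Transfer"}, 400_000),
    Vendor("BenefitsAdmin", True,
           {"cloud": "AWS", "idp": "Okta", "file_transfer": "MOVEit Transfer"}, 300_000),
    Vendor("AnalyticsSaaS", True,
           {"cloud": "AWS", "idp": "Entra ID", "file_transfer": "in-house SFTP"}, 250_000),
    Vendor("PrintShop", False,
           {"cloud": "Azure", "idp": "Entra ID", "file_transfer": "MOVEit Transfer"}, 20_000),
    Vendor("HelpdeskTool", True,
           {"cloud": "GCP", "idp": "Okta"}, 150_000),
]


def concentration_map(vendors):
    """Invert vendor -> dependencies into (category, provider) -> vendor names.
    This is the portfolio-level view a per-vendor questionnaire never builds."""
    index = defaultdict(set)
    for v in vendors:
        for category, provider in v.dependencies.items():
            index[(category, provider)].add(v.name)
    return dict(index)


def single_points_of_failure(vendors, min_critical=2):
    """Dependencies shared by at least `min_critical` critical vendors,
    most widely shared first."""
    critical = {v.name for v in vendors if v.critical}
    hits = {}
    for dep, names in concentration_map(vendors).items():
        shared = names & critical
        if len(shared) >= min_critical:
            hits[dep] = sorted(shared)
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


def blast_radius(vendors, dependency):
    """Every vendor, critical or not, hit when `dependency` fails. Run this
    the moment a fourth party reports an outage or breach."""
    return sorted(concentration_map(vendors).get(dependency, set()))


def single_loss_event(vendors, dependency):
    """Magnitude of one failure of the shared dependency. All dependent
    vendors fail in the same event, so their magnitudes add."""
    magnitude = {v.name: v.loss_magnitude for v in vendors}
    return sum(magnitude[n] for n in blast_radius(vendors, dependency))


def correlated_ale(vendors, dependency, event_frequency):
    """FAIR-style annualized loss expectancy for the shared dependency:
    loss event frequency (events per year at the fourth party) times the
    correlated single-event magnitude."""
    return event_frequency * single_loss_event(vendors, dependency)


def independent_worst_case(vendors):
    """The worst single event a vendor-by-vendor assessment reports: the
    largest individual loss, since each vendor is assumed to fail alone."""
    return max(v.loss_magnitude for v in vendors)


def over_tolerance(vendors, tolerance):
    """Shared dependencies whose correlated single-event loss exceeds the
    organization's loss tolerance. When no single vendor exceeds the
    tolerance, per-vendor assessment reports no problem even though these do."""
    return {dep: single_loss_event(vendors, dep)
            for dep in concentration_map(vendors)
            if single_loss_event(vendors, dep) > tolerance}


if __name__ == "__main__":
    for dep, names in single_points_of_failure(PORTFOLIO).items():
        print(f"{dep[0]:14} {dep[1]:16} critical vendors: {', '.join(names)}")
    print("per-vendor worst single event:", independent_worst_case(PORTFOLIO))
    for dep, loss in over_tolerance(PORTFOLIO, 500_000).items():
        print(f"{dep[1]}: correlated single loss event {loss:,}")
    print("AWS ALE at 0.1 events/year:",
          correlated_ale(PORTFOLIO, ("cloud", "AWS"), 0.1))
```

On the constructed portfolio, no single vendor can lose more than 400,000 in one event, so a 500,000 loss tolerance looks safe vendor by vendor; the portfolio view shows AWS (950,000), Okta (850,000), and MOVEit Transfer (720,000) each breaching it in a single correlated event. The same index answers the monitoring question: when a fourth party reports an incident, `blast_radius` lists every vendor to contact.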

TPRM Lesson Learned: Individual vendor assessments are necessary but insufficient for managing systemic risk. Technology concentration and fourth-party dependencies create correlated failure modes that only become visible through portfolio-level analysis. The CrowdStrike outage and MOVEit breach are not anomalies — they are the predictable consequence of an increasingly interconnected technology supply chain. Modern TPRM programs must map vendor technology stacks, identify concentration points, and monitor shared dependencies alongside direct vendor relationships. Fair TPRM supports technology concentration analysis and nth-party risk mapping as part of its vendor lifecycle management capabilities.

Protect Your Organization from Third-Party Risk

Fair TPRM is a free, open-source platform for vendor risk management, GRC compliance, and FAIR risk quantification.


Sources & References

  1. Helping Our Customers Through the CrowdStrike Outage - Microsoft Blog, July 20, 2024
  2. Technical Details: Falcon Update for Windows Hosts - CrowdStrike Blog, July 2024
  3. Unpacking the MOVEit Breach: Statistics and Analysis - Emsisoft, 2023
  4. CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability - CISA Advisory, June 2023
  5. Gartner Market Guide: IT Vendor Risk Management - Gartner