Beyond 4th Party Risk: The Convergence Problem

Last week we discussed the fourth-party risk problem: the actual exposure lives in a company you never assessed. But fourth-party isn't the end of the chain.

Your vendors have vendors. And their vendors have vendors. At some point, they all converge on the same foundation.

The Convergence Problem

You look at your vendor portfolio and see diversity. Fifty vendors, different products, different companies. Feels distributed.

But trace it down a layer or two. How many of those vendors run on AWS? How many use the same identity provider? The same payment processor? The same DNS or CDN service?

Your "diversified" vendor base funnels down to a handful of providers you never assessed, never onboarded, and might not even know exist in your ecosystem.

Fifth-Party Isn't Theoretical

Fourth-party is your vendor's vendors. Fifth-party is your vendor's vendor's vendors. That sounds like overkill until you trace the dependency chain.

Your vendor uses a payroll provider. That payroll provider uses a cloud hosting service. That cloud hosting service uses a DNS provider. An outage or a breach at the fifth-party level cascades up through layers you didn't know were connected.

The July 2024 CrowdStrike outage made this real. One faulty update from one company, sitting several layers deep in thousands of vendor relationships, took down airlines, hospitals and banks that had never assessed it as a vendor.

Nobody's Aggregating This

Even banks with mature fourth-party programs aren't mapping fifth-party convergence. And honestly? The data doesn't exist in a usable form.

Your vendor might tell you their critical subcontractors. They probably don't know their subcontractors' critical subcontractors. And even if everyone disclosed everything, no one's aggregating across the portfolio to find the convergence points.

So you can't see where your entire vendor ecosystem depends on the same three infrastructure providers. The systemic risk is invisible.

Common Convergence Points

While you may not have visibility into every layer, certain convergence points are predictable:

  • Cloud Infrastructure: AWS, Azure, Google Cloud dominate the market
  • Authentication: Okta, Auth0, and similar identity providers are everywhere
  • Payment Processing: Limited options at scale
  • DNS Services: Critical infrastructure with few major players
  • CDN Providers: Cloudflare, Akamai, and similar services
  • Security Tooling: endpoint agents and similar software installed across thousands of customers at once, which is exactly what the CrowdStrike outage exposed

When one of these fails, the cascade effect hits multiple vendor relationships simultaneously.
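The two ideas above, finding where the portfolio funnels down to a handful of providers and working out which vendor relationships fail together when one of them does, are a graph problem once the dependency data exists. The following is an added example, not code from the original post or from any vendor tool. The dependency map it walks is constructed for illustration: the names are placeholders, not real vendor disclosures, and the bank, the four onboarded vendors and every provider below them are assumptions of the example.

```python
from collections import deque

# Constructed sample dependency map (illustrative names, not real disclosures).
# Key: an organization. Value: the organizations it depends on.
# "bank" is the assessing institution; its direct entries are the third parties
# it actually onboarded. Everything deeper is what those vendors, and their
# vendors, disclosed (or would disclose if asked).
DEPENDENCIES = {
    "bank": ["core-banking-saas", "payroll-vendor", "loan-origination", "chat-support"],
    "core-banking-saas": ["aws", "okta", "cloudflare"],
    "payroll-vendor": ["hosting-co", "okta"],
    "loan-origination": ["azure", "doc-esign"],
    "chat-support": ["hosting-co"],
    "hosting-co": ["aws", "dns-provider"],
    "doc-esign": ["aws", "cloudflare"],
    # Providers depend on each other too, sometimes in a loop; the walk below
    # tolerates that instead of recursing forever.
    "aws": ["dns-provider"],
    "dns-provider": ["aws"],
    "okta": ["aws"],
    "cloudflare": [],
    "azure": [],
}

TIER_NAMES = {1: "third-party", 2: "fourth-party", 3: "fifth-party"}


def map_exposure(graph, root):
    """Walk every dependency chain below `root`.

    Returns {provider: (min_tier, frozenset(onboarded_vendors))}: the shallowest
    tier the provider appears at (1 = third party, 2 = fourth, 3 = fifth, ...)
    and every directly onboarded vendor whose chain reaches it.
    """
    exposure = {}
    for vendor in graph.get(root, []):
        # Breadth-first from each onboarded vendor, so the first visit of a node
        # is its shortest chain from that vendor; `seen` breaks cycles.
        queue = deque([(vendor, 1)])
        seen = {vendor}
        while queue:
            node, tier = queue.popleft()
            prev_tier, prev_vendors = exposure.get(node, (tier, frozenset()))
            exposure[node] = (min(prev_tier, tier), prev_vendors | {vendor})
            for dep in graph.get(node, []):
                if dep not in seen:
                    seen.add(dep)
                    queue.append((dep, tier + 1))
    return exposure


def convergence_points(graph, root, min_vendors=2):
    """Providers that several onboarded vendors funnel down to, ranked by how
    many of those vendors depend on them. Direct vendors are excluded: they were
    assessed; the point is what sits beneath them."""
    exposure = map_exposure(graph, root)
    direct = set(graph.get(root, []))
    hits = [
        (node, tier, sorted(vendors))
        for node, (tier, vendors) in exposure.items()
        if node not in direct and len(vendors) >= min_vendors
    ]
    hits.sort(key=lambda h: (-len(h[2]), h[1], h[0]))
    return hits


def blast_radius(graph, root, failed):
    """Onboarded vendors whose chains reach `failed`: what goes down together."""
    exposure = map_exposure(graph, root)
    return sorted(exposure.get(failed, (0, frozenset()))[1])


if __name__ == "__main__":
    for node, tier, vendors in convergence_points(DEPENDENCIES, "bank"):
        label = TIER_NAMES.get(tier, f"tier-{tier}")
        print(f"{node:14s} first seen as {label:12s} reached by {len(vendors)} vendors: {vendors}")
    print("If dns-provider fails:", blast_radius(DEPENDENCIES, "bank", "dns-provider"))
```

On the constructed data, `dns-provider` never appears above the fifth-party tier, yet all four onboarded vendors reach it, so its blast radius equals that of `aws`. That is the convergence problem in one line of output: the provider nobody onboarded has the same failure footprint as the one everybody knows about. The same walk works on real disclosure data in any shape you can reduce to "who depends on whom"; what it cannot do is invent the edges vendors never reported.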

There's No Playbook for This Yet

I'm not going to pretend there's a five-step framework to solve fifth-party concentration. There isn't. The industry hasn't built the tools, the standards, or the transparency mechanisms to make this visible.

But that doesn't mean we ignore it.

"Start by acknowledging the dependency chains don't stop where our assessments stop."

Push vendors for more transparency about their own dependencies: ask them to name the critical subcontractors behind the service you buy, and ask whether they have put the same question to those subcontractors. Build the conversation at the industry level — because no single bank is solving this alone.

The Next Frontier

This is the next frontier in vendor risk management. We need:

  • Better vendor transparency about subcontractor dependencies
  • Shared infrastructure mapping across the industry
  • Standardized disclosure of critical dependencies
  • Concentration risk frameworks that account for convergence

The tools don't exist yet. The standards aren't written. But the risk is real, and it's growing as vendor ecosystems become more interconnected.

We need to figure it out together.

RM

About the Author

Risk Management Consultant

Specializing in third-party risk management for financial institutions, helping banks understand and address emerging risks in increasingly complex vendor ecosystems.
