Due to increased outsourcing, digitization, and globalization, vendor risk management has become a top concern for CISOs and senior management around the world.
These three forces have led to better products and services for consumers, while giving organizations the ability to focus on core competencies, reduce costs, and access new, global markets.
The unfortunate truth is that a globally dispersed, highly networked, digitized organization faces an unprecedented number of cyber threats and resiliency risks that many businesses have chosen to ignore. This has resulted in governments establishing laws and regulations that require the establishment of third-party cyber risk management programs to better identify, assess, mitigate, and oversee the risks created by third-party vendors, fourth parties, and even customers. These risks are known as first, second, third, and fourth-party risk.
Organizations that operate in highly regulated industries, such as financial services, healthcare, and energy, have experience running these programs at scale. However, the regulatory scope has increased with the introduction of extraterritorial general data protection laws. Examples include the EU's GDPR, Canada's PIPEDA, Florida's FIPA, New York's SHIELD Act, California's CCPA, and Brazil's LGPD.
These laws mean that organizations in what were traditionally loosely regulated industries must now develop the expertise required to run a scalable and cost-effective risk assessment program across their supply chain to protect their customers and company.
Additionally, these laws often introduce data breach notification requirements which have increased the reputational and financial impact of poor vendor and cybersecurity risk management.
Today, more than ever before, security teams need to be able to translate technical details like security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms non-technical stakeholders can understand.
That's exactly what many of these third-party risk management tools do. The issue is that, without past experience, it can be hard to choose the right solution for your organization. That's why we wrote this post: to make it as easy as possible for you to compare BitSight, CyberGRX, and UpGuard.
BitSight is a Cambridge-based company that aims to quantify the external cybersecurity posture of an organization using publicly accessible data. Its FICO-like BitSight security rating is used by underwriters for pricing cyber insurance, by third-party risk teams for vendor research, for due diligence research in private equity and M&A activities, and more.
Additionally, these security ratings are used for security performance management and the assessment of third and fourth-party risk.
CyberGRX is based in Denver, Colorado, in the United States, and was founded by Fred Kneip in 2015. CyberGRX provides enterprises and their third parties with a cost-effective and scalable approach to third-party cyber risk management.
It does this by collecting data and cyber risk assessments in a structured format and then sharing them on its information exchange platform. This allows assessors to quickly access information about a vendor while reducing the operational overhead for the vendor, who no longer has to fill out many similar questionnaires.
In December 2019, CyberGRX announced it had raised $40 million in Series D funding led by ICONIQ Capital.