Robust vendor risk management practices have never been more important. They are increasingly one of the top concerns of CISOs around the world. This is because outsourcing, digitization, and globalization have changed the way we do business over the last few decades.
These forces have led to innovation in products and services, the ability to focus on core competencies, reduced costs, and new global markets. But they also introduced significant cyber risk, particularly the risk of data breaches and data leaks.
The truth is that globally dispersed, highly networked, and digitized businesses face new cyber threats and resiliency risks that many businesses are only beginning to address. As a result, both governments and commercial organizations are establishing third-party cyber risk management programs to better identify, assess, mitigate, and oversee the risks created by third-party vendors, fourth-parties, and even customers. These risks are known as first, second, third, and fourth-party risk.
In the past, these programs have been time-consuming and limited to highly regulated industries, such as financial services, healthcare, and energy. Today, the introduction of extraterritorial general data protection laws means the majority of organizations require a scalable and cost-efficient way to assess risk exposure across their supply chain, both to protect their customers and company and to comply with regulatory requirements. Examples include the EU's GDPR, Canada's PIPEDA, Florida's FIPA, New York's SHIELD Act, California's CCPA, and Brazil's LGPD.
The increased reputational, financial, and regulatory impact of these trends and laws has led to a number of different third-party risk management solutions. Each promises to help create a more efficient process while providing greater insight into which risks need to be prioritized for mitigation.
Additionally, these tools often translate technical details like security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms non-technical stakeholders can understand.
However, without past experience, it can be hard to choose the right solution for your organization. That's why we wrote this post, to make it as easy as possible for you to compare CyberGRX and UpGuard.
CyberGRX is based in Denver, Colorado, in the United States and was founded by Fred Kneip in 2015. CyberGRX provides enterprises and their third-parties with a cost-effective and scalable approach to third-party cyber risk management.
It does this by collecting data and cyber risk assessments in a structured format and then sharing them on its information exchange platform. This allows assessors to quickly access information about a vendor while lowering the operational overhead for the vendor, who has fewer similar questionnaires to fill out.
In December 2019, CyberGRX announced it had raised $40 million in Series D funding led by ICONIQ Capital.