Every day the news is filled with third-party data breaches and data leaks, and for good reason: they often expose the protected health information and personally identifiable information of thousands or even hundreds of millions of people.
For context, the Ponemon Institute estimates that the average cost of a data breach is nearly $4 million globally.
Vendor risk management (VRM) has become a top priority for CISOs and other members of senior management, even at the Board level.
Beyond the raw financial costs, organizations that suffer data breaches also face increased regulatory and reputational scrutiny due to the introduction of general data protection laws.
In the United States, California has introduced CCPA, Florida has introduced FIPA, and New York has launched the SHIELD Act. Each state wants to protect the personally identifiable information of its constituents. Outside of the United States, GDPR has been the biggest driver, and countries like Brazil, with LGPD, have followed the European Union's lead with the introduction of their general data protection laws.
Many of these laws have broadened the scope of what information is covered under the breach notification laws, significantly increasing the reputational impact of inadequate vendor and third-party cyber risk management practices.
While vendor risk management is business as usual for financial services and healthcare organizations, many other organizations still need help to get up to speed with vendor risk management best practices.
Security teams have to do more than they've ever had to. Not only are you expected to manage your security posture and information security policies, but you need to translate advanced analytics from cybersecurity risk assessments, vendor questionnaires, and vulnerability management tools into terms that non-technical stakeholders understand.
The good news is that many third-party risk management tools exist (UpGuard, BitSight, SecurityScorecard, Panorays, OneTrust, MetricStream, Aravo, just to name a few). The issue is that there are so many that it can be hard to decide which ones to assess, let alone what criteria to use to evaluate them.
That's why we wrote this post to provide you with a clear comparison between Prevalent, CyberGRX, and UpGuard, so you can make an informed decision and choose the tool that is right for you.
Prevalent is a Phoenix-based company that enables you to reveal and reduce vendor risk with its 360-degree third-party risk management platform.
Prevalent's cybersecurity risk rating solution helps organizations manage and monitor the security threats and risks associated with third and fourth-party vendors.
CyberGRX is a Denver-based company founded by Fred Kneip in 2015. It provides organizations and third parties with a cost-effective, scalable approach to third-party risk management.
The CyberGRX Exchange collects standardized data and cyber risk assessments, sharing them for others to use. The exchange means assessors can access information about a vendor, and vendors no longer need to answer the same questionnaires over and over.
In December 2019, CyberGRX announced it had raised $40 million in a Series D funding round led by ICONIQ Capital.