Outsourcing, digitization, and globalization have made vendor risk management a top priority for CISOs and senior management alike.
These forces have led to innovative products and services, increased specialization, lower costs, and increased access for customers and organizations alike.
However, they've also introduced significant cyber risk, particularly the risk of unintended data exposure in the form of a data breach or data leak. In fact, a recent study by the Ponemon Institute and IBM put the average cost of a data breach at $3.92 million.
Our globally dispersed, highly networked economy faces unprecedented cyber threats and resiliency risks that many organizations have ignored.
Governments around the world are enacting laws and regulations that require you to establish a third-party cyber risk management program to better identify, assess, mitigate, and oversee risks created by third-party vendors, fourth parties, and even customers.
This is business as usual for financial services, healthcare, and energy companies, which know how to operate in a regulated environment. However, the introduction of extraterritorial general data protection laws means that organizations that were loosely regulated must now invest in vendor risk management.
These laws include the EU's GDPR, Canada's PIPEDA, Florida's FIPA, New York's SHIELD Act, California's CCPA, and Brazil's LGPD.
Many of these laws also introduce mandatory data breach notification requirements that have drastically increased the reputational impact of poor vendor and cybersecurity risk management practices.
Additionally, security teams, now more than ever before, are expected to translate technical details like security postures, cybersecurity risk assessments, vendor questionnaires, and information security policies into terms non-technical stakeholders can understand, particularly board members.
The good news is this is exactly what many third-party cyber risk management tools aim to do; the issue is there are so many of them (UpGuard, BitSight, SecurityScorecard, RiskRecon, CyberGRX, MetricStream, Prevalent, OneTrust, and more).
It's hard to know where to start, let alone what criteria to assess each tool against.
As such, this post aims to provide you with a clear assessment of SecurityScorecard, CyberGRX, and UpGuard so you can make an informed decision about which tool is right for you and your organization.
SecurityScorecard overview
SecurityScorecard is a New York-based company that uses traffic and other publicly accessible data to build security ratings that can be used to evaluate vendors and price cyber insurance, among other use cases.
They also monitor "hacker chatter", social networks, and public data breach feeds for indicators of compromise.
SecurityScorecard's last funding round was a Series D from Nokia Growth Partners, Moody's, AXA Strategic Ventures, Intel, Google Ventures, Boldstart Ventures, Two Sigma Ventures, and Evolution Equity Partners.

CyberGRX overview
CyberGRX is a Denver-based company that was founded by Fred Kneip in 2015. It provides enterprises and their third parties with a cost-effective, scalable approach to third-party risk management.
The CyberGRX Exchange collects standardized data and cyber risk assessments and then shares them for others to use. This means assessors can quickly access information about a vendor while reducing operational overhead for the assessed by reducing the number of questionnaires they need to answer.
In December 2019, CyberGRX announced it had raised $40 million in Series D funding led by ICONIQ Capital.
