Security ratings and automated third-party risk assessment help First State Super scale its vendor risk management program.
First State Super was established in 1992 and today is one of Australia’s largest superannuation funds with more than 750,000 members. The majority of its members are employed in the public sector, education, health and community services, police and emergency services. They are a ‘profit to members’, public offer fund.
In June 2016, First State Super acquired 100% of StatePlus – an acquisition that created the largest member-owned financial advice network in Australia with over 25 locations and over 200 financial advisors.
Following the StatePlus acquisition, First State Super are the custodians of an asset pool of over $90bn, combining superannuation and retirement savings.
Headquartered in Sydney, Australia with offices throughout New South Wales, the Australian Capital Territory, Victoria and Western Australia, First State Super have a team of more than 460 employees servicing the needs of its members. StatePlus employs a further 410 employees.
First State Super’s underlying philosophy is ‘members first’ and its mission is ‘to build a better future for all Australians’.
With today’s increasing exposure to third-party risks, and the upcoming release of Australian financial services regulator APRA’s CPS 234 “Information Security” standard, First State Super wanted to understand how their third-party vendor security was performing from an external perspective. Additionally, First State Super recognised the limitations of traditional, spreadsheet-based vendor security questionnaires, which often result in fewer vendors being monitored due to cumbersome workflows and manual process inefficiencies.
First State Super chose UpGuard to get visibility into the risks of their own systems, as well as those of their vendors and partners. First State Super turned to UpGuard CyberRisk for continuous risk monitoring, security ratings, and automated vendor questionnaires. UpGuard’s risk monitoring capabilities provided assurance that First State Super’s own internet-facing properties were securely configured and gave them the technical information to guide their vendors toward reducing risk to an acceptable level. Vendor security ratings enabled the team to prioritize the assessment of third parties based on risk, and the questionnaire assessments closed the loop with detailed responses on internal controls needed to safely do business.
By comparing spreadsheet-based processes to CyberRisk’s workflow, our research has shown that a benefit of automating security questionnaires is a 42% reduction in time to assess each vendor through automated workflows and reduced friction from the vendor side. In the case of First State Super, they have been able to assess and monitor up to 14 more third-party vendors than otherwise would be possible, without increasing headcount.
UpGuard CyberRisk provides external intelligence on security performance and enables comparisons with industry peers. This gives First State Super the ability to see which security risks are affecting their overall security performance with ongoing comparison against their industry average.
First State Super uses UpGuard CyberRisk to monitor and assess 56 third-party vendors, and has issued them 38 security questionnaires. First State Super is also using CyberRisk to monitor 40 of their own digital assets.
After over a year of working together with UpGuard, First State Super’s executive IT leadership were satisfied with the progress made and are continuing the partnership with UpGuard.