The ONE Thing All Modern Third-Party Cyber Risk Management Programs Do


May 2022

At CyberGRX, we’re fortunate to engage with the brightest minds in the third-party cyber risk industry. In addition to our original design partners (ADP, Aetna, Blackstone, MassMutual, and two other Fortune 500 companies), our customer base comprises innovative enterprises across the globe. And while they come from many different industries, they share a thirst for modern approaches to solving difficult challenges at scale.

Reducing third-party cyber risk is, without a doubt, a difficult challenge. The thought of gaining visibility into the security posture of hundreds or thousands of third parties is daunting, to say the least.


Consider this scenario: A new cyber attack is causing disruption. Your head immediately starts spinning. Which of my third parties could be affected? How will a third-party breach impact our data? Our supply chain? Our intellectual property? Which vendors need my attention based on inherent and residual risk?

Our customers are not working to automate legacy third-party cyber risk management programs based on technologies ill-equipped for the rising challenge, and neither should you. As the threat landscape expands, we all need a transformational approach that materially moves the needle in terms of improving efficiency and effectiveness and reducing costs, while managing risks from a growing ecosystem of partners, vendors, and affiliates.

Many organizations are realizing it’s no longer sufficient to take a compliance-based approach. Enterprises must truly measure and manage risk from their expanding third-party population. Longer, spreadsheet-based assessments and hiring more assessors are widely recognized as a poor strategy for measuring cyber risk given today’s climate and cybersecurity talent shortage.

A third-party cybersecurity breach – the most costly of all breaches – can translate to millions of dollars in lost revenue, remediation costs, reputational risk, and potential regulatory fines. Did you know that the per capita cost of a breach goes up by $16 per record when a third-party organization is part of the breach equation?


Managing Supply Chain Risk

In CrowdStrike’s report “Securing the Supply Chain”, the authors state that although almost 90% of respondents believe they are at risk of a supply chain attack, companies are still slow to detect, remediate, and respond to the threats.

So what is causing some companies to delay building third-party cyber risk management programs that scale and provide total visibility, especially when the costs of a third-party cybersecurity breach are so high?

Perhaps many are waiting for a better, more efficient and cost-effective way to manage third-party risk. They’re seeking the one thing that enables them to transform their third-party cyber risk program from nascent to advanced in a short period of time.

90% of organizations believe they are at risk of a supply chain attack, yet are slow to detect, remediate, and respond to the threats.

We’ve talked to hundreds of organizations who struggle with the same challenge – a lack of resources combined with a growing third-party population. It’s become clear what doesn’t work: customized, spreadsheet-based self-assessments that place an unnecessary burden on your third parties while providing little decision-making support. It’s also become clear what does work.

The common denominator all world-class third-party cyber risk management programs share is they leverage some type of exchange to achieve scale and reduce costs.

This one-to-many approach enables speed and lowers cost for all market participants – including third parties.

Risk Management at Scale

What if every time someone applied for a credit card, an auditor from Capital One, Citi or American Express showed up in your home to review your creditworthiness? It’s neither practical nor possible. Instead, they leverage TransUnion, Experian or Equifax to perform the work on an ongoing basis. An Exchange works the same way for third-party cyber risk.

Three primary factors are driving the requirement to build a more advanced third-party cyber risk function in almost every enterprise. All three factors require leveraging a risk Exchange to achieve the scale necessary to succeed:

  1. Increased regulatory scrutiny
  2. Increase in vendor/third-party volume
  3. Increase in cyber events that involve a third party

With regulators like the OCC, NYDFS and others insisting that organizations manage the cybersecurity risk of companies outside their own walls – third-party relationships with vendors, affiliates, service providers, customers, and partners – as well as they do their own, CISOs, CROs and CPOs are required to prove that their policies and procedures attempt to lower overall risk.


It’s no longer acceptable to point to a two-year-old, static, spreadsheet-based assessment as “managing cyber risk”. These regulations require a more dynamic approach that enables true cyber risk management.

A recent Ponemon study found that 57% of organizations surveyed don’t have an inventory of all third parties with whom they share information. The same study found that only 17% of respondents feel they’re highly effective at mitigating third-party risks (down from 22% in 2017). We rarely speak with an organization whose vendor population is shrinking or whose budget to manage vendor risk is increasing. This asymmetry creates an easily exploitable gap that can only be managed via a vendor assessment Exchange concept. All security and risk teams are asked to do more with less, and meanwhile, third-party adoption continues to increase. We refer to it as the TPRM Dilemma:

TPRM Dilemma

3 Advantages of Leveraging A Third-Party Cyber Risk Exchange

  1. Comprehensiveness: Whether you prefer a NIST, ISO, or customized assessment, the question set is only relevant if you have the ability to process the responses and monitor your third parties for security posture changes over time. When a vendor centralizes on one assessment for all of their customers, keeping it up to date with accurate security data becomes manageable.
  2. Cost Effectiveness: An Exchange-based business model drives cost allocation, since the costs are divided amongst several buyers. Rather than many companies paying to separately assess a common provider like ADP, the exchange provider can perform the assessment once and allow ADP to share the results with all customers. Your vendors will thank you, we promise.
  3. Speed: Company A has assessed Vendor 1. Why should Company B perform the same exercise? For vendors who have been assessed by an exchange participant, the data is available immediately to other members. See this case study from Blackstone, where they performed 5x the number of assessments for half the cost. Or if you’re the one being assessed, let’s look again at ADP. They recently reached a milestone of sharing their Exchange risk assessment over 1,000 times – one assessment used over and over again. Imagine the staff time savings! And ADP’s success is not uncommon; typically, an Exchange assessment is accepted by the requestor 70% of the time, eliminating the need to complete a new, bespoke risk assessment.

History has proven that for a marketplace to thrive, both sides must see benefits. The taxi industry was disrupted by Lyft because it introduced a new way of getting from point A to point B that satisfied the needs of both the driver and the rider. An Exchange brings balance to the equation and helps third parties avoid completing multiple, redundant spreadsheet-based self-assessments, which in turn helps customers manage third-party cyber risk more accurately.

The Future of Third Party Risk Management

With cyber events dominating the headlines and ever-expanding third-party ecosystems, it’s time to modernize our approach to third-party cyber risk. The CyberGRX Exchange is a force multiplier that includes a library of assessments, company profiles, threat intelligence, Attack Scenario Analytics, predictive risk data, and continuous monitoring. Our goal is simple: to enable enterprises and their third parties to identify and manage risk quickly, comprehensively and cost-effectively.

Book time with our team to learn more about the benefits of an Exchange, and how to improve your risk management program efficiency.


About Us

ProcessUnity is a leading provider of cloud-based applications for risk and compliance management. The company’s software as a service (SaaS) platform gives organizations the control to assess, measure, and mitigate risk and to ensure the optimal performance of key business processes. ProcessUnity’s flagship solution, ProcessUnity Vendor Risk Management, protects companies and their brands by reducing risks from third-party vendors and suppliers. ProcessUnity helps customers effectively and efficiently assess and monitor both new and existing vendors – from initial due diligence and onboarding through termination. Headquartered outside of Boston, Massachusetts, ProcessUnity is used by the world’s leading financial service firms and commercial enterprises. For more information, visit