Reduce risk,

Streamline process &

Lower costs

Third-Party Cyber Risk Management for Enterprises

Third-party risk management is critical. But limited resources make it difficult to perform continuous due diligence on the growing population of vendors, cloud providers and other third parties. The CyberGRX Exchange was designed to be a force multiplier to help you always know who poses the most risk to your organization.

  • Upload third parties into the CyberGRX Plan module

    Step 1

  • Answer questions to determine inherent risk

    Step 2

  • CyberGRX_Order_2

    Order appropriate tier of assessment

    Step 3

  • Track progress of assessments in the Exchange

    Step 4

  • Identify critical control gaps via completed assessment, compare results to residual risk benchmarks

    Step 5

  • Continuously monitor for changes in your third-party ecosystem

    Step 6

Why you should break up with your current process

Third-party contractors are the biggest source of security incidents outside of a company’s employees

SOURCE: https:/

of organizations don't have an inventory of all 3rd parties

SOURCE: PwP 2016 Global State of Information Security Report

On average, 181 vendors are granted access to a company’s network in a given week


Benefits for Enterprises

The CyberGRX Exchange and our risk assessments as-a-service help Enterprises and Third Parties cost-effectively identify, prioritize and mitigate risk.

Evolve your team from data collectors to risk managers
Identify the third parties that pose you the greatest risk
Create a prioritized risk-based mitigation strategy
Continuously monitor your ecosystem
Cost effectively scale your program
Benefit from crowd sourced mitigation efforts

CyberGRX is a force multiplier for our third-party cyber risk management program. In just the first year we will be able to assess 3x more vendors than we assessed last year and reallocate the resources saved to true risk management and mitigation efforts.

Adam Fletcher
Adam Fletcher, CISO of Blackstone
  • ADP logo
  • Bessemer Venture Partners logo
  • Mass Mutual logo TPCRM
  • Rally Ventures logo
  • TenEleven logo
  • Aetna logo TPRM
  • Blackstone logo third party vendor risk management software
  • Google Ventures cyber risk management
  • Clear Sky Power and Technology Fund logo
  • Allegis logo
  • ADP logo
  • Bessemer Venture Partners logo
  • Mass Mutual logo TPCRM
  • Rally Ventures logo
  • TenEleven logo
  • Aetna logo TPRM
  • Blackstone logo third party vendor risk management software
  • Google Ventures cyber risk management
  • Clear Sky Power and Technology Fund logo
  • Allegis logo

Frequently Asked Questions

  • How much does this cost?

    For the ordering customers, there are two elements to the cost model: an annual platform access fee and a per-assessment fee that varies according to tier of service. Platform access fees are paid annually; funds put into your CyberGRX account to cover assessment fees are evergreen. Once an assessment is ordered and delivered, customers receive access to that assessment and updates for a 12-month period.

  • Is there mapping for NIST and ISO, and others?

    The control framework that enables our assessments is aligned with the principles of various industry-leading standards—including NIST 800-53, ISO, PCI, HIPAA, OCC, NY-DFS, FFIEC and others. We can provide you with a PDF that illustrates how our assessments map to these standards.

  • What is the difference between the three Tiers of assessment?

    The three Tiers of assessment differ in both levels of due diligence, as well as validation of evidence.

    Tier 1: Our most comprehensive assessment addresses high-risk third parties or vendors who handle extremely sensitive customer data. Includes a long-form vendor questionnaire, followed by a professionally assessed evidence review to validate control maturity and effectiveness.

    Tier 2: Our mid-tier assessment is structured for medium-risk third parties. An abbreviated third-party questionnaire is followed by automated validation through a rules engine based on proprietary algorithms to identify inconsistencies in the assessment responses.

    Tier 3: Our basic assessment, designed for low-risk third parties, includes a short-form third-party questionnaire followed by self-attestation. 

  • How are the assessments updated to reflect new regulations and standards?

    We are continuously evaluating new regulations and best practices as they are announced to address any control gaps and ensure adequate coverage over relevant risks. These are incorporated as part of our periodic content change management process.

  • Does the service support multiple industries?

    Yes. Our approach to creating a unified control framework and mapping that back to various industry-specific standards allows us to support all industries.


  • How does this compare with Security Scorecard or Bitsight?

    Companies like Security Scorecard, Bitsight and other port-scanning technologies aggregate publicly available data to provide a rating—passively and non-intrusively. This information can provide valuable data points for externally evaluating a third-party vendor. We believe this kind of information is essential, and complementary to our internal approach.


    With this in mind, we have partnered with BitSight to bring this complementary and holistic approach to our customers. Integrating BitSight’s objective, quantitative measurements of companies’ security performance into the CyberGRX Exchange provides a unique 360-degree view of third-party cyber risk. The combination of BitSight’s Security Ratings, generated through externally observable data, with CyberGRX’s validated third-party cyber risk assessments, allows customers to make more informed decisions and scale their third-party risk programs.

Try the CyberGRX Exchange for free

Mitigate risk. Manage complexity. Reduce cost.

Request Free Trial