Streamline process &
Third-Party Cyber Risk Management for Enterprises
Third-party risk management is critical. But limited resources make it difficult to perform continuous due diligence on the growing population of vendors, cloud providers and other third parties. The CyberGRX Exchange was designed to be a force multiplier to help you always know who poses the most risk to your organization.
Upload third parties into the CyberGRX Plan module
Answer questions to determine inherent risk
Order appropriate tier of assessment
Track progress of assessments in the Exchange
Identify critical control gaps via completed assessment, compare results to residual risk benchmarks
Continuously monitor for changes in your third-party ecosystem
Why you should break up with your current process
Third-party contractors are the biggest source of security incidents outside of a company’s employees
SOURCE: PwP 2016 Global State of Information Security Report
On average, 181 vendors are granted access to a company’s network in a given week
Benefits for Enterprises
The CyberGRX Exchange and our risk assessments as-a-service help Enterprises and Third Parties cost-effectively identify, prioritize and mitigate risk.
CyberGRX is a force multiplier for our third-party cyber risk management program. In just the first year we will be able to assess 3x more vendors than we assessed last year and reallocate the resources saved to true risk management and mitigation efforts.
Frequently Asked Questions
- How much does this cost?
For the ordering customers, there are two elements to the cost model: an annual platform access fee and a per-assessment fee that varies according to tier of service. Platform access fees are paid annually; funds put into your CyberGRX account to cover assessment fees are evergreen. Once an assessment is ordered and delivered, customers receive access to that assessment and updates for a 12-month period.
- Is there mapping for NIST and ISO, and others?
The control framework that enables our assessments is aligned with the principles of various industry-leading standards—including NIST 800-53, ISO, PCI, HIPAA, OCC, NY-DFS, FFIEC and others. We can provide you with a PDF that illustrates how our assessments map to these standards.
- What is the difference between the three Tiers of assessment?
The three Tiers of assessment differ in both levels of due diligence, as well as validation of evidence.
Tier 1: Our most comprehensive assessment addresses high-risk third parties or vendors who handle extremely sensitive customer data. Includes a long-form vendor questionnaire, followed by a professionally assessed evidence review to validate control maturity and effectiveness.
Tier 2: Our mid-tier assessment is structured for medium-risk third parties. An abbreviated third-party questionnaire is followed by automated validation through a rules engine based on proprietary algorithms to identify inconsistencies in the assessment responses.
Tier 3: Our basic assessment, designed for low-risk third parties, includes a short-form third-party questionnaire followed by self-attestation.
- How are the assessments updated to reflect new regulations and standards?
We are continuously evaluating new regulations and best practices as they are announced to address any control gaps and ensure adequate coverage over relevant risks. These are incorporated as part of our periodic content change management process.
- Does the service support multiple industries?
Yes. Our approach to creating a unified control framework and mapping that back to various industry-specific standards allows us to support all industries.
- How does this compare with Security Scorecard or Bitsight?
Companies like Security Scorecard, Bitsight and other port-scanning technologies aggregate publicly available data to provide a rating—passively and non-intrusively. This information can provide valuable data points for externally evaluating a third-party vendor. We believe this kind of information is essential, and complementary to our internal approach.
With this in mind, we have partnered with BitSight to bring this complementary and holistic approach to our customers. Integrating BitSight’s objective, quantitative measurements of companies’ security performance into the CyberGRX Exchange provides a unique 360-degree view of third-party cyber risk. The combination of BitSight’s Security Ratings, generated through externally observable data, with CyberGRX’s validated third-party cyber risk assessments, allows customers to make more informed decisions and scale their third-party risk programs.