Dynamic Third-Party Risk Assessments
Say Goodbye to Annual Shared Spreadsheets
In an increasingly complex and ever evolving digital landscape, organizations need ongoing visibility into their third party ecosystems. CyberGRX offers third-party risk-assessments-as-a service, arming organizations with structured and dynamic data. So enterprises always know which third parties pose them the greatest risk and third parties can reduce the time spent on filling in annual spreadsheets.
Maintain Ongoing Visibility Into Your Third-Party Ecosystem
Always know the status of requested assessments
Identify critical control gaps and prioritize efforts
Run advanced analytics across structured data
Featured Video:: CyberGRX in 90 Seconds
CyberGRX brings efficiency, scalability and accuracy to third-party programs across the globe. Learn about how CyberGRX can assist your organization with cyber risk management in this video.See What CyberGRX Can Do for You
Why Adopt The CyberGRX Approach
CyberGRX assessments take an in-depth look at the controls your third parties have in place to mitigate risk. Our assessments map to industry security frameworks and are independently validated in partnership with Deloitte®. The data is collected in a structured format and resides on the CyberGRX Exchange – so once an assessment is complete, third parties can easily update and share that data with any of their upstream partners. Say goodbye to annual assessments and hello to ongoing visibility.
How The CyberGRX Approach Benefits You
- Evolve your team from data collectors to risk managers
- Identify the third parties that pose you the greatest risk
- Create a prioritized risk-based mitigation strategy
- Continuously monitor your ecosystem
- Cost-effectively scale your program
- Benefit from crowd sourced mitigation efforts
- Never complete another shared spreadsheet again
- Identify and understand the remediation with the most yield
- Share a single assessment with multiple upstream partners
- Spend more time on proactive risk management
- Drive business growth with proactive security engagement
CyberGRX is a force multiplier for our third-party cyber risk management program. In just the first year we will be able to assess 3x more vendors than we assessed last year and reallocate the resources saved to true risk management and mitigation efforts.
Frequently Asked Questions
How long does it take to complete an assessment?
Average timeframes to complete an assessment are as follows: ~75 days for Tier 1, ~28 days for Tier 2, ~35 days for Tier 2 Validated, and ~15 days for Tier 3. Our customer success team does an outstanding job helping third parties complete their assessments in a timely manner with training, support and coaching. That being said, average timeframes can vary depending on the unique situation.
How does this compare with Security Scorecard or Bitsight?
Companies like Security Scorecard, Bitsight and other port-scanning technologies aggregate publicly available data to provide a rating—passively and non-intrusively. This information can provide valuable data points for externally evaluating a third-party vendor. We believe this kind of information is essential, and complementary to our internal approach.
With this in mind, we have partnered with BitSight to bring this complementary and holistic approach to our customers. Integrating BitSight’s objective, quantitative measurements of companies’ security performance into the CyberGRX Exchange provides a unique 360-degree view of third-party cyber risk. The combination of BitSight’s Security Ratings, generated through externally observable data, with CyberGRX’s validated third-party cyber risk assessments, allows customers to make more informed decisions and scale their third-party risk programs.
How are the assessments updated to reflect new regulations and standards?
We are continuously evaluating new regulations and best practices as they are announced to address any control gaps and ensure adequate coverage over relevant risks. These are incorporated as part of our periodic content change management process.
Does the service support multiple industries?
Yes. Our approach to creating a unified control framework and mapping that back to various industry-specific standards allows us to support all industries.