Exchanges in History: What Third-Party Cyber Risk Management Programs Can Learn from the Past
by Mike Reedy
Modern risk exchange concepts (one-to-many exchanges of information, such as credit ratings and medical records) trace their roots all the way back to ancient Roman censuses.
Starting in 485 BCE, the Roman Republic conducted a census every five years to identify voters, taxpayers, and members of the army. When completed, census information was transcribed onto wax tablets and stored in designated temples. Results were shared among regional government officials. The information was then used to make important financial and military decisions. It was one of the first ways that data was gathered, synthesized, stored, and disseminated to the public.
Since then, governments, organizations, and businesses have relied on information gathered in exchanges to understand risks and make important decisions. Almost always, large-scale economic and societal transformations followed.
Let’s take a look at how exchanges have transformed two industries and how an exchange is transforming third-party cyber risk management (TPCRM) programs.
CarFax
Buying cars before 1984 was riskier than it is today. Dishonest vehicle owners and shady dealerships, intent on making an extra buck, would reduce a car’s mileage by disassembling a vehicle’s dashboard and rolling back the odometer. Instantly, the car was more valuable. With the exception of smudges, scratches, or misaligned odometer numbers within a dashboard, it was nearly impossible for buyers to determine mileage fraud.
Enter visionary Ewin Barnett III. In 1984, he had the revolutionary idea to combat odometer fraud by faxing comprehensive vehicle reports to car dealerships. These reports contained the vehicle’s history, including mileage and accident reports. From this concept he developed CarFax. A car report could be instantly faxed to buyers or sellers. His concept drastically reduced the risks associated with buying a used vehicle and revolutionized the way consumers shop for cars.
Today, CarFax keeps track of billions of records from more than 100,000 domestic and international sources. At the click of a button, it provides instant access to a vehicle’s entire history. With over 1.8 million cars on the road with rolled-back odometers as of 2020, buyers continue to depend upon CarFax’s exchange to make smart purchases.
Consumer Reporting Agencies
Before Consumer Reporting Agencies started using computers to calculate, store, and share credit scores, determining an individual’s creditworthiness was tantamount to espionage.
The precursors to modern Consumer Reporting Agencies have their roots in the early 1800s, when groups of merchants decided to share lists of customers who didn’t pay their debts. After the Panic of 1837, these merchant groups established credit bureaus and by the mid-1800s began publishing credit ratings on individuals in quarterly or biannual reports.
One of the largest credit bureaus in the US at this time was The Mercantile Agency. Headquartered in New York City, they hired about 10,000 agents to gather information on the three C’s of credit: Character, Capital, and Capacity.
To gather information on a person’s “Character”, agents would interview any known associates: everyone from coworkers to bellmen. Common questions included subjects such as drinking habits, church attendance, extramarital affairs, and personal hygiene. Lies and exaggerations were common. A person’s entire reputation could be destroyed by rumors.
To a lesser degree, local credit bureaus used similar methods to gather information on individuals until the Fair Credit Reporting Act of 1970. This law stated that credit bureaus could no longer base creditworthiness on lifestyle information. “Character” was replaced with “Credit Reputation.” Thus, credit bureaus had to adjust their methods.
It was around that time that Experian, Equifax, and TransUnion set themselves apart by using computers to calculate “credit reputation” based on more reliable data.
This move transformed the entire credit reporting industry. Lenders had easy access to accurate credit scores. Credit bureaus got information at a fraction of the cost of hiring thousands of agents to gather data on applicants. Individuals received quicker responses to credit card applications, and credit card companies gained more customers. They had created a much-needed nationwide exchange of individual credit information.
Today Experian, Equifax, and TransUnion are known as the “Big Three” of Credit Reporting Agencies. Over the past 30 years, banks, lenders, and consumers have continued to rely on their exchange.
A Third-Party Cyber Risk Exchange
Since the mid-1980s, industries have recognized that there are risks in outsourcing functions to third parties. One of the earliest mentions of third-party electronic data risk is in the OCC’s Banking Circular 187. Written in January of 1985, it outlined some of the risks associated with outsourcing data processing services to third parties. Since then, laws have increasingly required regulators to ensure that businesses manage third-party cyber risks.
Fast forward three decades.
Outsourcing has become the backbone of many organizations, and third parties have become the lifeblood of outsourcing. The average organization has over 6,000 third-party vendors, as companies try to improve agility to stay ahead of market disruptors.
This agility comes with inherent risks. Cybercriminals have realized that often the easiest path to a business’s confidential information is to ride in on the trusted connections of weaker third parties. Regulators have responded by requiring businesses to mitigate and manage cyber risks.
It’s difficult enough for organizations to manage their own cyber risk. Now they have to also be concerned with their third-party ecosystem.
Most organizations rely on self-assessments sent in the form of spreadsheets that essentially ask their third parties, “How good are your cybersecurity controls? If you are breached, can you provide assurance it will not affect my company?” This method is expensive, time-consuming, and, even worse, doesn’t work.
So how do we solve this daunting challenge?
The answer is an exchange that enables cyber risk assessment data to be shared the way credit reports or CarFax reports are. It’s a simple idea with a massive impact.
This would allow organizations of all sizes to share assessments at the click of a button – driving massive efficiency while simultaneously driving down third-party cyber risk.
It’s important that any kind of TPCRM program benefits both sides of the equation by providing automation and workflow to remove the hassles of keeping track of third-party risk assessments with phone calls, emails, and shared spreadsheets.
We can’t imagine a world where credit reporting agencies didn’t exist. However, there was a time when the notion of collecting financial credit data on every company that organizations provide credit to seemed like an insurmountable challenge. This is exactly what the market is doing with third-party cyber risk assessments today.
Organizations should spend more resources managing third-party risk and less time collecting data.
Conclusion
Exchanges revolutionized the decision-making process in buying cars and determining credit scores many decades ago. Since Roman times the concept has basically remained the same:
- Gather Information
- Store Information
- Share Information
- Base decisions on Information
Throughout history, whenever organizations, governments, or industries have used an exchange to share information, great transformation has taken place. CyberGRX has the world’s largest cyber risk Exchange with over 100,000 participants. Because of the dynamic and scalable nature of the exchange, organizations and third parties work together in a one-to-many fashion to crowdsource data, insights, and remediation strategies. Rich with validated data and analytics, the CyberGRX Exchange is where organizations go to reduce third-party risk.
To learn more about how CyberGRX can help you manage your third-party cyber risk, request a demo today.