Financial firms needing to manage the cybersecurity risk of companies outside their own walls as well as they do their own can now count on a new risk assessment-as-a-service platform for help.
Launched in March, the Denver-headquartered CyberGRX aims to take the gruntwork out of the due diligence process for third-party cybersecurity risk managers. It offers fund managers, banks and broker-dealers a database of detailed information on the cybersecurity programs of vendors, a risk analysis of those programs, and a message hub. Vendors can include a telephone or electric company, a law firm or accounting firm, a customer data storage facility, or even a customer or a trading counterparty.
CyberGRX was founded in 2015 with the help of a team of former chief information security officers (CISOs), risk officers and compliance managers from Bridgewater Associates, Aetna, Blackstone, MassMutual, ADP, the NSA and the Office of the Director of National Intelligence (ODNI). Last year, the firm received US$9 million in funding from firms including Blackstone, Aetna Ventures, Mass Mutual Ventures, GV and Allegis Partners, which are now institutional investors. Individual investors include Mike McConnell, former head of the NSA and ODNI, and Art Coviello, former chief executive of RSA, now part of EMC. CyberGRX won’t disclose the total number of early adopters of its platform, but says they include design partners such as Aetna, Blackstone, MassMutual and ADP.
The cybersecurity risk of third-party vendors has been top of mind for financial firms ever since the infamous data breach at retailer Target in 2013. Hackers compromised Target’s third-party HVAC supplier and used that vendor’s network access to steal credit card information on an estimated 40 million customers. Banking regulators, the Financial Industry Regulatory Authority and the Securities and Exchange Commission have made cybersecurity risk management a priority in their exams, but have left financial firms to devise their own cyber risk management programs. The New York Department of Financial Services recently provided more prescriptive rules for the banks and similar financial institutions it regulates, requiring implementation of rigorous cybersecurity programs led by chief information security officers (CISOs). As previously reported by FinOps Report, those programs must include evaluation and ongoing monitoring of third-party relationships. Data breaches at third parties represent just as much of a threat as breaches by insiders, yet financial firms have far less control over them.
CyberGRX’s goal is to build the world’s largest repository of up-to-date cyber risk assessments on a software-as-a-service analytics platform. CyberGRX already has a library of assessments on an undisclosed number of third parties which clients can request. If a company isn’t covered, CyberGRX will send it a detailed questionnaire. The multiple-choice questions designed by CyberGRX are intended to probe the vendor’s ability to protect data and withstand a cyberattack. CyberGRX compares its questionnaire to TurboTax® in ease of completion.
Tough Questions
Of the 1,000 questions CyberGRX has developed, any single vendor will receive only the subset related to its business and its criticality to user firms; not every question applies to every type of vendor. “The questions are based on a proprietary framework developed by CyberGRX in collaboration with its design partners and built to better align with how security organizations are organized today,” says Fred Kneip, chief executive and former chief compliance officer of Bridgewater Associates. “The CyberGRX team then mapped the approach to most of the standards used today, such as those of the National Institute of Standards and Technology, the International Organization for Standardization and the Payment Card Industry, to ensure completeness of coverage.”
Once the responses are received, CyberGRX’s platform evaluates the strengths and weaknesses of the vendor’s cybersecurity program and tells the financial firm which problem areas it should pursue more intently in a follow-up discussion. The analysis, plus access to quarterly updates for 12 months, costs a financial firm anywhere from a few hundred dollars per vendor to a few thousand if the responses must be validated by CyberGRX. “Part of the uniqueness of our offering is that we do one assessment centrally and then allow that data to be used by multiple customers, thereby creating efficiencies on both sides,” says Kneip. “In addition, we update information every 90 days, ensuring a greater level of visibility to the customers into their third-party cybersecurity risk management programs.”
Considering that a tier-one bank could easily have several thousand critical vendor relationships, the costs of due diligence and ongoing monitoring can be staggering. They could easily exceed US$10 million annually, depending on the number of internal and external staffers involved and the time spent. CISOs, vendor procurement, risk management and compliance managers all play a role in the analysis, and third-party consultancies are often used as well. Regardless of who does the work, the financial firm is on the hook for any mistakes, which could lead to remediation costs, regulatory fines, investor lawsuits and reputational damage. The ultimate financial loss is unquantifiable.
CyberGRX doesn’t claim to eliminate or reduce the number of staffers handling the third-party cybersecurity risk management process. Nor does it make any final decision on whether the financial firm should sign or cancel a contract with the third party. It does, however, make better use of valuable employee time. Instead of hounding third-party firms to provide information, employees can go straight to shoring up areas of cyber-risk concern. The subsequent discussions with vendors will likely be far more productive, according to Kneip, because the CISOs and their colleagues are more aware of the potential risks and are given additional questions they should ask. “CyberGRX enables the team to become risk managers instead of data collectors,” he says.
Extra Mile
So what does CyberGRX offer that a consultancy doesn’t? Global accounting firms and specialist vendor risk management and cybersecurity consultancies all claim to arm financial firms with the information they need to make decisions. Without providing specific figures, Kneip says his firm can do the same, if not more, for half the cost or less. CyberGRX’s most expensive annual subscription comes to only a few thousand dollars and includes one in-depth report as well as three quarterly updates. Financial firms are paying established firms US$6,000 to US$10,000 annually for the closest comparable reports, which are substantially less comprehensive, Kneip contends.
“The granularity of our questions and the requirement for vendors to answer specific questions creates better quality data,” says Kneip. Another benefit of using CyberGRX is its analytical capability. “Right now, if a financial firm relies on 50 critical vendors it would have a stack of reports sitting on multiple desks,” says Kneip. “With CyberGRX, the data is sitting on one platform and structured so users can go as far as to filter the data they need with a touch of a button.” Among the questions the platform can answer are how many of the firm’s top vendors have experienced a data breach in the last 12 months, or how its critical vendors rank from top to bottom on endpoint security.
What do CISOs, vendor procurement and compliance managers think of CyberGRX? The consensus of ten East Coast banks and broker-dealers questioned by FinOps Report is that, while CyberGRX’s value proposition is intriguing, they will take a wait-and-see approach. “For starters, they will need info from hundreds if not thousands of vendors to make signing up worthwhile,” says the CISO of a New York bank, adding, “It will also be a tough sell when it comes to fulfilling regulatory requirements.” His reasoning: “Regulators will likely give more credence to a third-party consultancy than a tech platform for due diligence.”
Kneip counters that although CyberGRX has only a limited number of vendors signed up, it can add new ones at a customer’s request in far less time than it would take the customer to perform its own assessment. He also insists that CyberGRX’s data collection and verification service will help a firm pass regulatory muster because it far exceeds what is currently available on the market.
Precedent isn’t on CyberGRX’s side. S&P tried unsuccessfully to come up with a similar service back in 2006, and Moody’s failed two years later. Still, Kneip isn’t worried. CyberGRX touts itself as the equivalent of a rating agency for cybersecurity analysis of third-party firms, but it doesn’t rate or rank the vendor. “What many didn’t recognize is that firms want to evaluate the data themselves rather than receive just a rating or certification,” he says. “Many risk managers have actually decomposed the formulas used to create some certifications and found them lacking. In addition, CyberGRX is built by real practitioners, not analysts. It focuses on the information people need to make a risk-based decision and how that information is used. No one else has done that.”
Understandably, not everyone is ready to jump on the CyberGRX bandwagon, despite its roster of impressive founders and financial backers. Its best asset could well be its timing. As financial firms feel the heat from regulators over how they manage their cybersecurity risk, they will at least have one more option to consider when it comes to managing cyber risk in third-party relationships.