Slides used in VIP Customer Forums hosted by Cyber Rescue Alliance, for individual thought leaders.
These slides supported discussion about where Third Party Risk Management needs to go in the months and years ahead, in the face of dynamic cyber threats.
5. Simplify user journey for TPRMgr
Diagram: flow between the TPRM manager (T) and a new vendor (V), labelled “Inside Out”
• T invites the new vendor to the SSC platform; SSC shows pre-existing data
• TPRM reviews: Clarification needed? Things missing?
• V supplies peer reviews and uploaded evidence
• Address issues with action plans, using outside-in + inside-out evidence
• T ensures continuous compliance
“I want to assess new vendors quickly, without talking to them, and protect my business from risk”
6. Simplify user journey for Vendor
Diagram: the vendor (V) shares with CUSTOMER 1, CUSTOMER 2, CUSTOMER 3, PROSPECT 4, PROSPECT 5
• Upload questionnaires and evidence
• Responses and evidence are automatically applied to relevant frameworks
• Share scorecard proactively with ecosystem
• Choose who can access evidence and require NDAs
• Reduced number of questionnaires and requests
“I want to prove I’m secure, win business and deter manual incoming requests”
7. Journeys start in different places, for example depending on Security Team Maturity towards TPRM. Maturity varies at each organization.
8. Today, the TPRM journey can be painful…
Control frameworks, regulatory standards, cyber applications and questionnaires are just a list of parameters that 2 or more parties want to have a discussion about, to make sure they’re implemented.
Who loves Cyber Security Questionnaires? Nobody
9. What’s working and not working?
Big bets that didn't make it, and why they didn’t scale:
• Risk exchanges (still point in time, lengthy)
• GRCs (understand risk, lack TPRM competency)
• Arms race of different questionnaires with no standardization (not a one-size-fits-all)
Some regulation, but not enough:
• Standards are audited by different people and interpreted in different ways
• Inconsistent and incongruent
So, how to improve our vehicle for TPRM?
10. Market asks and expectations
• “Translate the risk in my language”
• Stop sharing the “zip bomb” and syndicate
• Getting to a risk-based decision in minutes vs weeks or months
• Introduce and desire for more AI automation
• Need for common understanding
• Faster results and faster outcomes, without roadblocks
And where do we want TPRM to go next?
11. TPRM needs to be much faster, for everyone
Accelerating the risk management lifecycle using data and insights
• Rolling start: never starting from scratch
• Form opinion on any company at first glance, through any regulatory lens
• Make the process faster and less painful
• Not killing the questionnaire (yet) but expedite and supplement (SSS Strategy)
• 360 view: inside-out and outside-in data
+
Result = Faster time to decision = facilitate business growth
12. Deliver the right business decisions, with the right cyber risk context
Proper review of business impact and risk summary when working with partners
• Can the agreement be standardized?
• Can the agreement be facilitated in a standardized way?
• Continuous compliance?
Outcomes
• Hit TPRM diligence milestones faster
○ Faster up front collection of artifacts
○ Faster understanding of the red flags you care about
○ Faster completion of a questionnaire
○ Faster time to decision for the business → less risk/more revenue/time saved
• Applies to all use cases
What does the TPRM destination look like?
13. Each Stakeholder has a specific destination
Cyber Insurers
• Accelerate time to application submission and approval
• Standardized Risk Reporting: “Tell me about the risks that are most relevant to the carrier”
• Avoid systemic risks due to ecosystem 0-days
Risk Practitioners
• Trust Portal: Syndication of evidence means less “chasing” for policies: leave me alone!
• One-click preliminary assessment by mapping inside/outside 360 data to any framework “risk language”
• Get contracts signed faster due to standardized reporting
C-Suite & Directors
• Standardized board reporting
• Transparent risk reporting on business partner ecosystem
• Trusted, independent third-party view of cyber risk
• Avoid being fined by regulators
• Support continuous compliance/governance
Supplement - Accelerate - Automate - Standardize
14. Customer Discussion
Where do you want to lead your Firm next, towards Cyber Resilience?
How can the SecurityScorecard service evolve, to drive you forward?
23. Confidential
SecurityScorecard is a Standard in Cyber Insurance
Our customers represent a third of the cyber insurance premiums written in the US
“We are thrilled to work alongside SecurityScorecard, which is well known in the cyber risk industry for its commitment to transparency, driving value and helping to reduce risk”
Ryan FitzSimmons, Divisional Vice President, Great American Insurance Company
"SecurityScorecard's data and analytics are a valuable addition to our proprietary insights, furthering our ability to help our clients stay on top of emerging vulnerabilities and threats that may impact their businesses."
Scott Stransky, Managing Director, Marsh McLennan Cyber Risk Analytics Center