Slides used in VIP Customer Forums hosted by Cyber Rescue Alliance, for individual thought leaders. These slides supported discussion about where Third Party Risk Management needs to go in the months and years ahead, in the face of dynamic cyber threats.

1. Where
next for
Cyber TPRM?
The continuing journey of
Third Party Risk Management

2. Welcome
to the
VIP
Customer
Forums
30th Jan 2024

3. ©2023 SecurityScorecard. All Rights Reserved. 3
We Travel in a Universe
of Cyber Risk
Enterprise
Network
Partners
Suppliers
(AI)
SaaS
Trusted connection
for direct info
exchange
Critical assets
for business
operations
Staff signing up
to rogue Apps
REGULATORS
Heavy Demands on
CISOs & Directors
HACKTIVITY
(Focused on
disruption)
OPPORTUNISTIC ACTORS
(“Drive by” scanning
for unpatched issues)
LAYERED
DEFENSES
THREAT ACTORS
(May impersonate vendors)

4. ©2023 SecurityScorecard. All Rights Reserved. 4
● Gain ecosystem risk visibility
● Prioritize supply chain cyber posture
● Optimize vendor interactions
● Mitigate zero-day impacts
Q
u
i
c
k
R
e
s
p
o
n
s
e
t
o
0
-
D
a
y
E
v
e
n
t
s
Reduce
Questionnaires
Extended
Visibility
Continuously
Monitor Risk
P
r
i
o
r
i
t
i
z
e
M
o
s
t
D
a
n
g
e
r
o
u
s
Global
Supply Chain
Ecosystem
The Journey never ends
but Resilience Matures

5. TPRMgr New Vendor
T V
Invites to
SSC
Platform SSC shows pre-
existing
data
V
T
TPRM reviews Clarification needed?
Things missing?
Peer reviews,
uploaded evidence
Inside Out
Address issues with
Action Plans
Outside-in + inside-out
evidence
T
Ensure Continuous
Compliance
I
N
S
I
D
E
O
U
T
“I want to assess
new vendors
quickly, without
talking to them,
and protect my
business from risk”
V
Simplify user journey for TPRMgr

6. V
Upload
questionnaires
and evidence
CUSTOMER 1
CUSTOMER 2
CUSTOMER 3
PROSPECT 4
PROSPECT 5
Responses and
evidence are
automatically
applied to
relevant
frameworks
Share
scorecard
proactively with
ecosystem
Choose who
can access
evidence and
require NDAs
Reduced number of
questionnaires and
requests
“I want to prove
I’m secure, win
business and deter
manual incoming
requests”
Simplify user journey for Vendor

7. Journeys start in different places, for example
depending on Security Team Maturity towards TPRM
Maturity varies at each organization

8. Control frameworks, Reg
standards, cyber applications
and questionnaires are just a
list of parameters that 2 or
more parties want to have a
discussion about to make sure
they’re implemented.
Today, the TPRM journey can be painful…
Who loves
Cyber Security
Questionnaires?
Nobody

9. Big bets that didn't make it and
why they didn’t scale
• Risk exchanges (still point in time, lengthy)
• GRCs (understand risk, lack TPRM competency)
• Arms race of different questionnaires with no
standardization (not a one-size fits all)
Some regulation, but not enough
• Standards are audited by different people and
interpreted in different ways
• Inconsistent and incongruent
What’s working and not working?
So, how to improve our vehicle for TPRM?

10. Market asks and expectations
“Translate the risk in my language”
Stop sharing the “zip bomb” and
syndicate
Getting to a risk-based decision in
minutes vs weeks or months
Introduce and
desire for more AI
automation
Need for common
understanding
Faster results and
faster outcomes,
without roadblocks
And where do we want TPRM to go next?

11. TPRM needs to much faster
for everyone
Accelerating the risk management lifecycle using data and insights
• Rolling start - never starting from scratch
• Form opinion on any company at first glance, through any
regulatory lens
• Make the process faster and less painful
• Not killing the questionnaire (yet) but expedite and supplement
(SSS Strategy)
• 360 view: inside-out and outside-in data
+
Result = Faster time to decision = facilitate business growth

12. Deliver the right business decisions, with the right cyber risk context
Proper review of business impact and risk summary when working with partners
• Can the agreement be standardized?
• Can the agreement be facilitated in a standardized way?
• Continuous compliance?
Outcomes
• Hit TPRM diligence milestones faster
○ Faster up front collection of artifacts
○ Faster understanding of the red flags you care about
○ Faster completion of a questionnaire
○ Faster time to decision for the business → less risk/more revenue/time saved
• Applies to all use cases
What does the TPRM
destination look like?

13. Cyber Insurers
Accelerate time to application submission
and approval
Standardized Risk Reporting: “Tell me about
the risks that are most relevant to the carrier”
Avoid systemic risks due to ecosystem 0-days
Risk Practitioners
Trust Portal: Syndication of evidence means
less “chasing” for policies - leave me alone!
One click preliminary assessment by
mapping inside/outside 360 data to any
framework “risk language”
Get contracts signed faster due to
standardized reporting
C-Suite & Directors
Standardized board reporting
Transparent risk reporting on business
partner ecosystem
Trusted, independent third party view of
cyber risk
Avoid being fined by regulators
Support continuous compliance/governance
Supplement - Accelerate - Automate - Standardize
Each Stakeholder has
a specific destination

14. Customer
Discussion
Where do you want to lead your Firm
next, towards Cyber Resilience?
How can the SecurityScorecard
service evolve, to drive you forward?

15. Star
Maps
Know where
your threat
environment
is evolving
Executive Insights
in your Monthly Cyber Assurance Report

16. Star
Maps
Know when
peers &
suppliers are
breached

17. Star
Maps
Know when
peers &
suppliers are
breached

18. a
Cyber Insurance
Charles Clarke - Insurance Sales Director, International

19. ©2023 SecurityScorecard. All Rights Reserved.
Cyber Risk Moves Fast and is Always Evolving
Vulnerabilities get
exploited quickly
24 hours
Time it takes to exploit
a new vulnerability
Craig Guiliano, Cyber Intelligence Officer at Chubb
Organizations struggle
to fix vulnerabilities
361 days
Average half-life of
unpatched vulnerabilities
Cyentia and SecurityScorecard
Volume of Threats is
Increasing
167%
Increase in confirmed
zero-day exploits
Madiant
19

20. ©2023 SecurityScorecard. All Rights Reserved.
● Helps Insurers Improve risk selection by
triaging applications and identifying
insureds with strong security practices
● Allows Brokers and Insurers to review
subjectivities and quickly resolve to
create efficiencies and clarity
● Incentivize resiliency by rewarding
insureds with strong security postures
with policy perks or discounts
(Measured and Embroker)
20
Risk Evaluation
Empower brokers and insurers to make right decisions
100%
of IPs and domains
scanned across
1500+ ports and 45+
countries
2B+
Malware requests
per day — world’s
largest malware
DNS sinkhole
2x
Faster reflection
of remediations
in score

21. ©2023 SecurityScorecard. All Rights Reserved.
● Prevent claims before they occur by
identifying high risk policyholders and
taking timely action
● Quantify sources of systemic risk from
common technologies or vendors to
reduce catastrophic loss potential
● Bolster cyber resilience by enhancing a
client’s security program and increasing
their incident preparedness
21
Risk Mitigation and Preparation
Manage a growing and resilient portfolio
3x
More continuously
monitored
organizations
100%
of scoring signals
are refreshed daily
or weekly
100B+
vulnerabilities
& attributions
published weekly

22. ©2023 SecurityScorecard. All Rights Reserved.
● Increase policyholder engagement by
delivering personalized and relevant
communications that drive action
● Create awareness of critical issues that
could make a policyholder uninsurable
or face tough renewals
● Deliver in the moment of truth with
incident response strategies that quickly
and effectively resolve claims
22
Risk Engagement
Deliver exceptional customer experiences
+50k
organizations
signed up to use
SecurityScorecard
7-8
point score
improvement for
engaged
organizations
+6M
feedback items
contributed from
users

23. Confidential
SecurityScorecard is a Standard in Cyber Insurance
Our customers represent a third of the cyber insurance premiums written in the US
“We are thrilled to work alongside
SecurityScorecard, which is well known in the cyber
risk industry for its commitment to transparency,
driving value and helping to reduce risk”
Ryan FitzSimmons, Divisional Vice President, Great American Insurance
Company
"SecurityScorecard's data and analytics are a
valuable addition to our proprietary insights,
furthering our ability to help our clients stay on top
of emerging vulnerabilities and threats that may
impact their businesses."
Scott Stransky, Managing Director, Marsh McLennan Cyber Risk Analytics
Center

24. Confidential

25. Thank You