The ugly secret about the Third Party Risk Management industry is that the data quality used to provide risk decisions is poor. We list a few solutions for your company to reduce its workload and make your third party program better.
Learn more with BreachSiren [dot] com
The Ugly Secret about Third Party Risk Management.pdf (BreachSiren)
Your current data provider doesn’t have federal, state and industry sources representing more than 75% of the US population and growing… but we do.
BreachSiren provides quality breach data to innovative risk and security companies looking to differentiate themselves from competitors. Contact us to learn more about our data breach database and enterprise API.
The Unseen Enemy - Protecting the Brand, the Assets and the Customers (BDO Consulting)
Michael Barba and Jeff Hall discuss the most pressing cyber-threats facing retailers and what companies can do in the event of a cyber breach, data loss or claim. Mr. Barba is a managing director and Mr. Hall is a senior manager with BDO Consulting.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2020/
The pre-conference workshop entitled 'Trust is a Terrible Thing to Waste' from the 2010 International Association of Privacy Professionals conference in Washington, D.C. The session reviewed why trust is important, how to handle crisis communications, and how to build trust before a crisis hits.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
To view the accompanying webinar, go to: https://www.financialpoise.com/financial-poise-webinars/data-privacy-compliance-2021/
Know Your Adversary: Analyzing the Human Element in Evolving Cyber Threats (SurfWatch Labs)
Understanding the types of malicious actors that are attempting to compromise your organization, what motivates them, and what their goals are is a crucial step when it comes to taking action against cyber risks.
Responding to a Company-Wide PII Data Breach (CBIZ, Inc.)
Many small employers falsely believe they can elude the attention of a hacker, yet studies have shown the opposite is true; a growing number of companies with fewer than 100 employees are reporting data breaches every year.
All levels of society rely upon information technology systems. Network operations are pervasive and impact nearly every aspect of our society. The desire of companies to collect, use, store, and secure information about customers, employees, and other individuals is a requirement of the new economy. It is no wonder that the prevalence of electronic communications and a growing dependency on cyber structures and operations also create potential vulnerabilities to cyberattacks. It is critical to preserve information systems and address and prevent weaknesses in cyber protection efforts. This webinar examines the means for companies to reach data goals ethically, efficiently and legally. The panel will also discuss the evolving regulatory approaches of the European Union, United States Federal government and significant developments in U.S. state regimes, including California. Best practices and model comprehensive privacy and cybersecurity policies are discussed. And, data breach response and related litigation, including class action litigation issues and fiduciary duty violations under corporate law, are discussed.
Part of the webinar series: CORPORATE & REGULATORY COMPLIANCE BOOTCAMP 2022 - PART I
See more at https://www.financialpoise.com/webinars/
Patrick Bourk, National Cyber Practice Leader from Hub International, discusses the various cyber policies available for mid-size commercial businesses. He also showcases the various types of risk to consider when working with an insurer.
Lost laptops, misplaced paper records, cyber theft - breaches are a fact of life. But they don't have to be a disaster. Breach veterans know that the impact of a data loss event is substantially determined by what happens in the 48 hours after you find out about it. Get things right, and even a substantial and public breach can be weathered gracefully. Mess things up, and a small breach can turn into a nightmare.
This webinar will review critical steps organizations can take in the wake of a breach. Our featured speaker will be privacy and compliance expert, Deb Hampson who is an AVP & Assistant General Counsel at The Hartford. Don't miss this opportunity to learn best practices from a proven professional.
This presentation focuses on the rising prominence of insurance considerations—and more particularly—on legal aspects of insurance as it relates to cybersecurity and privacy.
The presentation defines “Cyber and Privacy Insurance” and organizes such insurance into four main types of cyber insurance coverage: data breach and privacy management coverage, multimedia liability coverage, extortion liability coverage, and network security liability coverage. With these definitions, the presentation then gives a snapshot of how the cyber insurance market is maturing, its participants, costs, and related attributes.
Consideration is given to the importance of defined terms, before launching into difficulties that providers and users have relative to measuring, modeling, and pricing cyber insurance risk. Particular attention is given to the language of “claims” and how to navigate through associated risk/cost analyses and cost structures.
Additionally, general considerations, pre-conditions, cost of compliance, business interruption, governing board oversight and related issues are brought together in a cohesive manner.
Verizon 2014 Data Breach Investigation Report and the Target Breach (Ulf Mattsson)
The landscape of threats to sensitive data is changing. New technologies bring with them new vulnerabilities, and organizations like Target are failing to adapt to the shifts around them.
What’s needed is an approach equal to the persistent, advanced attacks companies face every day. The sooner we start adopting the same proactive thinking hackers are using to get at our data, the better we will be able to protect it.
In this webinar, Protegrity CTO and data security thought leader Ulf Mattsson integrates new information from the Verizon 2014 Data Breach Investigation Report (DBIR) into his analysis on what is driving data breaches today, and how we can prevent them in the future.
KEY TOPICS INCLUDE:
• The changing threat landscape
• The effects of new technologies on breaches
• Analysis of recent breaches, including Target
• Compliance vs. security
• The importance of shifting from reactive to proactive thinking
• Preparing for future attacks with new technology & techniques
The Ugly Secret about Third Party Risk Management.pptx
1. The ugly truth about third party risk management
Data Breach Database
2. Your vendors are selling you bad, incomplete data. Who are their sources?
1. If they have NOT purchased a cyber loss feed from insurers, they cannot accurately quantify the financial impact of a risky vendor.
2. If they are NOT sourcing breach notification data from all federal, state and industry regulators, they are not truly monitoring vendors.
tl;dr - The Ugly Truth
5. “Organizations should stop using risk scores and risk matrices. There is mounting evidence against (and none for) their effectiveness”
— Doug Hubbard, author of “How to Measure Anything in Cybersecurity”
Problem 2
Source: https://www.youtube.com/watch?v=bYjPmptlc14
10. “All 50 states and the District of Columbia have laws requiring private businesses to notify individuals of security breaches of [..] personally identifiable information.”
— National Conference of State Legislatures
Fun Fact
Source: https://www.ncsl.org/technology-and-communication/security-breach-notification-laws
11. 1. Breach notifications are regulated at state level
2. 35 states and DC require private companies to notify their Office of the Attorney General
3. 40 states and DC require notification to a credit reporting agency
4. Generally, notification is required for >=1,000 citizens
5. Notification requirements are ASAP to 45 days generally
Things to know…
14. 1. Breach notifications are real data. They are the Who, What, Where and When.
2. Not notifying impacted users = you’re breaking state law!
3. Breach notification data can be used to ensure vendors, clients and partners are being truthful
4. If you’re paying for risk/threat intelligence data but real data isn’t included, what are you really paying for?
Takeaways
18. It’s your insurer’s job to know how much it will cost them if your company has a breach, because of risk transfer.
Why is this important…
[Diagram labels: Insurance Company, Reinsurer, Insurance Linked Securities]
19. ● Company and industry identifiers
● External or internal caused loss including employee, vendor/consultant, terrorist, criminal organization, etc
● Actor vectors, proximate + secondary causes, compromised data sources, types, and affected counts
● Settlement amounts, legal fees, fines, restitution
Fields
22. 1. Cyber loss data is used purely for underwriting purposes, not continuous monitoring of actual breaches as reported to regulators
2. It is occasionally the Why but always the How Much of our story.
3. Identify the REAL cost of a breach from an insurer’s POV
4. Enrich your risk tools for better storytelling
Things to know…
24. Vendor X - High Risk
What story do we want to tell?
● What letter grade would another vendor assign them?
● What would their theoretical credit score be?
● What security issues are in their external facing sites?
25. Vendor X - High Risk
An alternative story:
● How many breaches have been reported to a regulator?
● Have they reported a breach but not told us?
● Did they report something different than what was shared with us?
● How much did their breaches cost them and/or other parties?
26. Which story is better?
A story:
● Vendor X reported three “incidents” last year
● They informed us of one of the three
● They lost the data of a competitor due to phishing
● The total loss amount was $5m USD
A story:
● Vendor X has a risk rating of A-
● They have websites that don’t enforce HTTPS
● The vendor is mentioned in an unnamed forum on the dark web
● The range of industry losses is $500k-7m
27. “CISOs need to translate the cybersecurity request for funds into the language of the rest of the organization”
— Doug Hubbard, author of “How to Measure Anything in Cybersecurity”
Solution
Source: https://www.youtube.com/watch?v=bYjPmptlc14
28. ● For cyber loss data:
○ Verisk, IHS Markit, Zywave
● For breach notification data:
○ Sign up for breachsiren.com
● Reading:
○ “How to Measure Anything in Cybersecurity Risk” by Doug Hubbard
○ FAIR Blog: Shopping for Cyber Loss Data by Allison Seidel
Recommendations…
29. Your vendors are selling you bad, incomplete data. Who are their sources?
1. If they have NOT purchased a cyber loss feed from insurers, they cannot accurately quantify the financial impact of a risky vendor.
2. If they are NOT sourcing breach notification data from all federal, state and industry regulators, they are not truly monitoring vendors.
The Ugly Truth
Note: Verizon DBIR historically used a small subset of breach data (~17 states) for trend analysis
Fun Fact: How many TPRM vendors have this information? I’ve checked and, to my surprise, I have yet to find a single one.
This problem lives in our tools. How do we communicate value when our tools don’t use REAL data?
One, we’re missing the big metric = real money, but more importantly we’re failing to tell a story. I want to know what’s impacted my competitors’ and industry peers’ quarterly and annual earnings. Not some breach study with averages or someone’s opinion on what the dark web values.
Literally most of the tools in our industry are pushing us in the wrong direction here…
We can do what Doug says to do which is to use historical observations and to also quantify those observations.
To build out that story with data, we’re going to look at insurance and legal and deal with our topics for the day, which are two different but closely related data types (breach & cyber loss data). Before we hop in, let me tell you a quick story about how we ended up here…
That was a clue that we needed more data and led to the question: what are breach notifications really?
Show of hands. We know about HIPAA. Right but what if it’s just PII?
Not 5, 10, 25 but all 50 states have laws requiring you to notify.
What I find fascinating is that to be honest, I didn’t know this until last year. If your company is not notifying the state, you may be breaking the law. This gets really interesting when we think about whistleblowers. Let’s look at these and learn more…
Here’s a breach reporting form for the state of New York in 2012. In a lot of cases, what happens is that inside counsel works with outside counsel who handles notification and contacts the AG’s office.
Secondary question: Can you compute reputational damage?
As an example, here’s a slide from a presentation that I did many years ago on the Anthem (Wellpoint) breach of 80 million records of PHI. Here are the actual costs as reported in their annual reports and regular reporters.
We could attempt to crunch the numbers ourselves but we cut corners here by understanding a little bit about how the insurance industry works…
Now that we understand what it is and why it is. Let’s dive in to what the data looks like and how it can be used.
In this case, we have the largest cyber losses from last year. Instagram was the winner with $401m due to GDPR violation. The other top 4 were hacking losses in the cryptocurrency industry.
For 2022, we can see that breach losses as a whole cost more than privacy losses.
Fun fact: Insurers pay a ton of money for this data and there are entire companies that specialize in helping them model and price out risk. Starting price hundreds of thousands to millions of dollars annually.
Let’s wrap up and talk solutions.
Status Quo - Let’s assume that they’ve completed a questionnaire and in this case we just want to know about their technical risks. The current options let us check the box and, let’s be honest, that does have value, but there are so many gaps that it borders on fraudulent. What happens if a vendor doesn’t have a significant online presence? How does a letter grade tell me whether they’re using MFA or if they’re getting quality pentesting or not?
Current tools can’t provide you this information, and when they do it’s for a tiny subset of what’s out there. Again, it’s time for change.
Let’s suppose that your vendor process is the same in both of these stories. A questionnaire has been completed along with a quality SOC2. From here, we can arm legal with resources to build out meaningful asks for added insurance coverage or security language.
Here’s one last quote from Doug Hubbard the author of #1 bestselling business math book, “How to Measure Anything” and also “How to Measure Anything in Cybersecurity.” Two of his books are required reading for the Society of Actuaries exam prep.