For procurement and supply chain management there is a fairly new risk indicator that will play an important part in supplier evaluation research efforts in 2019. Recent studies support the critical need to ramp up cyber risk research activities in procurement:
- According to CAPS research, in a Harvard Business Review article, “over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties such as contractors, up from less than one-quarter of attacks in 2010.”
- In its recent Annual Review, The National Cyber Security Centre stresses the role supply chains play in “leaving organizations vulnerable to compromise” and as technology continues to evolve, supply chain risk will become an increasingly important challenge.
- Symantec’s annual Internet Security Threat Report cites an increase in malware implants into supply chains. There has been a 200 percent increase in these types of attacks — “one every month of 2017 as compared to four attacks annually in years prior.”
- A new report by Ponemon Institute and Opus reveals that 59% of companies surveyed have experienced a data breach caused by a third-party supplier or partner and less than half indicate that managing third-party relationship risks is effective and a priority within their organization.
One way the market is responding to help organizations meet the need to research and evaluate supplier cybersecurity risk is in the form of cybersecurity risk ratings offerings. Security ratings, as Tom Turner of BitSight explains, “are just what they sound like: ‘an objective, continuous, external measure of an organization’s overall cyber security posture.’”
Here are selected key providers for procurement to consider:
BitSight Technologies – Founded in 2011 and headquartered in Boston, BitSight provides cybersecurity ratings and is a key player in the market. BitSight Security Ratings are calculated on a scale of 250-900 with a higher rating indicating better security performance. All data collected by BitSight is “externally observable,” meaning from data on compromised systems, diligence, user behavior and public disclosures. BitSight Security Ratings for Vendor Risk Management quickly quantifies a supplier’s level of cyber risk and when changes occur, BitSight sends an immediate alert.
FICO – Founded in 1956, FICO offers credit scoring solutions in the United States and worldwide. FICO’s Cyber Risk Score is available, free of charge, to all organizations. The Score relies on data signals that reflect key risk indicators and are compared to past data breach behaviors of organizations. From this, a machine learning model produces a score that forecasts the likelihood of a future breach.
Prevalent – Prevalent, Inc. is a third-party risk management and vendor threat intelligence provider. Prevalent’s strength is its unified platform that integrates a combination of automated assessments, continuous monitoring and evidence sharing for collaboration between enterprises and vendors. Their “one size does not fit all” approach offers financial (vendor risk management and collaboration), legal, healthcare and retail solutions. Prevalent was founded in 2004.
RiskRecon – RiskRecon was founded in 2015 and is based in Salt Lake City. RiskRecon allows professionals to easily identify risk priorities and needed action by allocating risk resources where they are needed most, namely high value, low performing vendors. RiskRecon visually summarizes issue risk priority within a “Risk Prioritization Matrix,” showing each issue within the context of issue severity and asset risk value.
SecurityScorecard – Founded in 2013, New York based SecurityScorecard allows companies to quickly asses the security risk of any vendor or business partner. SecurityScorecard for Vendor Risk Management allows for initial vendor cybersecurity assessment and continuous monitoring which leverages set minimum grade requirements for vendors to maintain. Out of an A-F rating scale, “companies with a C, D or F rating are 5.4 times more likely to be breached or face compliance penalties than companies with an A or B rating.”
(All above information taken directly from provider websites, white papers, blogs, and press releases)