In a single week earlier this year, Best Buy, Sears, Kmart, and Delta Airlines each announced data breaches involving thousands or millions of customer records. That was hardly a blip in the post-Equifax world. Yet for cybersecurity professionals, the incidents revealed an important detail: all of the companies were compromised through security vulnerabilities at a single shared third-party vendor.
By one estimate, 63% of security breaches can be traced to ineffective security protocols at third-party vendors. Direct response costs for a typical breach average $10 million per incident before factoring in reputational damage, customer fallout, regulatory scrutiny, and legal expenses.
For a small company managing a handful of vendors, auditing and monitoring activities can be manageable. Labor-intensive and time-consuming, but manageable. For larger enterprises with hundreds or even thousands of vendors, risk management requires dedicated teams and lots of time.
CyberGRX is reinventing third-party cyber risk management for both enterprises and vendors. They’ve made tremendous progress but are really just getting started. So today we’re pleased to announce that Scale Venture Partners has invested in the company’s Series C funding round.
Today’s painfully slow and inefficient approach to third-party cyber risk management
No one really questions whether third-party assessment is needed. After all, every outside vendor represents some level of risk. Yet no one would argue that the current approaches work very well either.
To see what third-party cyber risk management looks like today, picture an enterprise evaluating a new CRM platform. To perform procurement diligence with the top candidates, its security team circulates a spreadsheet with 200 detailed questions about the vendor’s cybersecurity capabilities. The vendor’s salesperson dutifully forwards the questionnaire to her security team, which scrambles to track down the relevant documentation or draft new documentation where there are gaps. Eventually, the vendor returns the questionnaire, only to get hit with a new round of follow-up questions. Repeat many times as the months pass.
There are two takeaways here. The first is that cyber risk management as it is practiced today is overly burdensome for everyone involved. It’s so bad that large technology vendors will often only respond to their largest customers. The second is opportunity cost. Because teams spend so much time sending and responding to questionnaires, they have far less bandwidth to tackle actual security issues.
CyberGRX benefits companies and their vendors
The security and risk practitioners we spoke with described the ideal risk management process the same way: standardized security questionnaires that vendors fill out just once, keep up-to-date easily, and reuse again and again, paired with a reporting and policy engine that highlights areas of interest and concern.
That is exactly what CyberGRX has developed. The company acts as a trusted intermediary between companies buying third-party technology and services, and the vendors themselves. Vendors complete a standardized assessment that can be reused for any diligence request on the CyberGRX exchange. For their part, enterprises contract with CyberGRX for access to those assessments. CyberGRX provides three tiers of assessments, from self-reported questionnaires to in-depth onsite audits.
The value proposition is clear. Vendors love the platform because they can leverage a one-time investment in completing the assessment across all future customers. Notably, CyberGRX has signed up many of the same large technology vendors that would previously forgo assessment requests altogether. This suggests that their issues were with the cost and inefficiencies of the one-off assessment process and not the assessments themselves.
A leadership team with hands-on experience
CyberGRX’s rapid growth in both buy-side and sell-side signups is already underway. Enterprise buyers are purchasing assessments for more of their vendors and refreshing those assessments on a regular cadence. Working with CyberGRX means they can focus more resources on actually managing security risk. Likewise, vendors are spending less time documenting their security posture and more time improving it.
The company’s success can be attributed to a leadership team with firsthand experience of the pain points in third-party vendor risk management. Prior to founding CyberGRX, CEO Fred Kneip was the Chief Security and Compliance Officer for Bridgewater Associates. Other senior executives have held security and product roles at Cylance, Security Scorecard, and Visum Cyber, among others.
As Target learned the hard way, security vulnerabilities at third-party vendors can open the door to massive data breaches, nasty news cycles, and angry customers. Solutions like CyberGRX are reducing the risk of fallout throughout the entire ecosystem. We’re excited to join and support the company on this journey.
Eric Anderson contributed to this blog post.