The level of uncertainty financial institutions have about third-party cyber risk is worrying. Firms have no idea how a third party accesses their network, or which back doors that access leaves open for criminals. CyberGRX was created to fix this.
When Fred Kneip left Bridgewater Associates, he was introduced to Jay Leek, the chief information security officer at Blackstone. Leek was responsible for the security of Blackstone and each of its portfolio companies. Quarterly conference calls with 80 CISOs were held to discuss how they could coordinate to improve security. A recurring theme was that CISOs and their teams couldn’t keep pace with the cybersecurity assessments of the third parties and vendors they used.
The idea was born to build a centralised assessment service at Blackstone that could be shared across the portfolio, instead of everyone completing their own assessments. The internal approach was justified by a survey across the portfolio, which found that 90% of the CISOs were paying external auditors to assess the payroll solution ADP each year. If those duplicated funds were put towards a centralised cyber risk assessment programme, it would pay for itself.
“The origin of CyberGRX was the idea of doing one high-quality, thorough cyber risk assessment of a company, and allow that to be shared or used multiple times,” Kneip said.
Whilst building the platform, it quickly became apparent that a lot of companies suffered from the same challenge, so Kneip decided to expand the solution beyond Blackstone. He explained that there is so much inefficiency in how people share cyber risk information that the concept benefits both sides. ADP, for example, receives over 5,000 cybersecurity review requests each year that it must complete as a third party. On the other side, a Fortune 500 company will have thousands of companies its team needs to assess, which is not scalable. “There are very few things that are a true win on both sides,” said Kneip. “You know you’re onto something when you talk to a consumer of this data who says I hate this experience, and you talk to the third-party and they say, I hate this experience.”
While the inefficiency was high, a bigger problem was how cyber risk was being managed. “What people were doing was saying they don’t have the time and just do something to satisfy a regulator, just to say they did an assessment, put it on a shelf and not even look at it.”
Companies are unprepared for the number of companies – and potential vulnerabilities – they are exposed to. Two decades ago, corporations were relatively isolated. They built their own goods and had internal teams to handle everything. Now, companies prefer to outsource tasks and capabilities so they can focus on their “core competencies.” Kneip explained that companies will implement robust security programmes to protect themselves, but that is not enough. If a hacker can see a bank is fortified, they will look at where it sends data and attack that third party to gain access to it. A report from the Ponemon Institute found that 51% of companies have suffered a data breach caused by a third party.
“The problem is companies say, ‘We’ve put in cool tools ourselves; we feel safe.’ But now they’re sending that data out to so many other people, or they’re allowing many people to access their network. Suddenly, you’ve created a backdoor for people to get in, potentially to much weaker providers.”
Stop the bleeding
Due to the scale of the problem, many firms have opted to implement a new third-party strategy, which Kneip describes as a “stop the bleeding approach.” Any new company that comes in and accesses sensitive data needs to complete a review. However, this skips the companies that already have access to that data, some of which may have had it for decades.
When a third party has been accessing a firm’s systems for a long time, many teams are unaware who that company is, what the original deal was or what it does within the network. They ignore it and hope this doesn’t hurt them. CyberGRX gives companies the tools to resolve the whole issue, and clients have jumped at the chance. “The appetite for a solution like CyberGRX is voracious, they say ‘I can finally figure this out.’”
How it works
Kneip outlined two concepts by which third-party risk is categorised. The first is how likely the third party is to be attacked, with an infrastructure services provider sitting higher up the risk spectrum. The other is how impactful a breach of that company would be. Is it a company that delivers a core business function, or is it a secondary backup provider?
Understanding how likely a company is to be attacked is relatively easy to analyse. Looking at its industry, current attack trends and similar data points helps build a predictability score. However, assessing the damage of a breach is much harder, Kneip stated.
CyberGRX uses its database to help companies predict how a third party accesses their systems. “If you give us ADP as one of your third parties, but don’t tell us how you use them, we’ve got hundreds of other customers who have told us how they use them. We’re going to make an assumption that you use it in the most common way provided by other customers.” If a company has 10,000 third parties in use, CyberGRX can give it an estimate of the security posture of those companies and how likely they are to be attacked. This instantly gives the company better clarity on its own operations and shows where it needs to focus security efforts.
It’s this instant clarity that gets clients so excited for CyberGRX. Kneip stated that first reactions range from “disbelief to excitement to apprehension.” This is information they never knew was available. “We’re suddenly now enabling you to look at anyone.”
A leapfrog solution
Kneip described CyberGRX as the leapfrog solution to third-party risk. The foundation of its platform is a connected data exchange of third-party risk assessments. It asks third parties to complete a standardised questionnaire about their risk structure. Once completed, the questionnaire is stored on the exchange, which holds 10,000 assessments across 100 countries and is growing each week. As a result, when a new client joins CyberGRX, around 50% of its third parties are already on the exchange.
CyberGRX does not stop there. When faced with a company not yet on the exchange, it collates external information such as its size, industry, regions of operation and more. It then uses the exchange to find similar companies and runs a Monte Carlo simulation over their completed questionnaires to predict the new company’s controls. With this approach, CyberGRX is able to provide information on more than 135,000 companies.
“We can effectively predict how any company in the world will respond to the standard CyberGRX question set and have achieved about 85% predictive accuracy. We’re able to say, ‘you gave us 1,000 third-parties, 500 are on our exchange, that data has come through and validated, for the other 500, here’s a prediction.’ You go from having no idea who these guys are, to having visibility to everyone with varying levels of confidence. And you’ve just fundamentally changed the ability for someone to look at that group.”
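The prediction approach described above, as an added illustration that is not CyberGRX’s code: a constructed miniature “exchange” of completed questionnaires, a similarity score over external attributes, and a Monte Carlo draw of whole peer questionnaires (weighted by similarity, so correlations between answers survive) that yields per-control probabilities, the chance the company meets a control threshold, and a confidence label from how many peers informed it. Company names, attributes, control questions and the confidence thresholds are all assumptions made for the example.

```python
import random

# Constructed sample "exchange" of completed questionnaires: company names,
# attributes and yes/no control answers are made up for illustration.
EXCHANGE = [
    {"name": "PayCo",   "industry": "payroll", "size": "large", "region": "US",
     "controls": {"mfa": 1, "enc_at_rest": 1, "patch_30d": 1}},
    {"name": "SalaryX", "industry": "payroll", "size": "large", "region": "EU",
     "controls": {"mfa": 1, "enc_at_rest": 1, "patch_30d": 0}},
    {"name": "WageHub", "industry": "payroll", "size": "mid",   "region": "US",
     "controls": {"mfa": 1, "enc_at_rest": 0, "patch_30d": 0}},
    {"name": "TinyPay", "industry": "payroll", "size": "small", "region": "EU",
     "controls": {"mfa": 0, "enc_at_rest": 1, "patch_30d": 0}},
    {"name": "HostIt",  "industry": "hosting", "size": "large", "region": "US",
     "controls": {"mfa": 1, "enc_at_rest": 1, "patch_30d": 1}},
    {"name": "Bakery",  "industry": "retail",  "size": "small", "region": "EU",
     "controls": {"mfa": 0, "enc_at_rest": 0, "patch_30d": 0}},
]
CONTROLS = ["mfa", "enc_at_rest", "patch_30d"]
ATTRIBUTES = ["industry", "size", "region"]

def similarity(company, profile):
    """Number of external attributes an assessed company shares with the new one."""
    return sum(company[a] == profile[a] for a in ATTRIBUTES)

def predict(exchange, profile, min_controls=2, trials=20000, seed=7):
    """Monte Carlo prediction of an unassessed company's questionnaire.
    Each trial draws one whole peer questionnaire (weighted by similarity), so
    answer correlations are kept; peers with nothing in common are excluded."""
    peers = [c for c in exchange if similarity(c, profile) > 0]
    if not peers:
        return None                      # nothing comparable on the exchange
    weights = [similarity(c, profile) for c in peers]
    rng = random.Random(seed)            # fixed seed keeps the run reproducible
    hits = dict.fromkeys(CONTROLS, 0)
    meets = 0
    for _ in range(trials):
        answers = rng.choices(peers, weights=weights)[0]["controls"]
        for ctl in CONTROLS:
            hits[ctl] += answers[ctl]
        meets += sum(answers[c] for c in CONTROLS) >= min_controls
    n = len(peers)                       # more peers -> more confidence (assumed bands)
    return {"per_control": {c: hits[c] / trials for c in CONTROLS},
            "p_meets_threshold": meets / trials,
            "peers": n,
            "confidence": "low" if n < 3 else "medium" if n < 10 else "high"}

if __name__ == "__main__":
    print(predict(EXCHANGE, {"industry": "payroll", "size": "large", "region": "US"}))
```

For the sample profile the weighted peer set gives roughly 0.9 for MFA, 0.8 for encryption at rest and 0.5 for 30-day patching, with a 0.7 chance of meeting the two-control threshold; a profile matching no attribute returns None rather than a guess.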
Thanks to its standardised questionnaires, CyberGRX can also use the MITRE ATT&CK framework, which Kneip described as a decomposition of all known attacks from the past couple of years. Through this, CyberGRX can prioritise security operations for clients. It can look across a client’s third parties, see which ones are most susceptible to a certain attack and help the client be more proactive in its defence. This standardised approach to risk data enables a portfolio perspective unlike others in the market, Kneip added. With other approaches, a company would need to pull up each third-party assessment and find the necessary information by hand.
Kneip concluded that the worst thing a financial institution can do is put off its third-party cyber risk management. He likened the problem to a messy garage. Firms see how bad the problem is but keep putting it off because it is daunting. They’ll fix it tomorrow, but tomorrow never comes. CyberGRX can instantly make the task less overwhelming.
CyberGRX was named in this year’s CyberTech100.
Copyright © 2022 RegTech Analyst