Editor's Note: The following interview with Prevalent's Brad Hibbert was originally published in the TAG Cyber 2022 Security Annual - 3rd Quarter and is reprinted here with permission.
Significant cybersecurity challenges have emerged for enterprise teams, including operational concerns and compliance issues. A fundamental problem is that enterprises cannot expect perfect visibility into the security ecosystem of their suppliers and partners, which leaves data, systems and shared resources exposed to risk.
Prevalent is a leader in providing commercial solutions for managing third-party risks to security and compliance exposure. TAG Cyber wanted to learn more about how this third-party security capability could be deployed to reduce cyber risk.
Our customers see risks across six broad categories. First, there is cybersecurity, which includes risks to data and systems via outside intrusions through a third party. Next are business risks, such as a third party’s lack of resilience when faced with operational challenges or disruptions due to pandemics or natural disasters. Financial risks are when third-party vendors and suppliers experience financial troubles, bankruptcy or have a poor credit rating. Examples of Environmental, Social and Governance (ESG) risks include a supplier having a poor environmental record, being accused of using illegal labor or not practicing overall effective corporate governance. Reputational risks—such as negative news, product recalls, executive misconduct and sanctions—can also be cause for concern. Finally, compliance risks comprise things like GDPR findings, failed audits, bribery, corruption or ethical problems. While cybersecurity and data-protection risks garner the most attention, many of the other risk types carry regulatory weight behind them, too.
We start by automating the RFP process by adding demographic, fourth-party, ESG, business, reputational and financial insights to help procurement teams incorporate risk intelligence into vendor selection decisions and pre-contract due diligence. Next, we automate the migration of a selected vendor into contracting by centrally tracking all contracts and attributes with workflow and version control. Once a vendor is selected and contracted, we issue profiling and tiering assessments to calculate inherent risk scores. With this data, companies can categorize vendors and make decisions on the scope of further due diligence.
We also offer a library of more than 100 questionnaire templates and custom surveys to assess third parties on a wide range of criteria—from InfoSec and data privacy to ESG and financial solvency. We take the answers from these surveys and populate a central risk register that can be used to view and act on risks. We also provide reporting by regulation and frameworks to simplify how data is presented, as well as manage remediations down to an acceptable level of residual risk.
Because a lot can happen in between regular assessments, we continuously track and analyze externally observable threats to vendors and other third parties. We help organizations through centralized dashboards that manage and track third-party performance to contractual requirements. Finally, we automate contract assessments and offboarding procedures to reduce an organization’s risk of post-contract exposure.
The old maxim is true: You can’t manage what you can’t measure. And I would add: You can’t measure what you can’t see. Enterprise risk visibility is at the core of our platform. It starts with procurement—gaining pre-contract visibility into risks like vendor finances, data breaches or compliance problems—and extends to offering a single role-based platform that multiple enterprise teams can use to view the risks that matter to them. We do this through customized, role-specific dashboards and reporting.
Our networks are on-demand libraries containing thousands of vendor risk reports that are continuously updated and backed by supporting evidence. Customers use the networks—Exchange, Legal Vendor Network and Healthcare Vendor Network—to get a jump start on their vendor due diligence process by gaining immediate access to completed assessments, helping them scale their programs so they can shift their time and energy from hounding vendors to identifying and remediating exposures.
We see TPRM moving towards greater levels of outsourcing, involving more enterprise teams and risk types, as well as evolving to a more continuous model and going deeper in certain industry verticals. First, enterprises rely on an ever-widening network of third parties, while also facing an expanding web of geopolitical risks, regulatory requirements and cybersecurity threats. Unfortunately, most companies manage these risks by using manual processes that place a greater emphasis on risk identification than risk remediation. Over the next several years, organizations trying to scale effective TPRM risk programs will hit a wall, causing them to adopt more automated and proactive approaches, such as leveraging external business process outsourcing firms and/or dedicated purpose-built external TPRM software.
Next, enterprises are being pressured by a range of stakeholders—including regulators, investors and consumers—to improve visibility and oversight of their exposure to third-party risk. While organizations may begin by focusing primarily on cyber threats, they will see the need to enable risk-based decisions by proactively assessing and monitoring a more comprehensive risk profile throughout the third-party relationship. This will require the rationalization and harmonization of technology, processes (workflow) and people.
Departments and teams will need to consider risk in all activities and decision making, including activities that are currently more focused on operational efficiency. Teams responsible for everything from sourcing and onboarding new vendors to managing their performance over time will continue to consume risk intelligence from similar data sources (e.g., a comprehensive risk profile) and begin to leverage insights from their peers in supporting contract negotiations and discussions related to their respective workstreams.
Enterprises will also continue to enhance third-party programs by utilizing integration, automation, intelligence networks and analytics to continuously assess and monitor their extended supply chains more closely. Finally, enterprises in certain verticals will continue to adopt sharing networks to accelerate risk identification and place a greater focus on risk remediation. These sharing networks will evolve beyond assessment sharing to intelligence sharing as enterprises and third parties design, embrace and enforce open communication to proactively share insights related to cyber, compliance, incidents, performance and more.