How Third-Party Partners Became So Risky


This week, enterprise security startup CyberGRX announced a new funding round, with investors at Bessemer Venture Partners leading the way for $20 million in Series B financing. The investment is not only a signal of VCs’ appetite for enterprise security offerings, but of enterprises themselves needing more sophisticated security tools.

The data on enterprise security tell a clear story: businesses face more threats than ever before, from both inside and outside the enterprise, and the exposure grows as operations become more digitized. CyberGRX focuses on the external side of that exposure, offering companies its CyberGRX Exchange platform, which it claims is the world’s first global third-party cyber risk management exchange.

According to the company’s Chief Revenue Officer Scott Schneider, these third parties are anything from a supplier in the supply chain to payment service providers to business partners.

“We use the term third parties to include anyone who, due to the nature of your relationship with them, could impact you if they suffered a breach,” he recently explained to PYMNTS. “There are a variety of different organizations that encompass the third-party ecosystem.”

That community of third-party players is growing for every business, Schneider noted.

“Let’s face it,” he said. “To compete in a global marketplace full of disruptors, businesses must outsource key functions. Outsourcing is on the rise, and what that does is increase the number of third parties you’re dealing with.”

Schneider said that of all the risks a business can face today, cybersecurity and data security sit at the top of the heap. As supply chains go global and businesses reach into new markets, ink partnerships and buy services from more companies than ever, the cybersecurity threat mounts. But those risks are rising for other reasons, too.

For one, third-party risk is effectively inescapable for many companies.

“Third-party contractors are the second largest source of security incidents,” said Schneider, adding that they are second only to internal employees. Part of the reason is that it is easier to infiltrate a business by coming in from the sidelines: a partner with trusted access is often a softer target than the primary organization itself.

“It’s easier to break into a third party than it is to break into Walmart directly,” the executive explained. “It’s a major issue you find every CISO [chief information security officer], every CEO trying to solve today.”

He also pointed to heightened regulations that demand businesses mitigate third-party risk. Take New York’s latest efforts, for instance. In March, a new regulation from the New York State Department of Financial Services (23 NYCRR Part 500) came into effect that requires certain practices and protocols with regard to cybersecurity policy within the insurance, banking and financial services space. Specifically, covered companies must designate a CISO, and that CISO, a senior officer, or the company’s board itself must approve a written cybersecurity policy for the organization at large. The same regulation also requires covered entities to maintain written policies and procedures for the security of systems and data accessible to, or held by, third-party service providers, which is the provision most directly aimed at the risk Schneider describes.

In an environment where companies face data breaches, financial losses and the cost of noncompliance if they fail to mitigate third-party risk, it is striking that 50 percent of companies have not implemented a dedicated third-party risk management solution, according to data released last month by MetricStream. According to that report, a fifth of businesses face “significant” third-party risk exposure, and a quarter of the companies that have been exposed to this risk suffered financial losses of at least $10 million because of it.

MetricStream also noted that companies are not only held liable for their own data breaches, but can often be held accountable for breaches that hit their third-party partners, too.

CyberGRX’s Schneider highlighted what he described as the typically “archaic” way companies approach third-party risk management.

“You may not believe this,” he said, “but even very large Fortune 100 organizations still rely on sending their third parties self-assessments, based on spreadsheets.”

Those spreadsheets are sent to all third parties, each of which may be receiving dozens or even hundreds of these assessments to fill out, all asking basically the same types of questions about how they safeguard their data and systems. Beyond the time and money it costs to fill them out and send them back, the requesting organization typically performs no analysis on the answers it receives, so the exercise rarely changes how the relationship is secured.

Separate data from PwC, cited by CyberGRX in its recent funding announcement, found that circulating these spreadsheets, which themselves describe a company’s security controls and weaknesses, is giving rise to still more risk of data breach in the enterprise.

It is this process CyberGRX hopes to disrupt by offering a single portal through which companies can access data on their partners’ cybersecurity measures, meaning businesses can assess and mitigate that risk while third-party players get a more efficient, assess-once process for evaluating themselves.