Sramana Mitra: Could you point out the ecosystem around you in a bit more detail? Who are the people you interface with? Whom do you compete with?
Kelly White: There’s quite a large industry around managing third-party cyber security risks. The roots of that industry are in GRC platform providers.
You look at companies like RSA and Archer where companies are using those systems to record the fact that they have a risk relationship with a third-party. They document the nature of that risk relationship and then they’ll perform activities to track the vendor’s compliance to their risk management requirements.
In those platforms, their core process for verifying vendors and managing vendor compliance has been administering questionnaires. That questionnaire could be based on this cyber security framework where they’re asking for evidence of compliance to specific controls.
RiskRecon closely works with GRC platform providers to provide objective verification of security control performance. You might have a control that says, “Software should be patched against critical vulnerabilities.” The vendor might answer yes.
RiskRecon brings forward objective data to verify if that is the case. We integrate with a large number of GRC providers. They leverage our data to help customers understand and manage that third-party risk.
Our data is also used quite heavily by professionals who are managing the third-party risk. They are leveraging our data and analytics whether they’re practitioners working within the company. From an ecosystem standpoint, our primary competitors are BitSight and Security Scorecard.
Sramana Mitra: What is the level of adoption of your kind of technology in the market currently? What are you seeing? What percentage of enterprises have rolled out a solution?
Kelly White: If you look at global adoption of this technology, it’s right around 2,000 to 2,500 companies. A good portion are RiskRecon customers. It really started in cyber insurance and also the financial sectors that were highly regulated, where both parties are motivated to get objective data on the cyber security performance of other companies.
Insurance is really underwriting the risk of a company and wants evidence of how well the company is managing cyber security risk. In the financial sector, there has been a long-standing regulation that requires companies to have a good understanding of their third-party risk and to actively manage that.
The macro theme that’s driving adoption way beyond the financial sector, into legal, manufacturing, healthcare, and utilities, is two-fold. The regulators are consistently pushing this theme. You can outsource your systems and services, but you cannot outsource your risk.
The regulators have been pushing that theme for a long time. More and more boards are recognizing that as truly being an authentically important business function – proactively manage risk regardless of whether you’ve outsourced to another firm or not.
There have been a couple of high-profile cases that continue to drive awareness of the importance of managing third-party security risk. The most recent one was early June when American Medical Collection Agency, which provided debt collection services to a wide range of healthcare providers, was compromised.
When that happened, over 30 healthcare providers had to disclose that their customer patient data had been stolen. Also, related financial information had been stolen because of a breach of a vendor. The implications of that not only impact the vendor but also every customer of that vendor whose data was stolen. They end up having to go through disclosures and regulatory fines.