Robo-raters Help Banks Vet Vendors for Cyber Risk

These specialists are touting services for monitoring third parties amid tougher rules on outsourcing risk.

If you want to reduce the risk posed by third parties to your organization, you hire another third party to police them.

This concept may not be intuitive, but cyber risk rating companies such as BitSight, RiskRecon and SecurityScorecard have made it central to their business proposition.

These companies are trying to offer an alternative to the staple methods of third-party risk management, where banks vet vendors using questionnaires, lengthy audits and site visits. Instead, the rating companies scrape the internet for any data that can help paint a picture of a third party’s cybersecurity defenses and their vulnerability to cyber crooks.

Financial institutions are weighing up the service as they struggle to manage the risk posed by an intricate network of third parties. Many of those third parties themselves outsource to external vendors, creating a complex web of vendor relationships for banks to monitor.

“It’s risk management once removed, and it’s a problem the whole industry faces,” says Richard Downing, head of vendor risk management at Deutsche Bank in London.

Banks hoping for a magic bullet from cyber risk rating companies may be disappointed, though. There are questions over whether the ratings provide a sufficiently comprehensive measure of vendor risk. Some believe ratings can only ever complement, not replace, banks’ own internal vetting processes.

Regulators are well aware of the problem. The US Federal Reserve is focusing on vendor risk management as one of its supervisory priorities for the country’s largest banks, while the European Banking Authority has released stringent guidelines on outsourcing arrangements. The European Securities and Markets Authority plans to release its own outsourcing guidelines for financial firms not under the purview of the EBA next year.

The specter of data loss is one of the biggest fears for risk managers, judging by Risk.net’s annual Top 10 op risks survey, which in 2019 placed data compromise in the top slot for the first time. As well as the costs from reputational damage and customer remediation, data loss can also attract swingeing fines under Europe’s sweeping General Data Protection Regulation (GDPR) laws.

Know the score

Cyber risk rating providers employ big data techniques to gauge the cybersecurity capabilities of firms, scraping the internet for information that can provide clues as to a company’s resilience against hacks, outages and other threats. The data is aggregated and run through an automated program, which scores the data along preset parameters. These scores are weighted to produce a security rating. SecurityScorecard has a 100-point system and gives out grades on a scale of A to F, with a report card that highlights what actions can be taken to improve the grade. BitSight offers a rating on a scale from 250 to 900 points, similar to a credit score, and RiskRecon provides a score anywhere from zero to 10.

Broadly, these services monitor whether a firm’s systems are properly patched, the health of its domain name system (DNS) records, the security of a company’s network and other factors. Patching, or updating, the software used by companies is a basic but important way to avoid cyber breaches, experts say, as hackers can exploit known holes in unpatched software during the window before a fix is applied. DNS is the decentralized system that maps names to addresses on the internet, and companies must make sure to monitor their own DNS records to avoid malicious activity – for example, attackers redirecting internet traffic or impersonating a company’s email domain.


However, these services can go beyond just monitoring the perimeter of companies’ security infrastructure. SecurityScorecard also eavesdrops on web chatter about companies to determine if data has been leaked or if hackers are planning to launch a cyber attack on a target.

Similarly, BitSight boasts of having access to one of the largest cyber sinkhole infrastructures in the world, after acquiring a Portuguese cyber analytics firm in 2014. The sinkhole is a huge dragnet that intercepts traffic bound for malicious URLs. Often, this type of malicious traffic emanates from groups of infected computers referred to as botnets. By observing these botnets, BitSight, SecurityScorecard and other firms can track communications sent by the infected computers and obtain a worldwide view of the ebb and flow of infections. This can provide some important intelligence on the vulnerability of different firms to potential cyber attacks.

“Access to this sinkhole lets us know when malicious links are clicked, as our sinkhole intercepts the message sent back to the hacker,” says Jake Olcott, vice-president in communications at BitSight.

SecurityScorecard also says it uses cyber sinkholes to aid monitoring. The company’s vice-president of international operations, Matthew McKenna, says automation is important in enabling cyber rating firms to increase the range of vendors they cover. He claims the firm scores 1.1 million companies.

RiskRecon was unable to respond to requests for comment.

The breadth of coverage offered by rating providers may be a draw for multinational companies that need to set variable levels of risk tolerance depending on region or market.


“Take a firm with an asset management business in the US and a wealth management business in Singapore,” says Charles Forde, group head of operational risk at Allied Irish Bank. “You will likely have a different risk appetite for vendors in these different regions so you can tailor your findings to each business. A score might be acceptable for one business but not another. That flexibility is useful.”

Cyber rating firms operate under a subscriber payment model. This sets them apart from their credit rating agency cousins, which use an ‘issuer pays’ model – a structure that some claim introduces perverse incentives into the rating process.

“Our business is similar to that of a conventional credit rating agency, but there are some fundamental differences,” says Olcott. “In the financial ratings market, organizations pay to be rated, which can lead to a significant conflict of interest. For us, any organization can pay to get on the platform and see the ratings of hundreds of thousands of firms.”

Fast response

Proponents of cyber ratings claim the service offers a quick and easy snapshot of a vendor’s vulnerabilities compared with the traditional vetting procedure involving questionnaires and audits.

“These utilities become very cost-effective because while an audit or questionnaire of a vendor can take a minimum [of] four to six weeks, these cyber risk rating services give you an answer immediately,” says Amit Lakhani, the global head of IT and third-party risks for corporate and institutional banking at BNP Paribas in London.

Financial institutions also have the option to outsource the questionnaire process to external monitoring services such as KY3P from IHS Markit or the TruSight utility set up by large American banks.

Allied Irish Bank’s Forde proposes an alternative approach to screening new vendor relationships, using cyber risk ratings instead of questionnaires. Banks could request and affirm basic information that would normally be included within a vetting questionnaire as minimum contract standards with vendors. This kind of information could include whether a vendor has a chief information security officer who sets policies, or what its processes for data encryption are. For the more technical details normally requested in a questionnaire, the cyber rating firms can come into play, providing up-to-date information on a vendor’s cybersecurity posture.

“Cyber risk rating services offer an instant response on technical vulnerabilities, issues with patching and encryption, among other risks,” says Forde. “This approach also extends to discovery and monitoring more deeply into the supply chain, covering fourth parties.”

Gaining a detailed picture of the supplier relationships among vendors is hard for a large institution that might have hundreds of individual outsourcing arrangements. Cyber rating firms are starting to offer analysis of the chains of connection among vendors, to show third and fourth parties.

“If your supplier is subcontracting to another supplier, then these rating agencies can provide you with a view of the number of fourth parties your supplier has,” says BNP Paribas’s Lakhani. “It is very helpful to see if all your fourth parties are converging to certain cloud service providers such as Amazon Web Services [AWS] or Microsoft’s Azure platform. This could change your view of risk if it is determined that many of your third parties would suffer if any of these services were to go down tomorrow.”

He adds: “As an organization, this helps because the EBA is very interested in seeing where risk concentrations exist.”

New guidelines from the EBA, released in February, provide detailed principles on how to manage outsourcing risk from third parties. Banks must maintain a comprehensive register of outsourcing relationships and closely scrutinize vendors based on their “criticality” to the functioning of the business. The rules go beyond the scope of the outsourcing guidelines released by the Committee of European Banking Supervisors in 2006, ramping up the compliance burden with regard to third and fourth parties, banks report.

As regulators finesse their guidelines for the management of third-party risk, their expectations for how firms tackle cyber risk are also taking shape. US regulators initially favored a tough approach that would compel financial institutions to introduce a two-hour return to operations following a cyber attack. The proposal was shelved after industry criticism, but the Fed is pushing ahead with an initiative to set common standards for classifying and modelling cyber risk.

In Europe, the GDPR rules over data privacy introduced last year have forced all companies that handle personal data to overhaul how they use and store that information.

“Regulations are tightening in respect to third-party risk monitoring and assurance,” says McKenna from SecurityScorecard. “As an example, GDPR requires organizations to continuously monitor and understand third-party risk related to data privacy.”

The EBA’s focus on concentration risk is designed to ensure firms are not becoming overly dependent on the functioning of certain key entities. Cloud services such as Azure and AWS are under particular scrutiny by regulators, as banks and financial market utilities such as clearing houses outsource important functions to them.

Deutsche Börse, one of the world’s largest exchange groups, recently signed a deal with Microsoft, acknowledging that the deal allowed it to place services into the cloud that were “typically considered essential” for firms’ core businesses. The Options Clearing Corp has started a multi-year project to modernize business processes, including using the public cloud.

Cyber risk ratings could offer a way of sourcing information about fourth parties as companies adapt to the stringent new guidelines. It is unclear if firms will be able to negotiate rights of access to information on fourth parties, as required by the guidelines, according to Deutsche Bank’s Downing: “It’s something the industry is working on with vendors.”

“It is quite difficult to ask for third parties to grant us audit and access rights for fourth parties,” he adds. “It is still being debated as to what exactly the EBA guidelines mandate when it comes to fourth-party risk management.”

Data crunch

Third-party risk has a broader scope than the outsourcing of tech services. Large financial firms connect with many service providers that are not bound by outsourcing contracts and may be reluctant to divulge vital information.

William Moran, chief risk officer for technology at Bank of America, recently said important financial market utilities such as central counterparties often would not answer questions about their cybersecurity arrangements.

“They either won’t participate at all – that is, they won’t answer your questions – or they won’t let you do an on-site [inspection], or they basically cherry-pick which questions they want to answer,” he said at the Risk USA conference in New York in November.


Regulators that usually have privileged access to company information “don’t tend to be very responsive about what they’re doing in terms of cyber”, he added.

“I think the notion of having single, independent groups trying to evaluate vendors for things like cyber is good,” he said.

While the principle of cyber ratings may sound persuasive, successful application of the concept is a different matter. For rating firms that track hundreds of thousands of companies continuously, providing a consistent level of analysis on the data scraped from the internet is crucial. Some suggest the ratings firms are not always successful in this regard.

“The level of much of the detail provided by these services is quite good,” says Forde of Allied Irish Bank. “I think the challenge is you can’t use all these services in the same way. Some of the cyber risk ratings apply a very good layer of analysis to the data they gather, providing accurate conclusions. But the data analysis of some providers can be of low quality, so can’t be used as a decision point in a risk assessment.”

James Tedman, a partner at ACA Aponix, an operational risk advisory firm in London, agrees that the concept of cyber risk ratings is valid, but says there will always be gaps in the coverage these kinds of firms offer.

“An ‘outside-in’ approach is a useful complement to questionnaires in assessing and monitoring vendor risk,” he says. “However, you can only get to a subset of risk by using these cyber risk monitoring services.”

Tedman adds that a real-time service based on data will not offer insight into more qualitative factors such as the level of staff awareness of cyber issues in a firm, or how susceptible the company is to a fourth party with access to the network.

“These are the sort of risks that cannot be captured from the outside, and require on-site risk assessments or questionnaires,” he says.

In other words, firms would be foolish to rely solely on external ratings for a complete picture of third-party cyber risk. Banks may need to devise internal processes to complement the information gleaned from ratings. Deutsche Bank is doing so with its protective intelligence unit that looks through news items to determine threat levels from vendors. The bank is working to better link this function with what it calls a “vendor criticality matrix”, which tabulates the systemic importance of third parties to the firm.

“There is a broader industry push to both use third-party services that help banks monitor vendors, but also to develop internal systems that follow news items about those vendors,” says Downing.

Third-party risk encompasses much more than a cyber risk rating can cover. Take, for example, the reputational risk that may affect a firm if it uses a vendor with poor working conditions. In other areas of tech, such as manufacturing, companies have faced public criticism over employment practices – Taiwanese firm Foxconn a prominent example.

To get a complete view of vendors, firms will have to employ a mix of oversight strategies, of which cyber risk rating firms are one element. The machines are not quite ready to take over yet.

Correction, November 12, 2019: An earlier version of this article stated that the Office of the Comptroller of the Currency was working on a project to modernize business processes, whereas the Options Clearing Corporation is the organization concerned. The article has been corrected.

Additional reporting by Tom Osborn
