
Exclusive: Blackstone-Backed Network for Cyber Risk Launches Today

By Jeff John Roberts, Editor, Finance and Crypto
March 8, 2017, 10:40 AM ET

Financial firms have long used rating agencies like Moody’s or S&P to judge the risk of bonds. Now, companies that face risk from cyber attacks—which these days is almost everyone—have a tool to do the same.

On Wednesday, CyberGRX unveiled a platform that acts as a clearinghouse for cyber risk. Developed by a group of blue chip security pros from companies like Blackstone and Aetna, CyberGRX promises to make the process of flagging cyber dangers posed by vendors dramatically more efficient.

The risk posed by vendors has been top of mind for many companies ever since the infamous hack on Target (TGT) in 2013, which saw attackers compromise the computer systems of Target’s HVAC supplier in order to steal credit card information from 40 million customers.

According to Jay Leek, the former chief security officer of Blackstone, the idea for a clearinghouse came about because companies spend enormous amounts of time filling out checklists to assess the security risks posed by their vendors. Many of Blackstone’s portfolio companies, for instance, were all conducting the same compliance tests to see if vendors—which can include anyone from software giants like Salesforce (CRM) or Workday (WDAY) to catering companies—had programs in place to defend against cyber-attacks.

This process, says Leek, resulted in a lot of duplicated efforts and security officers spending their time on checklists rather than on mitigating cyber dangers.

In response, Leek and others decided the right approach was to build what they call a “third party global cyber risk exchange” that will let companies assess vendors in the same way banks rely on ratings agencies to assess bonds. Leek likens it to performing cyber-risk assessment with a TurboTax-style method rather than doing it by hand.

“The inherent efficiency of the CyberGRX Exchange eliminates the waste in today’s approach—largely based on sharing spreadsheets—in a way no one in the market does. For the first time, companies will know which of their third parties pose the greatest risk to their organizations,” says Fred Kneip, CyberGRX CEO.

The process has been in the works since last year when CyberGRX raised $9 million from investors that include Allegis Capital, Blackstone, TenEleven Ventures, Rally Ventures, GV (formerly Google Ventures), and MassMutual Ventures.

The building process has relied on what CyberGRX calls its “design partners,” such as Aetna, and their existing dossiers of tens of thousands of vendor reports.

Now, the tool is ready for primetime as CyberGRX (GRX is for global risk exchange) invites other companies to take part. Here is how CyberGRX described it in a release announcing the news:

Built in partnership with chief security and risk officers from Aetna, Blackstone, MassMutual, ADP and other large companies with a combined network of more than 40,000 companies in their digital ecosystems, the CyberGRX Exchange brings together enterprises and their third parties and creates massive efficiency to a process that has largely been driven by sharing spreadsheets and trusting unvalidated self-assessments.

While the plan will provide a way for big companies to speed up their cyber risk assessments, it will also help hundreds of thousands of vendors who currently must wait for a cyber seal-of-approval before they can start providing their services.


As for the risk assessments the platform provides, those are compiled from the reports provided by the member companies but also from a host of outside signals. These include threat reports from security companies as well as news reports from Thomson Reuters and others.

The other advantage of the service, according to CyberGRX, is that it will continually update the security profiles of all the companies on the exchange. This means companies will no longer need to rely on an annual checklist system to confirm a vendor can still be trusted.

The idea for a cyber risk clearinghouse is not a new one. According to Leek, S&P tried unsuccessfully to come up with such a service way back in 2006. Goldman Sachs (GS), meanwhile, tried to create a risk standard with Moody’s in 2008 but was likewise unable to pull it off.

If CyberGRX is a success, its backers say the service could save companies billions in legal and compliance costs, and allow security executives to devote far more time to threat mitigation rather than bureaucratic measures.

The new service may also jumpstart the market for cyber-insurance, which has been expanding in light of the ongoing number of high profile data breach incidents. But that market is far from mature—in large part because of a lack of information on how to price cyber risk.

(This story has been corrected to say the Goldman Sachs-Moody’s venture took place in 2008, not 2015)

About the Author

Jeff John Roberts is the Finance and Crypto editor at Coins2Day, overseeing coverage of the blockchain and how technology is changing finance.
