Third-Party Risk Management

Put your cyber risk expertise to the test! Take the quiz on third-party risk management and see what's fact or fiction.

Essentials of Third-Party Risk Management

Forrester Report: Take Control Of Vendor Risk Management Through Continuous Monitoring
How Automation is Transforming Third-Party Risk Management
Protecting Against Third-Party Breaches Requires Continuous Monitoring

Question 1 of 9

Third-party risk management is only necessary for companies with hundreds or thousands of third-party relationships.

Fact or Fiction?
Fiction!

The more third parties an organization has, the more likely it is that one of them will cause a data breach. But it only takes one.

Even if your immediate third parties don’t pose a direct risk, their third parties (your fourth parties) might. Security leaders must gain visibility into the flow of sensitive data among all third and fourth parties, and closely monitor every organization that comes in contact with it.


Question 2 of 9

Third-party risk management should be a Board-level initiative.

Fact or Fiction?
Fact!

TPRM is no longer just an IT department project.

A successful third-party risk management program has sponsorship from multiple departments, as well as support and involvement from the Board. In fact, Gartner estimates that by 2020, 75% of Fortune Global 500 companies will treat vendor risk management as a Board-level initiative.


Question 3 of 9

Compliance should be the primary goal of any good TPRM program.

Fact or Fiction?
Fiction!

Compliance should be one goal of your third-party risk management program, but not the primary goal.

Many industries and governments regulate third-party risk management, but just maintaining compliance doesn’t ensure the safety of your company's data. Regulatory standards typically reflect minimum acceptable standards of security, while truly effective TPRM requires going above and beyond.


Third-Party Risk Management in Action

Case Study: How Fannie Mae Uses BitSight to Assess & Monitor Third-Party Cyber Risk
Case Study: Cabela's Uses BitSight Security Ratings to Reduce Cybersecurity Risks
Video: Enabling Vendor Access in BitSight

Question 4 of 9

All cybersecurity resources should be allocated toward defending one’s own network.

Fact or Fiction?
Fiction!

Your own network could be 100% airtight, but without effective third-party risk management, your sensitive data will still be vulnerable.

Surveys indicate that many data breaches are caused by third parties. Deloitte reports that 1 in 5 organizations has experienced a third-party breach, and 1 in 10 has lost revenue as a result.


Question 5 of 9

A typical third-party security questionnaire could be 50% shorter and be just as effective.

Fact or Fiction?
Fact!

Third-party security questionnaires are often time-consuming and resource-intensive. As a result, many organizations are moving towards shared, streamlined questionnaires.

By supplementing these questionnaires with continuous monitoring data like BitSight Security Ratings, customers have been able to drastically reduce the number of questions they need to ask their third parties and decrease turnaround times.


Question 6 of 9

Organizations can’t really influence their third parties’ cybersecurity practices.

Fact or Fiction?
Fiction!

Security leaders have many techniques at their disposal to improve the cybersecurity of their third parties.

Writing security obligations into contracts is the strongest of these techniques, but having frequent data-driven conversations using security ratings and assessment results can also improve third-party performance. In fact, one BitSight customer was able to improve the security posture of more than half of their vendors in just 6 months by granting them access to the BitSight platform.


Making the Case for Security Ratings

Data Sheet: The Proven Business Value of Security Ratings
Video: How TransUnion Informs & Scales VRM with BitSight Security Ratings
Data Sheet: BitSight Security Ratings Correlate to Breaches

Question 7 of 9

It’s possible to always have an up-to-date view of a third party’s cybersecurity posture.

Fact or Fiction?
Fact!

BitSight Security Ratings are updated daily, allowing TPRM teams to continuously monitor every third party’s cybersecurity posture. This can make a big difference compared to traditional point-in-time risk assessment techniques.

For example, during the outbreak of the WannaCry ransomware attack, one BitSight customer was able to identify every affected third party in just one day.


Question 8 of 9

Security ratings do not reflect real-world security risks.

Fact or Fiction?
Fiction!

BitSight continuously updates its rating algorithm to reflect real-world security risk.

A company that has a BitSight Security Rating of 500 or lower is nearly 5x more likely to experience a data breach than a company with a rating of 700 or higher.


Question 9 of 9

All security ratings are the same.

Fact or Fiction?
Fiction!

Different security ratings measure different risk vectors, have different levels of consistency, and are delivered through different platforms.

For example, BitSight takes 23 risk vectors into account when computing security ratings, while other providers factor in 10 or fewer. In addition, BitSight has more than 1,200 customers monitoring and sharing ratings with 100,000 organizations. This level of engagement enables BitSight to provide more accurate and refined security ratings.


Fortify your third-party risk management program with BitSight Security Ratings.
