Posted In: Business Transactions & Corporate Counseling, Cybersecurity & Data Privacy
Corporate TIPS Blog: Managing Cybersecurity Risk in Your Supply Chain
By Craig S. Horbus on July 10, 2019
“By 2022, cybersecurity ratings will become as important as credit ratings when assessing the risk of business relationships.” – Gartner Innovation Insight.
Globalization and an increasingly interconnected supply chain have broadened the third-party risk landscape to include growing cybersecurity threats. In fact, just last month, Quest Diagnostics, one of the largest blood testing providers in the nation, warned that nearly 12 million of its customers may have had their financial and medical information breached due to an issue with one of its vendors. With new liabilities on the horizon, organizations must focus on supply chain risk management.
Ascertaining a vendor’s security rigor and looking for indications of cyber risk in your supply chain network is no easy feat. Yet, without this insight, it’s impossible to address, quantify, and mitigate cyber risk.
Security ratings can be effective in identifying risky vendors and supply chain vulnerabilities. These ratings are the cybersecurity equivalent of a credit score, presented in an easy-to-understand manner and backed by data that correlates to potential security incidents and context. Like credit scores, security ratings are based on a scoring system (ranging from 250 to 900). The higher the score, the less risk the vendor poses. According to BitSight, a cybersecurity ratings company, organizations with a security rating of 500 or lower are five times more likely to be breached than those with a rating of 700 or higher.
Tier 1 or 2 suppliers may balk at an end customer poking around in their supply chain network looking for indications of cyber risk. Security ratings can be especially useful for managing cyber risk in these supply chain interactions, where transparency has historically been lacking. Because the ratings rely on externally observable events or trends, it becomes much easier to get around proprietary data restrictions that limit visibility into the security posture of each link in your supply chain.
Last year, 59% of breaches originated with third-party vendors. [1] Implementing a third-party risk management program that utilizes security ratings can help you scale your monitoring of third parties and mitigate cybersecurity risk in your supply chain.
[1] https://www.marketwatch.com/press-release/opus-ponemon-institute-announce-results-of-2018-third-party-data-risk-study-59-of-companies-experienced-a-third-party-data-breach-yet-only-16-say-they-effectively-mitigate-third-party-risks-2018-11-15
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this Blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this Blog. © 2023 Brouse McDowell. All rights reserved.