How a Fortune 500 Automotive Aftermarket Retailer Solves Third-Party Risk Challenges with OneTrust Vendorpedia™ + BitSight Security Ratings
Organizations are putting their vendors under a microscope as regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and others increase the potential liability surrounding third-party data privacy. However, reducing third-party risk while simultaneously keeping detailed records for compliance is a daunting task. Additionally, supplier decision making now takes place at the senior executive level, so cyber risk is becoming a board-level initiative for the business. To manage this risk, proper security and privacy controls must be put in place, and IT, Security, Privacy, Legal, and the other business units of an organization must work together to hold vendors accountable.
To solve these complex challenges, companies around the world use OneTrust Vendorpedia in combination with BitSight, the standard in security ratings, for increased automation, vendor prioritization, better visibility, and enhanced monitoring capabilities.
For one Fortune 500 automotive aftermarket retailer, the Vendorpedia and BitSight integration was the right combination to support their 2,500+ vendor landscape and a growing list of third-party risk management challenges.
How OneTrust Vendorpedia Helps
By implementing OneTrust Vendorpedia’s centralized third-party risk management platform, the retailer can leverage aggregated research for vendor due diligence, identify and mitigate associated vendor risks or breach-related incidents, and link vendors to multiple engagements, IT systems, and business processes, all while offloading assessment-related work and maintaining regular vendor oversight. With Vendorpedia, the retailer’s third-party risk management team can collaborate with business owners in real time, using a single system of record for internal and external third-party vendors and business operations.
How BitSight Security Ratings Helps
By incorporating BitSight Security Ratings as a data-driven and dynamic measurement of cybersecurity performance, the retailer can make confident decisions based on a material and validated view. With the ability to make these informed decisions, the retailer is able to drive operational efficiency and risk reduction across their existing workflows, for example by validating vendor responses during the due diligence process so that limited resources are used more efficiently.
“It is essential, with over 2,500 vendors in our ecosystem, that the business be engaged in helping the third-party risk team maintain a centralized database of information, but it isn’t a guarantee of our success. So, what’s the next step? Having the confidence to make faster, more strategic third-party risk management decisions, so we can not only onboard vendors quickly, but still ensure that we are conducting sufficient and adequate data privacy and security risk assessments to both maintain customer trust and compliance,” said the retailer’s Third-Party Risk Manager.
How Vendorpedia and BitSight’s Integration Works
Along with the Vendorpedia platform, the retailer wanted the integrated value of security ratings to improve their efficiency and risk reduction efforts. By adding immediate risk data about their vendors’ security posture, they were able to help the organization make more transparent and rapid third-party risk management decisions. This is where the OneTrust Vendorpedia and BitSight Security Ratings integration came into play.
The retailer leverages BitSight to gain a better understanding of third-party risks and monitor changes as new risks arise, such as when systems are compromised. These ratings enhance the retailer’s decision-making capability related to assessment depth, risk prioritization, as well as informing purchase decisions.
With the Vendorpedia and BitSight integration, the retailer can seamlessly (and securely) exchange data insights between both platforms while maintaining a consistent and up-to-date vendor inventory that serves as a single source of truth for all third-party risk management operations. The retailer uses BitSight to identify a third party’s risks, while adding context to each vendor by tracking processing activities and operations in the Vendorpedia platform. Leveraging the integration, the retailer can automate vendor lifecycle actions, flag risks, trigger reassessments and track mitigation efforts in the event a third party’s BitSight Security Rating changes.
“Vendorpedia and BitSight’s integration not only automates what was once an increasingly complex and time-consuming third-party risk management process, but it helps visually demonstrate third-party cyber risk in a way that senior executives and board members can easily digest,” added the retailer’s Third-Party Risk Manager. “The ability to overlay BitSight Security Ratings on Vendorpedia’s lineage diagrams has opened up more conversations about enterprise risk management, which will positively influence all vendor-related operations.”
Unique Value for Third-Party Risk Use Cases
Real-life scenarios where the Vendorpedia and BitSight integration worked in practice for this retailer include:
Scenario 1: The Third-Party Provided Inconclusive Evidence
- Problem: A long-term, local vendor’s contract was up for renewal, and the vendor had a BitSight Security Rating that indicated a high level of risk. Additionally, the vendor was unable to provide evidence that they were adhering to the retailer’s security best practices, including a remediated penetration test and a SOC 2 (third-party) application assessment.
- Outcome: Utilizing the Vendorpedia system of record in combination with BitSight’s Security Rating, the retailer weighed the vendor’s rating against their inability to provide the assessment documentation that is standard for a retailer of this size. This was the first case in which the retailer held an enterprise-level conversation with members of their leadership and Legal teams about the privacy and security risk of a vendor. Ultimately, the third-party risk team recommended renewing the vendor while including risk mitigation language within the contract. Furthermore, BitSight was leveraged not only to continuously monitor this vendor, but also to drive ongoing remediation that raised the vendor’s cybersecurity rating.
Scenario 2: The Third-Party Provided No Evidence
- Problem: A vendor was unable to supply any privacy or security assessment information; however, the vendor’s niche offering made it advantageous to onboard.
- Outcome: The Vendorpedia platform and the vendor’s BitSight Security Rating allowed the retailer to demonstrate a level of due diligence from a legal perspective. This was the first example of an exception process in which the retailer’s leadership team weighed the vendor’s rating against the cost of not implementing the vendor and determined they should move forward with onboarding.
Scenario 3: A Third-Party Breach was Discovered
- Problem: The retailer was conducting discovery on its existing CRM vendors because it was looking to implement a third one. During discovery, the third-party risk team pulled a Vendorpedia report comparing the existing vendors’ use cases and BitSight Security Ratings against the prospective vendor. In doing so, the retailer discovered that an existing vendor had suffered a 100-point decrease in its BitSight Security Rating due to a breach that had not been proactively reported to the retailer.
- Outcome: Vendorpedia and BitSight jointly suggested remediation options, and the retailer worked with the business owner, the existing vendor, and its own information security team to understand what happened, the impact, and the next steps for remediation, so that the vendor could remain onboarded.
Scenario 4: Third-Party Vulnerabilities during an RFP
- Problem: While evaluating vendors during the RFP process, the retailer’s third-party risk and executive management teams pulled a report from Vendorpedia to review each option and narrow the field. The third-party risk team recommended moving forward with the two options that had the highest (that is, lowest-risk) BitSight Security Ratings. A few days after giving this recommendation, the retailer received a notification that the parent company of one of these vendors had suffered a breach and that its BitSight rating had dropped. This highlighted an area for improvement within the vendor selection process.
- Outcome: Initially, the retailer eliminated all but two of the prospective RFP vendors based on their BitSight ratings and their ability to provide specific documentation, which saved time and effort during the evaluation process. Because one of these vendors had experienced a breach, the retailer required a Vendorpedia risk assessment before moving forward with the evaluation.
The Retailer’s Key Takeaways
By leveraging OneTrust Vendorpedia and BitSight, this retailer is making third-party risk management a more fundamental aspect of its business operations. Not only can the retailer evaluate vendors in a more automated and efficient manner, but its business units are more engaged in the third-party risk management process, which will continually raise the overall quality of the program and drive down risk across its portfolio of vendors.
“From a tactical level, our company implemented Vendorpedia and BitSight to better position ourselves against regulations like PCI DSS, GDPR, and CCPA; however, the gains we’ve made with these technology solutions far surpass compliance,” concluded the retailer’s Third-Party Risk Manager. “Now we are more empowered than ever to leverage our third-party risk management operations as a competitive advantage and a key to building on our enterprise risk program.”