How a Fortune 500 Automotive Aftermarket Retailer Solves Third-Party Risk Challenges with OneTrust Vendorpedia™ + BitSight Security Ratings
How a Fortune 500 Automotive Aftermarket Retailer Solves Third-Party Risk Challenges with OneTrust Vendorpedia + BitSight Security RatingsDOWNLOAD PDF
How a Fortune 500 Automotive Aftermarket Retailer Solves Third-Party Risk Challenges with OneTrust Vendorpedia + BitSight Security Ratings
Organizations are putting their vendors under a microscope as regulations like the Payment Card Industry Security Standards (PCI DSS), EU’s General Data Protection Regulation (GDPR), California’s Consumer Privacy Act (CCPA) and more increase potential liability surrounding third-party data privacy. However, the complexity of reducing third-party risk while simultaneously keeping detailed records for compliance is a daunting task. Additionally, supplier decision making now takes place at the senior executive level, so cyber risk is becoming more of a board-level initiative for the business. To streamline this risk, proper security and privacy controls must be put in place, and IT, Security, Privacy, Legal, and other business units of an organization must work together to hold vendors accountable.
To solve these complex challenges, companies around the world use OneTrust Vendorpedia in combination with BitSight, the standard in security ratings, for increased automation, vendor prioritization, better visibility, and enhanced monitoring capabilities.
For one Fortune 500 automotive aftermarket retailer, the Vendorpedia and BitSight integration was the right combination to support their 2,500+ vendor landscape and a growing list of third-party risk management challenges.
How OneTrust Vendorpedia Helps
By implementing OneTrust Vendorpedia’s centralized third-party risk management platform, the retailer can leverage aggregated research for vendor due diligence, identify and mitigate associated vendor risks or breach-related incidents, link vendors to multiple engagements, IT systems, and business processes, all while offloading assessment-related work and maintaining regular vendor oversight. With Vendorpedia, the retailer’s third-party risk management team can work alongside business owners to collaborate in real time, using a single system of records for internal as well as external third-party vendors and business operations.
How BitSight Security Ratings Helps
By incorporating BitSight Security Ratings as a data-driven and dynamic measurement of cybersecurity performance, the retailer can make confident decisions based on a material and validate view. With the ability to make these informed decisions the retails is able to drive operational efficiency and risk reduction across their existing workflows. For example, to validate vendor responses during the due diligence process to allow for a more efficient use of limited resources.
“It is essential, with over 2,500 vendors in our ecosystem, that the business be engaged in helping the third-party risk team maintain a centralized database of information, but it isn’t a guarantee of our success. So, what’s the next step? Having the confidence to make faster, more strategic third-party risk management decisions, so we can not only onboard vendors quickly, but still ensure that we are conducting sufficient and adequate data privacy and security risk assessments to both maintain customer trust and compliance,” said the retailer’s Third-Party Risk Manager.
It is essential, with over 2,500 vendors in our ecosystem, that the business be engaged in helping the third-party risk team maintain a centralized database of information, but it isn’t a guarantee of our success. So, what’s the next step? Having the confidence to make faster, more strategic third-party risk management decisions, so we can not only onboard vendors quickly, but still ensure that we are conducting sufficient and adequate data privacy and security risk assessments to both maintain customer trust and compliance.
How Vendorpedia and BitSight’s Integration Works
Along with the Vendorpedia platform, the retailer wanted the integrated value of having security ratings to improve their efficiency and risk reduction efforts. By adding immediate risk data about their vendors’ security posture they were able to help the organization make more transparent and rapid third-party risk management decisions. This is where the OneTrust Vendorpedia and BitSight Security Ratings integration came into play.
The retailer leverages BitSight to gain a better understanding of third-party risks and monitor changes as new risks arise, such as when systems are compromised. These ratings enhance the retailer’s decision-making capability related to assessment depth, risk prioritization, as well as informing purchase decisions.
With the Vendorpedia and BitSight integration, the retailer can seamlessly (and securely) ingest data insights between both platforms while maintaining a consistent and up-to-date vendor inventory that serves as a single source of truth for all third-party risk management operations. The retailer uses BitSight to identify a third party’s risks, while adding context to each vendor by tracking processing activities and operations in the Vendorpedia platform. Leveraging the integration, the retailer can automate their vendor’s lifecycle actions, flag risks, trigger reassessments and track mitigation efforts in the event a third party’s BitSight Security Rating changes.
“Vendorpedia and BitSight’s integration not only automates what was once an increasingly complex and time-consuming third-party risk management process, but it helps visually demonstrate third party cyber risk in a way that senior executives and board members can easily digest,” added the retailer’s Third-Party Risk Manager. “The ability to overlay BitSight Security Ratings on Vendorpedia’s lineage diagrams has opened up more conversations about enterprise risk management which will positively influence all vendor-related operations.”
Vendorpedia and BitSight’s integration not only automates what was once an increasingly complex and time-consuming third-party risk management process, but it helps visually demonstrate third party cyber risk in a way that senior executives and board members can easily digest. The ability to overlay BitSight Security Ratings on Vendorpedia’s lineage diagrams has opened up more conversations about enterprise risk management which will positively influence all vendor-related operations.”
Unique Value for Third-Party Risk Use Cases
Real life example scenarios where the Vendorpedia and BitSight integration worked in practice for this retailer include:
Scenario 1: The Third-Party Provided Inconclusive Evidence
- Problem: A long-term, local vendor’s contract was up for renewal and had a BitSight Security Rating which indicated a high-level of risk. Additionally, the vendor was unable to provide evidence that they were adhering to the retailer’s security best practices including a remediated Penetration Test and SOC2 (3rd Party) Application assessment.
- Outcome: Utilizing the Vendorpedia system of records, in combination with BitSight’s Security Rating, the retailer evaluated the vendor’s rating against their inability to provide standard assessment documentation for a retailer of their size. This was the first successful case where the retailer had an enterprise conversation with members of their leadership and Legal teams about the privacy and security risk of a vendor. Ultimately, the third-party risk team made recommendations to renew their vendor while including recommended language for risk mitigation within the contract. Furthermore, BitSight was leveraged to not only continuously monitor this vendor, but to engage in perpetual remediation, driving their cybersecurity rating up.
Scenario 2: The Third-Party Provided No Evidence
- Problem: A vendor was unable to supply any privacy or security assessment information, however the niche offering of the vendor made it advantageous to onboard.
- Outcome: The Vendorpedia platform and the vendor’s BitSight Security Rating allowed the retailer to demonstrate a level of due diligence from a legal perspective. This was the first example of an exception process where the retailer’s leadership team leveraged the vendor’s rating against the cost of not implementing the vendor and determined they should move forward with onboarding.
Scenario 3: A Third-Party Breach was Discovered
- Problem: The retailer was conducting discovery on an existing CRM vendor because they were looking to implement a third one. During discovery, the third-party risk team pulled a Vendorpedia report comparing the existing vendors use cases and BitSight security ratings against the prospective vendor. In doing so, the retailer discovered an existing vendor had suffered a 100 point decrease in their BitSight Security Rating due to a breach which was not proactively reported to the retailer.
- Outcome: Vendorpedia and BitSight jointly suggested remediation options and the retailer worked with the business owner and existing vendor, as well as their InfoSecurity team, to understand what happened, the impact, and next steps for remediation, so the vendor could stay onboarded.
Scenario 4: Third-Party Vulnerabilities during an RFP
- Problem: While evaluating vendors during the RFP process, the retailer’s third-party risk and executive management teams pull a report from Vendorpedia to review each option and narrow considerations. The third-party risk team made a recommendation to move forward with the two options that had the highest, lowest risk, BitSight Security Rating. A few days after giving this recommendation, the retailer received a notification that one of these vendor’s parent companies had a breach and the BitSight score dropped. This highlighted an area for improvement within the vendor selection process.
- Outcome: Initially, the retailer eliminated all but two of the prospective RFP vendors based on their BitSight ratings as well as their ability to provide specific documentation. This saved time and effort spent during the evaluation process. Because one of these vendors had a breach, the retailer required a Vendorpedia risk assessment to move forward with the evaluation process.
The Retailer’s Key Takeaways
By leveraging OneTrust Vendorpedia and BitSight, this retailer is making third-party risk management a more fundamental aspect of their business operations. Not only can the retailer evaluate vendor’s in a more automated and efficient manner, but their business units are more engaged in the third-party risk management processes, which will continually elevate the overall quality and drive down risk across their portfolio of vendors.
“From a tactical level, our company implemented Vendorpedia and BitSight to better position ourselves against regulations like PCI DSS, GDPR, and CCPA, however the gains we’ve made with these technology solutions far surpass compliance,” concluded the retailer’s Third-Party Risk Manager. “Now we are more empowered than ever to leverage our third-party risk management operations as a competitive advantage and a key to building on our enterprise risk program.”
From a tactical level, our company implemented Vendorpedia and BitSight to better position ourselves against regulations like PCI DSS, GDPR, and CCPA, however the gains we’ve made with these technology solutions far surpass compliance. Now we are more empowered than ever to leverage our third-party risk management operations as a competitive advantage and a key to building on our enterprise risk program.
In July 2020, the CJEU’s Schrems II judgment invalidated the EU-US Privacy Shield and required additional safeguards when using standard contractual clauses (SCCs) to transfer personal data from the EU to non-EU/EEA third countries. As a result, many organizations had to find alternative mechanisms to lawfully transfer personal data and evaluate the level of data protection in third countries. Since then, organizations have eagerly waited for the European Data Protection Board (EDPB) to provide clarity in its final Schrems II recommendations on supplementary measures for international personal data transfers. On June 18th, the EDPB released that guidance.
The EDPB’s recommendations outline a six-step roadmap to ensure the lawfulness of personal data transfers and describe specific technical, contractual, and organizational measures data exporters and data importers should consider implementing to ensure that transferred personal data enjoys an essentially equivalent level of data protection as that guaranteed in the EU.
So, what does this mean for your vendor risk management strategy? In this 30-minute webinar, we’ll discuss practical steps for adapting your vendor risk management strategy to meet the EDPB’s guidance. This will include:
- Overview of the six-step roadmap for international personal data transfers
- Key aspects to consider for assessing a third-country’s level of personal data protection
- How to evaluate and adopt supplementary measures for personal data transfers
- Next steps for your vendor risk management program
Expert Panel: How Do You Answer Security Questionnaires?
With recent security incidents (such as the SolarWinds cyberattack), many organizations have seen an uptick in the amount of security questionnaires they receive. This raises an important question: How do you answer security questionnaires? When considering your response, there are many more challenges than what your answers actually say. And while the answers themselves are a critical piece of the puzzle, the operational aspect is where you will find the most ROI. There are endless opportunities to be more efficient by building automated workflows that save time, speed up responses, and keep your sales teams selling – all while building more trust with your customers.
In this webinar, we’re bringing together a panel of industry experts who have spent years streamlining questionnaire response processes for their organizations. Our panelists will discuss how to:
- Intake and organize requests for questionnaire completion
- Build and automate questionnaire response workflows
- Develop unique answer libraries for different types of questionnaires
- Implement version control to keep answers up to date
- Reduce the need to answer custom questionnaires with proactive outreach