In recent years, cyber-attacks have continued to grow in frequency and complexity unabated, causing adverse impact on organizations and their customers. The menace of ransomware has been dominating news headlines as cybercriminal gangs target organizations that possess sensitive information and technology assets leveraged to provide critical services to the broader community. From critical infrastructure to healthcare to governmental and educational institutions, the scourge of cyberattacks has left no sector safe. The adverse impacts of these attacks run the gamut from disrupting the delivery of critical services and resources to civilians, to compromising and exploiting national security secrets, to causing notable financial losses for businesses, to name a few.
To combat this trend, government and industry bodies have begun to escalate their efforts to enact broader countermeasures and frameworks that not only disrupt cyber criminal activities but elevate expectations from organizations to better secure and protect their assets. A key component of such initiatives is the ability to effectively and transparently assess and report on the cyber security posture of organizations in a manner that fosters greater accountability not only to their business partners and industry bodies but also to their customers.
The proposed challenge aims to solicit innovative solutions for better managing third party cyber risks (TPCR) with broader accessibility and more granular control over data shared with various groups. Establishing a representation of trust, security and privacy is at the core of such interactions. Lack of effective controls and processes around third party cyber risk management (TPCRM) can lead to system compromises, data breaches, and exposure of confidential information and PII. In order to protect the digital ecosystems connecting individuals, businesses and governments, a solution is required to optimize decision making with respect to third-party engagements and interactions.
The traditional approaches to TPCRM are primarily manual, inaccurate, non-scalable and incomprehensible. Despite various efforts to standardize vendor assessment and prioritize third party interactions, the following problems are still frequently encountered:
- Trust scores based on static snapshots of third-party controls and system configuration, with no dynamic, continuous metrics
- Timeliness and subjectivity of risk scores
- Risk classification
- Insufficient compliance-centric risk metrics on vendors
- Quantification of financial risk and monetary impact of vendor engagements
- Governance of TPCRM threat/assessment data exchange and sharing platforms