How to Define Your Cyber Risk Appetite & Hold Vendors to the Threshold

cyber risk appetite
Written by Kaitlyn Graham

As cyberattacks surge, you’re charged with protecting your organization’s expanding digital footprint. But what about the risk posed by vendors?

It’s estimated that 60% of organizations now work with more than 1,000 third parties. If not properly vetted, these companies can expose your organization to risk.

But evaluating each vendor – before and throughout the relationship – is a task often dreaded by security and legal teams because of the time and effort required by this vital due diligence.

It doesn’t have to be that way. Instead of stretching yourself thin trying to manage every third-party vulnerability, you can save time and resources by prioritizing risk management based on your cyber risk appetite.

What is cyber risk appetite? 

Cyber risk appetite is defined as the amount of risk your organization is willing to accept as it pursues its objectives. Defining your risk appetite matters because it helps executives make informed and confident decisions about who you do business with and how and where security resources are allocated. It also drives more efficient risk management.

Let’s look at five ways you can define your cyber risk appetite and hold your vendors to that threshold – without overburdening your security team.

1. Establish an acceptable vendor risk threshold

One way to establish the risk you're willing to take with your vendors in a consistent and uniform way is through a security rating. Bitsight Security Ratings, which range from 250 to 900, provide an objective, external metric of a vendor’s cybersecurity posture. These ratings can be used to set an acceptable risk threshold that a third-party must achieve to be considered during the selection process. If a vendor falls below a set threshold, you can save time and effort by focusing instead on companies that have robust security controls in place. 

To further define a risk threshold, consider tiering your vendor pool based on their risk and criticality to the business. For example, a payroll provider with access to sensitive data would be classified a top-tier vendor and held to a higher standard of security performance. However, a food service company would belong in a lower tier with a less stringent risk threshold.

Tiering requires consultation with your legal, finance, and compliance teams, but you can fast-track the process using Bitsight’s tier recommender service. The service uses tiering best practices and provides a suggested tier for each vendor determined by the nature of the third-party and the risk they pose.

2. Implement risk-based procurement and onboarding policies

When you tier your vendors, you can then implement procurement and onboarding policies for vendors that fall into specific tiers. Doing so will allow your security team to handle the onslaught of new vendors without the heavy lifting of conducting a one-size-fits-all vendor security assessment of each.

For instance, you may implement a policy requiring top-tier third parties to complete a lengthy security assessment followed by an on-site visit. In contrast, lower-tier vendors may only need evaluating if they have a history of a breach.

You can also use Bitsight Security Ratings to further prioritize which vendors need the most attention in accordance with your cyber risk appetite. You may decide, for example, that the assessment process for vendors with a high security rating may not need to be as rigorous, while the process for vendors with lower ratings must be more thorough.

Once you have established this threshold, collaborate with legal to devise policies and enforceable contract language, such as cybersecurity SLAs that stipulate that a vendor’s security rating cannot dip below a pre-agreed threshold during the contract term. 

4. Monitor vendors continuously

Cybersecurity due diligence doesn’t begin and end once the contract is signed. Use Bitsight for Third-Party Risk Management to keep a finger on the pulse of your vendors' changing cyber risk profiles throughout the remainder of your partnerships.

With Bitsight, you can establish the appropriate level of continuous monitoring based on a vendor’s closeness to sensitive company data. You can also set alerts for when a vendor’s rating changes and create rules that define when a vendor risk reassessment is required.

Continuous Monitoring eBook

Learn how to adapt to the continuously changing risk environment with an efficient, continuous risk monitoring strategy.

5. Revisit your cyber risk appetite

Lastly, be prepared to revisit your organization’s cyber risk appetite. As threats evolve and business objectives change, you must continually understand the risks your organization is exposed to and which are acceptable.

Set a timeline for when stakeholders will next discuss this moving target. It could be a triggering event, like a data breach in your vendor portfolio or the launch of a new product line that requires new partnerships be formed. Use this up-to-date understanding to inform your third-party risk management program and how your security priorities and policies must evolve.