Case Study: Utilities

Cyber Risk is not Confined to your Organization’s Perimeter

Introduction:

This Resilience insurance client in the utility industry wanted to improve their third-party security. Their pre-existing security controls were strong, but they signed up for our Edge cyber risk solution to get an extra set of eyes on their vendor risk management protocols. They wanted to be sure they were making the most out of their security controls while building an effective third-party risk management plan.

Problem:

Resilience was tasked with building out this third-party risk management program from the bottom with an organization whose operations relied on several large vendors. Our team began by assessing the client’s most critical vendors and classifying them by IT-type solutions versus business solutions. Our security team needed to review all of the client’s existing vendors and their policies, establish a vendor questionnaire, brainstorm risk selection criteria, and provide foundational third-party risk management guidelines.

Solution:

The Resilience security team referenced the data we had collected and created a baseline standard for cybersecurity, privacy, and data governance for these vendors to adhere to.

The standards consisted of:

Vendor onboarding/offboarding process.
Security questionnaires or requirements.
Annual (or six-month) review process.
Contract language for targeted inclusions in contracts.

Using these criteria, our security experts devised and shared an actionable roadmap detailing the major objectives we hoped to achieve through the third-party risk management program. We produced a 70-question questionnaire with topics categorized into the appropriate CIS control groups and established prototype classification and identification of the client’s most critical third parties.

Results:

Through establishing a quantified action plan, we helped this organization contextualize their third-party risk and manage it with the same visibility and foundations as their internal risk. We shared this program with their CEO, board, and staff to help identify the needed changes and proposed language to include the third-party risk management program in existing policies. At renewal, they continued their engagement with Resilience’s Edge solution to further their security education and remain resilient against third-party threats.