Exchanges in History: What Third Party Cyber Risk Management (TPRM) Programs Can Learn from the Past

Thursday, March 09, 2017

Scott Schneider


Modern risk exchanges, in which information gathered once is shared with many parties, as with credit ratings and medical records, trace their roots all the way back to the censuses of ancient Rome.

Starting in 485 BCE, the Roman Republic conducted a census every five years to identify voters, taxpayers, and men eligible for military service. When completed, the census information was transcribed onto wax tablets and stored in designated temples, and the results were shared among regional government officials, who used them to make important financial and military decisions. It was one of the earliest systems in which data was gathered, synthesized, stored, and disseminated for use by others.

Since then, governments, organizations, and businesses have relied on information gathered through exchanges to understand risks and make important decisions. Almost always, large-scale economic and societal transformations followed.

Let’s take a look at how exchanges have transformed two industries and how an exchange is transforming third party cyber risk management (TPCRM) programs.

CarFax

Buying a used car before 1984 was riskier than it is today. Dishonest vehicle owners and shady dealerships, intent on making an extra buck, would reduce a car's recorded mileage by disassembling the dashboard and rolling back the odometer. Instantly, the car was worth more. Short of noticing smudges, scratches, or misaligned odometer digits behind the dashboard glass, it was nearly impossible for a buyer to detect mileage fraud.

Enter Ewin Barnett III. In 1984, he set out to combat odometer fraud by faxing vehicle history reports, containing mileage records and accident reports, to car dealerships. From this concept he developed CarFax: a report on a specific vehicle could be faxed to a buyer or seller on request. The service sharply reduced the risk of buying a used vehicle and changed the way consumers shop for cars.

Today, CarFax tracks millions of vehicle identification numbers (VINs) and provides instant access to a vehicle's entire recorded history at the click of a button. With more than one million cars on the road with rolled-back odometers in 2017, buyers continue to depend on CarFax's exchange to make informed purchases.

Consumer Reporting Agencies

Before consumer reporting agencies used computers to calculate, store, and share credit scores, determining an individual's creditworthiness looked a lot like espionage.

The precursors of modern consumer reporting agencies date to the early 1800s, when groups of merchants began sharing lists of customers who did not pay their debts. After the Panic of 1837, these merchant groups established credit bureaus, and by the mid-1800s they were publishing credit ratings on individuals in quarterly or semiannual reports.

One of the largest credit bureaus in the US at the time was The Mercantile Agency. Headquartered in New York City, it employed about 10,000 agents to gather information on the three C's of credit: Character, Capital, and Capacity.

To gather information on a person's "Character," agents would interview any known associates, from coworkers to bellmen. Common questions covered drinking habits, church attendance, extramarital affairs, and personal hygiene. Lies and exaggerations were common, and a person's entire reputation could be destroyed by rumor.

To a lesser degree, local credit bureaus used similar methods to gather information on individuals until the Fair Credit Reporting Act of 1970. That law restricted what bureaus could collect and report, so creditworthiness could no longer rest on lifestyle information; "Character" gave way to "Credit Reputation," and credit bureaus had to change their methods.

It was around that time that the predecessors of today's Experian, Equifax, and TransUnion set themselves apart by using computers to calculate "credit reputation" from more reliable data.

This move transformed the entire credit reporting industry. Lenders had easy access to accurate credit scores. Credit bureaus obtained information at a fraction of the cost of hiring thousands of agents to investigate applicants. Individuals received faster decisions on credit card applications, and credit card companies gained more customers. The bureaus had created a much-needed nationwide exchange of individual credit information.

Today Experian, Equifax, and TransUnion are known as the "Big Three" credit reporting agencies, and over the past 30 years banks, lenders, and consumers have continued to rely on their exchange.

A Third Party Cyber Risk Exchange

Since the mid-1980s, industries have recognized the risks of outsourcing functions to third parties. Outsourcing let them grow their businesses faster, but they also had to be wary of the risks that accompanied this new agility.

One of the earliest mentions of third-party electronic data risk is in the OCC's Banking Circular 187. Written in January 1985, it outlined some of the risks of outsourcing data processing services to third parties. Since then, laws have increasingly required regulators to ensure that businesses manage third-party cyber risk.

Fast forward 32 years.

Outsourcing has become the backbone of many organizations, and third parties have become the lifeblood of outsourcing. In 2017 the average Fortune 500 company has over 20,000 vendors, as companies try to improve agility to stay ahead of market disruptors.

Yet this agility carries inherent risk. Cyber criminals have realized that the easiest path to a business's confidential information is often to ride in on the trusted connections of a weaker third party. Regulators have responded by requiring businesses to mitigate and manage these risks.

It is difficult enough for organizations to manage their own cyber risk. Now they must also manage the risk of their third-party ecosystem.

Most organizations rely on self-assessments, sent as spreadsheets, that essentially ask each third party, "How good are your cyber security controls? If you are breached, can you assure us it will not affect our company?" This method is expensive and time-consuming, and, worse, it does not work.

According to PwC's 2016 Global State of Information Security report, third-party contractors are the biggest source of security incidents after a company's own employees. So how do we solve this daunting challenge?

With an exchange that lets cyber risk assessment data be shared the way credit reports or CarFax reports are shared. It is a simple idea with a large impact.

An exchange would allow organizations of all sizes to share assessments at the click of a button, so that an assessment completed once can serve many assessing organizations. That improves efficiency while reducing third-party cyber risk.

Any TPCRM program built this way should benefit both sides: the assessing organization and the third party being assessed. It does so by providing automation and workflow that replace the phone calls, emails, and shared spreadsheets now used to keep track of third-party risk assessments.

While it is difficult to imagine a world without credit reporting agencies, there was a time when collecting financial credit data on every company to which an organization extends credit seemed an insurmountable challenge. Third-party cyber risk assessment faces a similar challenge today.

Organizations should spend less time collecting data and more time managing third-party risk.

Conclusion

Exchanges revolutionized decision making in buying cars and determining credit scores many decades ago. Since Roman times the concept has remained essentially the same:

  1. Gather Information
  2. Store Information
  3. Share Information
  4. Base decisions on Information

Throughout history, whenever organizations, governments, or industries have used an exchange to share information, great transformation has followed. Now, in 2017, is the time for an exchange to transform third-party cyber risk management programs.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
