Vendor Risk Management is essential to containing an organization’s risk exposure. Beyond reputational damage, data breaches can have significant financial consequences, with GDPR-related fines exceeding $175 million USD in 2020 alone.
Leading organizations recognize that partnering with third-party vendors can put data outside the organization’s control. For AXA XL, it was imperative that they manage that risk, and mitigate the potential business impacts.
Monitoring the Supply-Chain
AXA XL is one of the leading insurance and reinsurance firms in the United States, with truly global reach, serving clients in over 200 countries and regions.
AXA XL works with thousands of unique third-party vendors, each with their own purpose and responsibility for company assets.
Artea (Tia) Evans, Information Security Specialist at AXA XL, faces a daunting challenge. She is responsible for managing and tracking all of the third-party vendors in AXA XL’s network and makes strategic decisions when entering new business partnerships.
Tia was quick to discern that without comprehensive and actionable data, making those strategic decisions would be near impossible. The tools at her disposal could only monitor a fraction of her supply chain, and she knew that there were certain vendors that were processing sensitive AXA XL assets.
She needed an encompassing view of the organization’s risk exposure and a way to easily digest that information and report her findings to her management team.
Tia needed comprehensive data and technical flexibility that allowed for a “single pane of glass” where she could view every vendor relationship and manage them in real time.
“We tried to build one page where you can look at a supplier and see all aspects of the relationship. What are we hiring them for? What kind of data do they have in their environment? It was too much. There were too many and I didn’t even have fractions of our suppliers in our systems. I had to make sure that we had continuous monitoring.” – Artea (Tia) Evans, Information Security Specialist at AXA
A Single Pane of Glass
Cyber Risk Analytics (CRA) is the standard for data breach intelligence, risk ratings and supply chain monitoring. It is the most comprehensive record of data breaches occurring worldwide, and includes rich metadata with up to 68 attributes such as known court costs, lawsuits, and involved third parties. The data contained within CRA, together with its powerful features, allows AXA XL to achieve continuous monitoring of their supply chain and perform vendor due diligence and performance auditing.
“Risk Based Security has given me something no one else has been able to. Cyber Risk Analytics enables us to continually monitor the risks and vulnerabilities of our third-party supply chain involving the security of our assets. It has allowed us to take breach intelligence and translate that into dollars when negotiating.”
Combining Data Breach and Vulnerability Intelligence
In her pursuit of achieving continuous monitoring of her vendors, Tia combined PreBreach, a unique CRA feature, with research from Risk Based Security’s VulnDB® product, marrying data breach and vulnerability intelligence to provide deeper insight into AXA XL’s risk profile.
PreBreach solves the impracticality of formal audits and check-box assessments by providing organizations like AXA XL the ability to make informed risk decisions about current and potential suppliers, clients, partners, acquisition targets, and more. The tool continuously inspects the public domains of AXA XL’s vendors, and generates risk profiles based on over 1,000 security attributes, 55,000 data breaches, and 287,000 software vulnerabilities.
“On a one to ten scale, Risk Based Security’s support team is an eighteen. I’ll come to RBS and say, I have an idea, and they make it happen.”
Better Data Saves Time and Money
Armed with this better data, Tia’s team has been able to repeatedly meet their targets, and the effectiveness of their third-party review process has enabled them to stand out among the AXA group.
“Historically, security was a process inhibitor. Now, we walk arm-in-arm with the business. I want them to make money, but I want them to be secure and not incur financial breakage. We want to avoid bad business arrangements and that is what CRA helps us do.”
The comprehensive data provided by CRA offers Tia proactive visibility into all of her third-party vendors who host or handle AXA XL’s digital assets. CRA monitors over 114,000 organizations, and contains details on over 4.7 billion compromised credentials and over 107 billion records exposed.