Frequently Asked
Questions

Third-party cyber risk management describes the process where companies identify, assess, and mitigate the potential cyber security risks associated with the use of their external vendors or service providers. This usually involves ongoing evaluation and monitoring of security controls and practices of these third-party entities. But effective TPCRM doesn’t look the same for every organization.

myCYPR enhances TPCRM by giving organizations a choice in how they vet vendors, with multiple options for assessing and scoring each third-party in their network. myCYPR’s approach to TPCRM is also reciprocal, providing insight and dashboards to all parties involved, ensuring maximum insight and mutual improvement.

Vendor risk scoring quantifies the potential risk posed by third party vendors and service providers. Vendor scores can help organizations prioritize their risk management efforts, allocate resources effectively, and make informed decisions about their vendor relationships.

Each tier of assessment has multiple subcategories of focus. Results from each subcategory are weighted according to reliability, risk criticality and organizational impact. The weighted combination of scores across subcategories yields an overall score for each assessment tier, represented on a numerical scale of 250-900.

Yes. Once you fill out the myCYPR SAQ, you can easily send it to other requestors with a myCYPR subscription by providing them access to view your data. The SAQ is required to be re-attested annually, ensuring responses are always up to date and ready to be shared.

Yes. At myCYPR, we believe your data is just that- yours. If you have terminated a relationship, either as the principal organization or as the vendor, you can revoke access to data you have shared with another organization.

Yes and no. OSINT does not require permission to scan a vendor. All information assessed in this tier is publicly accessible and involves no input or permissions from the vendor.

OPSEC | SAQ and OPSEC | Assess are both interactive by nature, requiring the participation of the vendor to ensure completion of the assessment.

OSINT has value. It can provide a quick, broad picture of risk for automated risk scoring and continuous monitoring. That’s why it’s one of our three data options. But OSINT alone is not enough to accurately represent an organization’s total risk profile, whether evaluating a vendor or internal security.

Having a choice of data and how vendors are evaluated lets organizations build a risk management program that works best for their business. Sometimes organizations need more risk insight for one vendor than another. Or an organization may need more risk insight from vendors than OSINT offers and lacks the time or budget to conduct detailed security assessments across their third-party network. myCYPR let’s organizations choose different assessments for different vendors, depending on their risk profile, data exchange, or function in their operations.

Unlike other platforms, myCYPR provides a dashboard to each vendor an organization evaluates. Vendors have access to their results firsthand and are provided with instructions to remediate vulnerabilities. All parties can track remediations, noting progress as it is made.

myCYPR is designed to show the impact vendor risk has on your business. As a primary organization, your internal risk score is dependent on your data and the risk scores of your vendors. With views for both internal and vendor risk, you’ll see your score improve in real-time alongside your vendors.

All myCYPR assessments can be used to evaluate internal security. We recommend OPSEC | Assess, which evaluates internal and external vulnerabilities, operational maturity, and application risk.

myCYPR’s risk management program is flexible and reciprocal. It is designed to organizations more control over their data and risk management programs, while fostering understanding, trust, and mutual improvement for all parties.

Yes. myCYPR aligns with industry-standard security best practices, like NIST and CIS controls. These standards guide all assessment tiers.

myCYPR can be an effective communication tool for communicating with your board of directors and executives. myCYPR’s multiple assessment levels ensure you have the most risk insight possible and its digital dashboard can represent risk as a simple overview, or drill down into specific vulnerabilities. Learn more here (link Boardroom Reporting use case page)

myCYPR is the only third-party risk management platform on the market that gives you a choice in data and is mutually beneficial for all participants. Choose from three assessment tiers, using one platform- no partner integrations needed. You can build a TPCRM program that truly works for your organization and your vendors when you have the flexibility to dig deeper than OSINT.

And while other platforms assess vendors and help principal organizations prioritize high-risk partners, myCYPR provides vendors who’ve been asked to complete an assessment with dashboard access for one year. Vendors receive remediation recommendations, quickening the time between assessment and remediations. Plus, both vendors and principal organizations can track remediation and monitor progress in real time.