
Frequently Asked Questions

Answers to common questions about our solution

What is TPCRM vs. enhanced TPCRM?

Third-party cyber risk management (TPCRM) is the process by which companies identify, assess, and mitigate the potential cyber security risks associated with the use of their external vendors or service providers. This usually involves ongoing evaluation and monitoring of the security controls and practices of these third-party entities. But effective TPCRM doesn’t look the same for every organization.

myCYPR enhances TPCRM by giving organizations a choice in how they vet vendors, with multiple options for assessing and scoring each third party in their network. myCYPR’s approach to TPCRM is also reciprocal, providing insight and dashboards to all parties involved, ensuring maximum insight and mutual improvement.

What is vendor risk scoring?

Vendor risk scoring quantifies the potential risk posed by third-party vendors and service providers. Vendor scores can help organizations prioritize their risk management efforts, allocate resources effectively, and make informed decisions about their vendor relationships.

How does myCYPR score vendors?

Each tier of assessment has multiple subcategories of focus. Results from each subcategory are weighted according to reliability, risk criticality and organizational impact. The weighted combination of scores across subcategories yields an overall score for each assessment tier, represented on a numerical scale of 250-900.

I’ve already filled out a myCYPR SAQ. Can I send it to another requestor?

Yes. Once you fill out the myCYPR SAQ, you can easily send it to other requestors with a myCYPR subscription by providing them access to view your data. The SAQ is required to be re-attested annually, ensuring responses are always up to date and ready to be shared.

I shared my data with a vendor but terminated the relationship. Can I revoke their access?

Yes. At myCYPR, we believe your data is just that: yours. If you have terminated a relationship, either as the principal organization or as the vendor, you can revoke access to data you have shared with another organization.

Do I need permission to scan a vendor?

Yes and no. OSINT does not require permission to scan a vendor. All information assessed in this tier is publicly accessible and involves no input or permissions from the vendor.

OPSEC | SAQ and OPSEC | Assess are both interactive by nature, requiring the participation of the vendor to ensure completion of the assessment.

Why isn’t OSINT good enough?

OSINT has value. It can provide a quick, broad picture of risk for automated risk scoring and continuous monitoring. That’s why it’s one of our three data options. But OSINT alone is not enough to accurately represent an organization’s total risk profile, whether evaluating a vendor or internal security.

Why is a choice of data important?

Having a choice of data and how vendors are evaluated lets organizations build a risk management program that works best for their business. Sometimes organizations need more risk insight for one vendor than another. Or an organization may need more risk insight from vendors than OSINT offers and lacks the time or budget to conduct detailed security assessments across their third-party network. myCYPR lets organizations choose different assessments for different vendors, depending on their risk profile, data exchange, or function in their operations.

What information does myCYPR provide to improve vendor security scores?

Unlike other platforms, myCYPR provides a dashboard to each vendor an organization evaluates. Vendors have access to their results firsthand and are provided with instructions to remediate vulnerabilities. All parties can track remediations, noting progress as it is made.

How does myCYPR improve enterprise security?

myCYPR is designed to show the impact vendor risk has on your business. As a primary organization, your internal risk score is dependent on your data and the risk scores of your vendors. With views for both internal and vendor risk, you’ll see your score improve in real-time alongside your vendors.

What type of internal security risk or vulnerability assessments does myCYPR perform?

All myCYPR assessments can be used to evaluate internal security. We recommend OPSEC | Assess, which evaluates internal and external vulnerabilities, operational maturity, and application risk.

What are the core elements of the myCYPR risk management program?

myCYPR’s risk management program is flexible and reciprocal. It is designed to give organizations more control over their data and risk management programs, while fostering understanding, trust, and mutual improvement for all parties.

Is the myCYPR platform based on industry-standard security best practices and control frameworks?

Yes. myCYPR aligns with industry-standard security best practices, like NIST and CIS controls. These standards guide all assessment tiers.

Can myCYPR be used as an effective communication tool in the boardroom?

myCYPR can be an effective tool for communicating with your board of directors and executives. myCYPR’s multiple assessment levels ensure you have the most risk insight possible, and its digital dashboard can represent risk as a simple overview or drill down into specific vulnerabilities.

There are already a lot of options for risk management platforms. Why myCYPR?

myCYPR is the only third-party risk management platform on the market that gives you a choice in data and is mutually beneficial for all participants. Choose from three assessment tiers, using one platform; no partner integrations needed. You can build a TPCRM program that truly works for your organization and your vendors when you have the flexibility to dig deeper than OSINT.

And while other platforms assess vendors and help principal organizations prioritize high-risk partners, myCYPR provides vendors who’ve been asked to complete an assessment with dashboard access for one year. Vendors receive remediation recommendations, quickening the time between assessment and remediations. Plus, both vendors and principal organizations can track remediation and monitor progress in real time.