The Challenge
As an international insurance group based in London, Howden Group Holdings must meet strict regulatory requirements from governing bodies such as the Financial Conduct Authority (FCA) and the Information Commissioner’s Office (ICO). Carl Johnson, Head of IT Governance, is charged with administering both internal and external audits, which includes overseeing third-party security risk for Howden.
But managing third-party security risk is not easy, especially when you manually assess approximately 100 high risk, IT and critical suppliers—which is precisely what Johnson was doing to meet FCA requirements. In addition, as part of the compliance process, the FCA required Howden to evaluate the current state of their third-party risk program along with a roadmap of what could realistically be achieved to improve their third-party risk level within 18 months. Their spreadsheet system needed an upgrade.
“We’d send spreadsheets to potential clients and third parties and realize it’s not particularly slick, it’s not sustainable and it’s a burden to manage,” said Johnson. “We needed a system to manage this process for us.”
With the realization that Howden needed a more efficient system to manage the third-party security process, Johnson began to look for what was available in the market.
“We’d send spreadsheets to potential clients and third parties and realize it’s not particularly slick, it’s not sustainable and it’s a burden to manage. We needed a system to manage this process for us”
The Solution
When looking for a solution, Johnson had two main criteria: the ability to easily respond to inbound questionnaires, as well as customize and send questionnaires to third parties. The latter was important to Howden, as it facilitated the inclusion of specific topics that were significant to the organization in addition to the standard questions related to privacy, security and the like.
Johnson was pleased to find that Panorays offered an automated, easy-to-customize security questionnaire that would make the process of sending questionnaires to third parties quick and easy. In addition, Panorays also allowed Howden to respond to incoming questionnaires and readily demonstrate adherence to standards and regulations, which is especially crucial for a highly regulated insurance company like Howden. In addition, Johnson was pleased with the seamless onboarding process, intuitive dashboard and price point.
“Panorays gives you the cyber posture information about your vendors in black and white,” explained Johnson. “This is the ammunition needed to tell the third party that this issue must be addressed in order to work together.”
Though the automated, easy-to-use security questionnaire was what initially attracted Johnson to Panorays, discovering that the tool also performed a non-intrusive, external footprint assessment on Howden’s vendors was the icing on the cake.
“Panorays gives you the cyber posture information about your vendors in black and white. This is the ammunition needed to tell the third party that this issue must be addressed in order to work together.”
The Value
Having an all-in-one solution, at the right price point, was very attractive to Johnson. “I couldn’t find a competitor that did both,” he explained. He understood the value that Panorays offered Howden. Not only would Panorays help satisfy regulatory requirements, but the addition of an external assessment provided the checks and balances needed to feel confident about vendors’ security posture.
Having easy access to vendors’ security information provides Howden Group with useful information for procurement and renewal discussions. At each juncture, the Security Operations team can make decisions regarding whether to begin or continue a professional relationship with the vendor based on the security information provided by Panorays.
Johnson takes vendor security very seriously and believes suppliers are getting the message. “It is pretty much table stakes now for every organization. Vendors realize they have to have a solid cyber posture in order for us to be able to transact with them,” he explained. “Panorays was a very powerful package that was not included in the current-year budget, but I put together a business case for us to proceed with the purchase. I realized the benefits for me were significant in terms of automating a pretty laborious and difficult to manage manual process.”
Panorays not only expedited Howden’s regulatory due diligence process, it also provided a more comprehensive, in-depth view of third-party security risk all wrapped up in an easy-to-use, affordable, one-stop-shop solution.
“I realized the benefits for me were significant in terms of automating a pretty laborious and difficult to manage manual process”