Charting the Course to Compliance: How NorthStandard Is Meeting Security Regulations With Panorays While Managing Third-Party Risks More Effectively

About NorthStandard

NorthStandard is one of the world’s leading marine insurance companies and among the largest protection and indemnity (P&I) clubs in the International Group. Their products cover almost every eventuality that might befall a shipper to protect crews, vessels, and their owners. Their 600 employees include master mariners, engineers, lawyers, and analysts that provide unmatched depth and breadth of expertise in marine underwriting.

NorthStandard’s global footprint includes offices covering all main shipping regions, including Asia (China, Hong Kong, Singapore, Japan, and South Korea), Australasia (Australia and New Zealand), Europe (UK, Ireland and Greece), and the United States.

The company insures shipping totaling some 260 million in gross tonnage worldwide (mutually poolable) across all sectors (some 18% of the International Group’s total), and they are backed by a financial strength and resilience that is A-rated by S&P Global.

Risk management, especially in the context of outsourcing and third-party cyber risk, is becoming an increasingly significant business concern. The fact that tools like Panorays now exist to not only identify, assess and manage such risks but also streamline governance processes and help transfer sensitive data more securely was very appealing to me.

—Declan Burke, Head of Cyber Security and Operational Resilience, NorthStandard

Background

Previously, NorthStandard had been using traditional spreadsheets to manually track the security posture and risk profile of their outsourced service providers and third-party affiliates. The former one-size-fits-all process was labor-intensive, costly, insecure and generally ineffective from a position of determining, assessing and managing associated risks.

The Challenge

Declan Burke, Head of Cyber Security and Operational Resilience at NorthStandard

Declan Burke, Head of Cyber Security and Operational Resilience at NorthStandard, explained that with over 250 suppliers and circa 10% being considered strategic suppliers with varying degrees of risk, NorthStandard needed a solution that would allow their security team to gain actionable insights into their suppliers’ vulnerabilities. Being cognizant of the ever-shifting digital threat landscape, Burke also wanted to be alerted to any posture changes that might make their supply chain more prone to cyberattacks. Importantly, NorthStandard needed a solution that would help them meet the compliance requirements of existing regulation such as PRA SS2/21 and emerging regulation, such as the Digital Operational Resilience Act (DORA). Overall, this provides NorthStandard with a cohesive view of the enterprise’s third-party risk and landscape, enabling strategic decisions regarding sourcing and security.

#1 – Limited Visibility of Third Party Security Risks

The global average cost of a data breach is $4.45 million and almost 50% of cyber and resilience incidents occur through indirect attacks on third-party suppliers and associated contagion risks. Without a dedicated solution, Burke’s team was unable to fully visualize their third-party landscape to gain actionable insights into their suppliers’ vulnerabilities. Due diligence tended to be done upfront during the onboarding phase, with no mechanism to monitor or receive alerts, limiting the ability to monitor the ongoing relationship in an objective, data-led manner and as new threats emerge.

#2 – Emerging Regulatory Requirements

One of NorthStandard’s big challenges was centered around complying with emerging regulations from DORA, which focuses much more specifically on ICT third-party security risks and the role of third parties.

With Panorays now integrated into their workflow, sharing information to help manage risk and remain compliant is far easier. Real time monitoring and notification of cyber events, alongside deeper insight into the 4th party landscape, underpins the evolving regulatory risk landscape.

#3 – Inefficient and Insecure Manual Processes

Using and maintaining Excel spreadsheets demanded time and resources that drove costs and increased the risk of human error. More importantly, there was a high degree of risk in manually inputting sensitive information into uncontrolled documents—posing a potential risk to NorthStandard, as well as the suppliers they deal with. Lack of a system also meant a limited ability to interface with other sources of MI and reporting.

The Solution

Panorays assessed the cybersecurity posture of each of NorthStandard’s third parties by taking into account the level of business criticality, external and internal assessments, and NorthStandard’s risk appetite to create a unique Risk DNA for the company.

NorthStandard’s Risk DNA score was then calculated with a nuanced analysis of millions of data points, spanning attack vectors, third-party questionnaires, and real-time threat intelligence. Panorays then filtered the raw findings through the company’s unique security lens, aligning outcomes with their KPIs and KRIs, to provide a precise cyber-risk rating that reflected the true risks within their third-party ecosystem. This allowed NorthStandard to identify and prioritize their most critical third parties and empowered Burke’s security team to focus their efforts where they matter most.

Onboarding Panorays and Main Use Cases

Integrating a third-party security solution into existing workflows can be a cumbersome process that slows time to value. For NorthStandard, however, onboarding Panorays was an efficient and enjoyable experience. As Burke explained, “It’s nice and easy to get on board with, and our account manager has always been super helpful.”

Seamless integration allowed NorthStandard to quickly harness the power of Panorays’ platform to:

#1 – Track common vulnerabilities enterprises are exposed to while providing a deeper level of insight to remain secure in an ever-changing threat landscape.

#2 – Streamline the questionnaire process in a way that allows NorthStandard to easily articulate a supplier’s security posture, generate a meaningful risk score and demonstrate compliance from a due diligence perspective.

#3 – Drill down to the level of 4th and Nth parties to see the full attack profile of their suppliers.

The Outcome

Panorays was able to provide NorthStandard with a third-party cyber-risk management solution that not only provides invaluable insights into their existing third-party connections but furnishes a proactive solution to prevent future breaches through constant monitoring that alerts them to any changes in their third-party risk profiles. With Panorays now integrated into their workflow, NorthStandard is able to:

  • Monitor all outsourcing and supplier arrangements in a single solution – Seeing all of their tier 1 and tier 2 suppliers in a single solution has allowed NorthStandard to gain insights based on new risk metrics such as industry benchmarking, dark web mentions, asset locations, 4th party vulnerabilities and more—insights they were unable to achieve before.
  • Automate data-inputting to save 75% of assessment time – Automating the data-inputting process with Panorays streamlined the workflow, saving time and money while freeing up valuable human resources to concentrate on NorthStandard’s most important security challenges.
  • Remain compliant in a changing regulatory environment – Being able to easily input, assess, and demonstrate management of outsourcing and third party security risk means NorthStandard is well positioned to meet evolving regulatory requirements of DORA and others.
  • Deliver actionable insights and reports – Providing findings that are easy to understand, articulate, and share with executives, auditors and suppliers was made easy thanks to Panorays’ clear, actionable reports.

“The value you get through managing third-party security risk through the [Panorays] platform is significantly more than you would ever get through any spreadsheet,” Burke said.

Rethinking Third-Party Risk Management?

If your enterprise is struggling with inefficient, manual vendor risk management processes, follow NorthStandard’s success to take control of your supply chain security today with Panorays. Learn more!

 
