
FAQ

Vendors/Third Parties/Supply Chain

How often is my score updated?

Vendor accounts are updated weekly. Customer accounts are updated on a daily basis. 

 

Can you invite your suppliers onto the platform?

Yes, each supplier you add gets a free account on the RiskXchange Platform.

 

How many suppliers can you add to the platform?

You can add an unlimited number of suppliers.

 

Does the subscription cost increase the more suppliers you add?

Yes, the subscription cost will increase the more suppliers you decide to add, but the unit cost (per supplier) goes down.

 

Can you communicate with suppliers within the platform?

The RiskXchange platform offers a robust chat feature that enables users to communicate securely with their direct suppliers. This secure communication feature ensures that all conversations are encrypted in transit and at rest, providing an added layer of protection for your sensitive information.

1. One-to-One Chat Sessions: Within the RiskXchange platform, you can initiate one-to-one chat sessions with your suppliers. This allows for direct and confidential communication with individual suppliers, facilitating real-time discussions and quick resolutions to potential risks or concerns.

2. Group Chat Sessions: In addition to one-to-one chats, the RiskXchange platform also provides the capability to have group chat sessions. These sessions enable collaboration among multiple stakeholders, including suppliers, allowing for efficient and effective communication on matters related to risk management, compliance, and supply chain operations.

 

Does RiskXchange have a managed service offering?

The RiskXchange managed service is an integral solution designed to alleviate the burden of building and maintaining a Vendor Risk Management team within your organisation. It can also provide supplementary support to existing vendor management, procurement or cybersecurity teams that may be understaffed.

The service includes advisory to your suppliers, annual assessment reviews and audits (if required), and suggesting potential remediation approaches to identified vulnerabilities. Additionally, the RiskXchange team assists with the onboarding of new suppliers and provides regular reporting to the customer.

One of the key features of the service is the onboarding of third-party vendors. RiskXchange will help you integrate new vendors smoothly, ensuring that they align with your cybersecurity standards and practices. This involves gaining visibility into the cyber posture and security maturity of these third-party suppliers, thereby enabling you to identify and address potential security risks in a timely manner.

The service also includes the provision of security maturity assessments, along with additional compliance-based assessments if needed. RiskXchange ensures that these assessments are completed punctually and provides comprehensive insights into the evaluation results. They also offer explanations and background information on the questions being asked during these assessments, ensuring you completely understand your cybersecurity status.

RiskXchange managed service is not just a solution; it's a partnership. The team works closely with your business and third-party suppliers, offering continuous support and adding value wherever possible. Many global organisations currently utilise this managed service, demonstrating its reliability and efficacy.

For more detailed information about the RiskXchange managed service, please visit the Services page on the RiskXchange website.

 

Can you upload your own assessments to the platform?

Yes, an unlimited number of custom assessments can be uploaded to the Platform.

 

Can you send assessments from your platform?

Yes, you can send assessments manually and automatically, based on a set time schedule (every 3 months, every 6 months, or yearly). RiskXchange comes with a wide range of assessments covering data protection (GDPR), information security (ISO 27001), finance, ESG, PCI, SOC 2 and many more.

 

What types of screening does RiskXchange perform in the initial due diligence phase?

· During the onboarding process of vendor platforms, we carry out an extensive screening process that covers a wide range of risk areas, including but not limited to Information Security, Cyber Security, and compliance checks. When working with our partners, we can provide Credit Risk and other data within the platform. We have integrated with trusted providers for credit screening, sanctions checks, AML/KYC, and you can easily integrate your existing systems into the RiskXchange portal and dashboards.

· Although we do not offer penetration testing services as part of our standard subscription, we request each vendor's latest penetration test reports as part of our comprehensive screening process. We also offer the option to provide actual penetration testing within our managed services.

 

What does RiskXchange provide when it comes to ongoing due diligence?

· At RiskXchange, we provide our customers with comprehensive cyber security monitoring of their vendors. We offer daily continuous risk scoring to keep you informed of any changes to your vendor's security posture. Additionally, our platform monitors the dark web, surface web, ransomware, and data breaches for any mentions of your third and fourth parties. This ensures that you are alerted to any potential security threats before they can cause any harm.

· Furthermore, we offer the option to deploy active risk compliance assessments, which are automatically scored for non-compliance or new risks. This allows you to proactively address any security issues and ensure your vendors meet your security requirements.

 

Risk Ratings

Do you show a risk score/rating?

Yes. The risk score includes a combination of the attack vectors across risk categories (Application Security, Business reputation, Cyber Attacks, Database Servers, Mail/DNS, Malware, Network Security, SSL/TLS, Third-party Services) and their impact on your company’s security (Critical, high, medium or low severity). For more information on risk scores.

What are RiskXchange Security Ratings?

RiskXchange Security Ratings provide a dynamic, data-driven, and objective measurement of an organisation's cybersecurity performance. These ratings, presented on a scale from 300 (very poor) to 900 (excellent), are designed to enable organisations to gauge the effectiveness of their cybersecurity practices and pinpoint areas that might need enhancement.

RiskXchange calculates an organisation's cybersecurity risk by considering various factors, including:

1. Network security: The security of the organisation's network infrastructure, examining elements like firewall configuration and secure network architecture.

2. Patch and update frequency: The frequency with which an organisation applies patches and updates to its software can indicate the degree of importance it assigns to its cybersecurity. Software that isn't promptly patched often harbours vulnerabilities that can be exploited by cybercriminals.

3. Endpoint security: The security of devices such as computers, smartphones, and tablets that connect to the organisation's network.

4. Email and DNS security: The assessment of the security of an organisation's email systems and Domain Name System (DNS) configuration.

5. User behaviour: RiskXchange may also evaluate user behaviour patterns that could signify potential security issues, for instance, users accessing the network from high-risk locations or at unusual times.

These aspects are analysed, leading to a security rating for the organisation. This rating, ranging from 300 to 900, helps to identify and alleviate cybersecurity risks, bolster compliance efforts, manage third-party risk, and even inform cybersecurity insurance underwriting decisions.

RiskXchange's ratings should be used as part of a comprehensive cybersecurity risk management strategy, integrated with other tools and methods, to ensure robust security coverage.


What can the Security Rating be used for?

RiskXchange's Security Ratings can be used for various purposes, primarily revolving around cybersecurity risk management. Here are some of the main uses:

· Vendor Risk Management: Companies can use RiskXchange ratings to assess the security posture of their vendors, suppliers, and third-party partners. This helps ensure that these external entities do not introduce unnecessary cyber risks into their own network and systems.

· Mergers and Acquisitions: During M&A due diligence, RiskXchange ratings can provide valuable insights into the cybersecurity health of the target company. This helps the acquiring company understand potential cyber risks that may come with the acquisition.

· Benchmarking and Compliance: Companies can use RiskXchange ratings to benchmark their cybersecurity performance against industry peers and competitors. Additionally, these ratings can help demonstrate compliance with certain cybersecurity standards and regulations.

· Cyber Insurance Underwriting: Insurance companies can use RiskXchange ratings to better understand the cyber risk profile of a potential policyholder, which can inform underwriting decisions and pricing.

· Business Development and Reputation: A strong RiskXchange rating can be used as a selling point in business development efforts. It shows potential customers and partners that a company takes cybersecurity seriously, which can improve its reputation in the market.

It's important to note that a RiskXchange rating is only one piece of the cybersecurity risk management puzzle. Companies should also have other processes and systems in place to manage cybersecurity risks, such as intrusion detection systems, firewalls, regular vulnerability assessments, and employee training programs.

Can anyone else see my rating?

RiskXchange provides cybersecurity risk ratings for businesses. Organisations typically use these scores to evaluate the security posture of their business partners, vendors, or third-party providers. While RiskXchange makes these ratings available to its customers, it's not generally accessible to the public.

However, it's important to note that if a partner or potential partner has evaluated your organisation's RiskXchange score, they would have access to that information. The specifics of who can see your RiskXchange score depend on who your organisation has given permission to access this information or who has requested and obtained your risk rating through their subscription with RiskXchange.

 

Compliance



How can you help us comply with ISO 27001?

The RiskXchange Platform plays a pivotal role in ensuring your adherence to ISO 27001 standards. Our platform conducts a thorough compliance assessment, particularly aimed at ISO 27001, to identify any gaps in your current compliance status. This helps you understand where your organisation stands in terms of meeting these specific requirements.

Moreover, this assessment comes as part of your standard subscription, making it a cost-effective solution for your ISO 27001 compliance needs.

On top of that, we provide a managed compliance advisory service. Our team of experts is ready to guide you through the process, providing insights and advice on how to address any identified gaps and improve your compliance strategy.

So, not only does RiskXchange Platform help you identify where you may fall short of ISO 27001 compliance, but we also offer solutions and advice to help you address these issues effectively and efficiently.

 

How can you help with government regulations?

RiskXchange Platform is an invaluable tool for dealing with government regulations. It provides a wide range of compliance assessments highlighting gaps in your current regulatory adherence. Whether it's ISO 27001, PCI, or any other regulatory standard, our platform can help identify where your organisation may fall short.

These assessments are included in your standard subscription, making RiskXchange a cost-effective solution for staying on top of government regulations. Moreover, the assessments we offer are not limited to the ones mentioned above. We strive to cover a comprehensive set of standards that could apply to various regulatory environments.

Additionally, RiskXchange provides a managed compliance advisory service. This means we have a team of experts ready to guide and advise on navigating complex government regulations. Our advisory can help you understand these regulations better, suggest ways to address any identified compliance gaps and help you devise a plan to improve your regulatory compliance strategy. In short, RiskXchange assists with government regulations by identifying compliance gaps, providing expert advisory services, and offering solutions within our platform to ensure your organisation meets regulatory standards. For a detailed understanding of our services, do visit our Services page.

Digital Risk Protection

How do you search the dark web?

Our crawlers search the open web and dark web for any company information and company mentions (for example, name, IP address, etc.), as well as whatever keywords or other arbitrary data the company inputs during the dark web setup.

How do you search for leaked credentials?

By monitoring for data breaches and analysing data dumps and paste bins (a known source of dumped data).

How do you know if my company is being impersonated?

RiskXchange Platform scans for cybersquatting and detects impersonation risks by searching for similar domain names and checking if they are active.

 

Vulnerabilities

 

Do you carry out pen testing?

Yes, we provide penetration testing within our managed service offering.

Does your platform remediate vulnerabilities?

No, RiskXchange Platform only identifies vulnerabilities. However, we work with several partners that can help you remediate any issues discovered.


How does your company help against zero-day attacks?

RiskXchange Platform isn’t designed to identify zero-days, but it provides visibility into your vulnerabilities as they are identified.

How does your company help against Phishing attacks, Ransomware attacks, Malware etc?

The Platform’s scanning and scoring process checks for any new vulnerabilities and misconfigurations across several risk categories that can make your organisation open to such attacks. The risk categories include Application Security, Business reputation, Cyber Attacks, Database Servers, Mail/DNS, Malware, Network Security, SSL/TLS, Third-party Services.

 

General

Does your platform support other applications?

RiskXchange Platform can be integrated with other applications through an open API.


Does RiskXchange outsource any of its platform?

No.


Is it an internal or external facing platform?

RiskXchange Platform is an external-facing platform (SaaS-based; it uses an internet connection to access the application).

How do you source your information from other companies?

We go through a comprehensive public discovery exercise.

Do you break through a company's firewalls?

No, RiskXchange Platform is non-intrusive and does not break through an organisation's firewalls.

 

Is everything based in the cloud, is there an option for it not to be based in the cloud?

No, everything is based in the cloud. We have no on-premise option; RiskXchange Platform is a SaaS-based application.

What cloud-based service provider does RiskXchange use?

RiskXchange does not publicly disclose the name of its hosting provider. However, they do provide a secure and reliable platform for their customers.

Do you cover AML?

No, but we can integrate RiskXchange Platform with other third-party systems delivering this service.

Can multiple people in our company access the platform?

Yes, the Platform provides an unlimited number of users per company. You can set read-only, collaborator or administrator privileges for each user.


How long does it take to set up?

Setting up RiskXchange's risk assessment and management solutions typically involves several steps, and the overall time required can vary based on the specific needs and complexity of the organisation. While the initial setup process may be completed in as little as 15 minutes, it's important to note that this timeframe primarily refers to the initial configuration and obtaining an initial risk rating.

To provide a more comprehensive answer, here is an expanded explanation of the setup process:

1. Account Creation: The first step involves signing up for a RiskXchange account. This usually requires providing relevant company information and creating login credentials. The account creation process can typically be completed quickly, usually within a few minutes.

2. Platform Familiarisation: Once the account is created, it is essential to become familiar with RiskXchange's platform and user interface. This step involves exploring the various features and functionalities available to effectively assess and manage cybersecurity risks. The time required for platform familiarisation can vary depending on the user's prior experience and the complexity of the organisation's requirements. This will be covered during a 30-minute on-boarding call.

3. Risk Assessment Configuration: RiskXchange allows organisations to customise their risk assessment parameters based on their industry, compliance requirements, and risk appetite. Configuring these parameters typically involves selecting relevant risk criteria, weighing factors, and defining risk thresholds. The time required for this step can vary depending on the organisation's complexity and the level of customisation desired. Fine-tuning the risk assessment configuration may take a few hours or longer.

4. Vendor Onboarding: For organisations that want to assess the cybersecurity risks associated with their vendors, RiskXchange provides a vendor onboarding process. This step involves connecting and integrating with the vendor's systems to gather relevant security data. The onboarding process may vary depending on the vendor's assessment options. It may involve sharing risk assessment questionnaires, exchanging security-related information, or establishing secure connections to retrieve data. The time required for vendor onboarding can vary depending on the number of vendors and the complexity of the integration process for each vendor.

5. Initial Risk Rating: Once the setup is complete and the necessary data integration and configuration steps have been performed, RiskXchange generates an initial risk rating for the organisation. This rating provides an overview of the organisation's cybersecurity posture and helps identify potential vulnerabilities and areas for improvement. The initial risk rating is usually available shortly after the setup process is finished, typically within 15 minutes or less.

It's important to note that the setup process described here is a general outline and can vary depending on the specific implementation and requirements of each organisation. Additionally, ongoing monitoring, updates, and continuous improvement efforts are crucial for maintaining an effective cybersecurity risk management strategy.

Who are your main customers?

A range of customers across various industries, the primary ones being financial services and insurance, as well as critical national infrastructure.


What size of a business does your company market towards?

RiskXchange is a cybersecurity company that offers risk assessment and management solutions to businesses of various sizes across different industries. They cater to organisations ranging from small and medium-sized enterprises (SMEs) to large corporations. By providing comprehensive cybersecurity assessments, monitoring, and remediation strategies, RiskXchange aims to assist companies in identifying and mitigating potential security risks.


Can you show me where my assets are located?

Yes, RiskXchange Platform reports on the geographic location of each digital asset we discover.

What is the importance of showing where my assets are located?

Knowing where your assets are located helps with compliance requirements (for example, GDPR).

Can you make reports from your platform?

Yes, you can create a range of reports, which can be viewed online or downloaded in PDF or CSV format. The available reports include a Risk Score Changes report, Security Issues report and Worst Performing Third-party Connections report.

 

Can the platform be used for internal enterprise risk as well as supply chain risk?

Yes, RiskXchange Platform highlights both the risks within your enterprise and that of your supply chain.

How does your platform differ from competitors?

· RiskXchange Platform is one of the only platforms highlighting system risk within the supply chain.

· Additionally, we offer a free account for all your suppliers and provide secure communication between suppliers and your organisation.

· You can add an unlimited number of users per organisation without increasing the subscription price.

· Our data is updated every 24 hours, and a risk score is given within 15 minutes of setting up your account.

Subscription & Licensing

Does the subscription cost increase the more suppliers you add? Is there a max number of suppliers I can add?

Yes, the subscription cost will increase the more suppliers you decide to add, but the unit cost (per supplier) goes down.

How does your licensing model work?

Depending on the service, it can be by the number of suppliers or the number of domains monitored.

What does RiskXchange cost?

The cost of a subscription will depend on your requirements. Ask to be transferred to a salesperson to get a quote.