ABSTRACT

Within the last two years, we have seen many new regulations requiring cyber risk programs. These regulations are disparate across geographies, industries, and the types of data that are regulated. Over 80% of the requirements are universal and apply to any regulation regardless of the regulatory body. The rub is that the language is tweaked to the specific data type, industry, or geography. We will explore the regulations that require third-party vendor cyber risk programs. Best practice in designing an effective vendor cyber risk program is to implement a framework that accommodates the most stringent requirements across the entire portfolio and adjusts the risk treatment strategy based on the inherent risk of each vendor.