Skip to main content

About the author

Roland Thomas

Associate Director | Corporate Development

Roland is an Associate Director in Thomas Murray’s Corporate Development team. He joined Thomas Murray in 2018 with responsibility for group strategy, partnerships and corporate finance. More recently, Roland’s role has focused on establishing Thomas Murray’s cyber risk business, starting in 2021 with the launch of our Orbit Security platform, and the development of our expert cyber risk consultancy. Roland has a BA in English Language and Literature from Oxford University.

The financial sector is constantly under attack from cyber criminals. Ensuring your own firm’s security is robust is the most important thing you can do to combat this threat, but supplementing this with the use of security ratings is also essential.

Cybersecurity ratings can be used to assess and manage the risks associated with third-party vendors, suppliers, and business partners. Ratings give you an invaluable insight into the security posture and practices of every entity and contractor your firm is connected to, allowing you to make informed decisions about how you manage those relationships – and the associated risks. 

Benchmarking and compliance 

Cybersecurity ratings can be used to benchmark your own firm’s security posture against those of its peers. Use this benchmarking to identify areas for improvement and prioritise your cybersecurity spending. Ratings can also be useful for meeting compliance requirements, because they provide an objective and measurable assessment of your vendors’ security practices.

Continuous monitoring 

Cybersecurity ratings are a living measurement, so will change over time. By continuously monitoring the ratings of your vendors and partners, you can spot possible risks before they become real threats. You can also start to conduct additional assessments, request improvements or, if necessary, terminate relationships that no longer fall within your range of risk tolerance.

Due diligence and vendor selection 

Incorporating cybersecurity ratings into your due diligence process is a good idea. Like-for-like comparisons of different vendors will highlight those with the strongest security measures. In turn, this can minimise the risk of data breaches, service disruptions, or other security incidents that could harm your financial operations.

Incident response and recovery 

Should you experience a cybersecurity incident involving one of your third parties, cybersecurity ratings can help you to assess both the likely impact and the third party’s response capabilities. This information plays a vital role in your own incident response and recovery strategies.

Vendor risk management

It’s not just possible suppliers and vendors who need to be assessed for the cybersecurity risk they pose to your firm. Security ratings also help you evaluate the security posture of your existing third parties. You can see potential risks and vulnerabilities associated with their systems and practices by evaluating their ratings. This allows you to make informed decisions about whether to engage with a particular vendor or supplier on specific projects, and to negotiate appropriate security controls and contractual obligations.

Ratings alone will not give you a complete picture and should be used as part of a wider program of comprehensive risk management. The valuable insights that ratings provide ought to be supplemented with other assessment methods, such as audits, penetration testing, and contracts to ensure a robust approach to cybersecurity.

Orbit Security

Orbit Security

Security ratings for enhanced attack surface management and third party risk. Monitor for breaches and vulnerabilities that could be exploited by threat actors.

Learn more

Contact an expert

Robert Smith

Robert Smith

Head of SaaS Sales and Customer Success 

Roland Thomas

Roland Thomas

Associate Director | Cyber Risk