"With hundreds of thousands of assets on the internet and cloud instances being spun up every day, we needed visibility into where cybersecurity falls short – and BitSight delivers that."

James Arden
Advisory and Assurance Manager, RBC Brewin Dolphin

Like all financial services companies, RBC Brewin Dolphin – one of the UK’s leading wealth managers – takes cybersecurity very seriously. Because of the sensitive data held in its networks, any cyber incident can compromise client data, lead to financial losses, damage the firm’s reputation, and have regulatory consequences.

With a footprint of 33 offices across the UK, Jersey, and the Republic of Ireland and an extensive digital supply chain, RBC Brewin Dolphin needed to understand its attack surface and the associated vulnerabilities and risks that a hacker could exploit.

“You can't reduce the cyber risks faced by your organization if you don't know what you're up against – both internally and across your vendor portfolio,” said James Arden, Advisory and Assurance Manager at RBC Brewin Dolphin.

In response to that need, the firm chose BitSight for Security Performance Management (SPM). The solution provides deep insights into the firm’s security posture and continuously monitors the attack surface for emerging risks.

When Arden joined the firm, he was charged with designing and implementing new security initiatives in a swift, relevant, and pragmatic way. As such, he was curious to understand if BitSight could address other use cases, notably the urgent need to understand third-party risk. Enter BitSight for Third-Party Risk Management (TPRM).

Today, the combined solutions provide holistic, data-driven insight into internal and third-party risk profiles. Now, RBC Brewin Dolphin can:

  • Understand the firm’s security posture and identify hidden risk using BitSight Security Rating.
  • Enhance its security questionnaire process to achieve unparalleled and trusted insight into and validation of its vendors’ security postures.
  • Improve due diligence by understanding where the firm’s digital assets are located and the vulnerabilities present in vendor digital ecosystems.
  • Collaborate with suppliers to investigate cyber risk and vulnerabilities in their networks.
  • Evaluate the security performance of future vendors before risk is introduced into its digital ecosystem.

The insight into third-party risk was revelatory:

“BitSight immediately shone a light on hidden risk in our own vendor portfolio, particularly critical third parties in the technology sector,” said Arden. “Before BitSight, we relied on what our vendors told us, but now we have a complete picture of risks that would have otherwise gone undiscovered.”


Stopping risk before it enters the firm’s supply chain

The addition of BitSight to RBC Brewin Dolphin's third-party due diligence process has enabled a more comprehensive assessment and informed decision-making.

Explains Arden: “When a third party responds to a security question, we use BitSight for TPRM to further validate that response. For example, if BitSight detects that a supplier has an indicator of risk or less-than-perfect security posture, we can confidently request them to investigate further.”

But BitSight's value extends beyond due diligence. “BitSight’s findings have greatly informed our understanding of our vendor ecosystem – where their digital assets are based, the vulnerabilities present in their digital ecosystems, and risky fourth-party relationships,” said Arden.

One of Arden’s favorite components of BitSight is its integration with News Feeds (a news aggregator of global cybersecurity incidents). “As a result of this visibility, I can understand the security posture of third-party vendors we may work with but have never scrutinized before – and even that of future potential vendors.”

Understanding risky connections

Furthermore, BitSight illuminates the connections between vendors and peers, and how these relationships impact risk.

Per Arden: “The more organizations vendors work with, the greater the chances they could introduce risk into our company. Therefore it’s helpful to be aware of the size of our vendors’ networks. BitSight for Third-Party Management gives us this level of insight. For example, we can now determine if a vendor is used by 95% of the financial services industry and how that type of footprint could impact our risk exposure. That’s information we wouldn’t have otherwise. With BitSight, we learn fundamental things about our extended cyber risk landscape that we didn't even realize we needed to know!”

Some of RBC Brewin Dolphin’s vendors have seen the success the firm has had with BitSight – and have chosen to adopt the technology to better secure their own businesses. “When we point out that their business is at risk and they need to clean up their act, we’ve seen a few companies turn to BitSight with similar success to what we’ve experienced.”

For Arden, BitSight's technology and data are only the beginning of why RBC Brewin Dolphin values its relationship with the company. The service and support BitSight provides are equally important and have helped the firm remain protected from potential threats.

“The account team has been fantastic. When I started my journey with the firm, my objective was to understand what we use BitSight for, untapped use cases for the technology, and any capabilities we were missing,” said Arden. “Through training and awareness, the team helped me – and anyone new to the business – explore all of BitSight's value. Plus, they were quick to take my feedback and use it to improve the platform. If there are capabilities we’re missing or expect to see, they are incredibly quick to respond.”