The team at Pinnacol Assurance was looking for a tool that would help them automate communication with vendors when they needed their SOC reports or other security documents. They were also hoping it would be an easier process to obtain these reports, as opposed to having vendor owners asking for documentation.
Download the full Pinnacol Assurance case study to discover the KPIs and how they automated the request of security documents:
Below is a recap of our conversation with our customer Kelly Lutinski, Chief Risk Officer at Pinnacol Assurance.
Why were you looking for a TPRM solution?
We were looking for a tool that would help us in automating the communication to vendors when we needed their SOC reports and other certifications/reports – and were also hoping it would be an easier process to obtain these reports.
Our previous process was to reach out to Pinnacol’s internal vendor owners and have them do the asking. In many cases the vendor owners were too busy and didn’t make this a priority or didn’t understand what they were asking for, which created additional work for everyone involved and was not efficient.
Read More: How to get Legal, Procurement and Business Owners Onboard with Security
Why did you choose ThirdPartyTrust?
We quickly realized that ThirdPartyTrust had additional features and functionality that our previous vendor did not. The platform improvements and the network approach helped us improve on our current approach, so it was a functionality based decision.
We had demoed some other tools in the past that didn’t match our needs. The pricing and ease of use with ThirdPartyTrust were the big decision drivers.
What are your thoughts after these first months using the tool?
The tool is easy to use and support is great. Everybody at ThirdPartyTrust is great to work with and very responsive.
What did your process look like before and after 3PT?
We were using a non-industry standard questionnaire for vendors that didn’t have SOC reports or other standard assessments/certifications. For the rest of them, obtaining SOC reports was ‘owned’ by individual vendor owners throughout the organization which required a lot of ongoing follow-up and clarification of what was being requested.
The current process is we have a contract management system for our third-parties, which assists us with our risk ratings and reminding of expirations (e.g., SOC, contracts, insurance). We complement that with ThirdPartyTrust for the assessment/certificate requests for our high risk vendors.
Currently we’re managing 65 vendors and introducing more as we request their SOC reports or certifications when they’re actually coming due. It’s a rolling process with an expected time frame of one year to onboard all our high risk vendors to ThirdPartyTrust.
Are you getting a good response rate from vendors?
Yes, I would say 80%. We are introducing vendors to the platform when we need their updated assessment/certifications so we aren’t doing all vendors at once.
What’s your main use of the tool?
Automating the intake of information and then weighing BitSight, RiskRecon, and SecurityScorecard scores together. The scans that you guys provide and the vendors you create relationships with are the big reasons we went with ThirdPartyTrust.
Kelly Lutinski, Chief Risk Officer at Pinnacol Assurance
Click on the images to enlarge
It’s more ongoing monitoring versus a ‘one and done’, annual review. Even outside of the scans, if we can get our vendors to upload documents into the platform when they become available, I get notified and I can stay on top of it more.
What are your favorite ThirdPartyTrust features?
I love the scans as they give me a more immediate understanding of the vendors risk profile. We are really liking the different providers ThirdPartyTrust has partnered with to help us monitor our vendors.
To learn more about how ThirdPartyTrust can help you automate your third-party risk assessment and monitoring process, request your free trial now:
