Risk Control is available with a paid SecurityScorecard plan. See our plans page for more information about levels of features and access.
Use SecurityScorecard's Risk Control to proactively identify companies that are at high risk of sustaining an incident, and deliver personalized email alerts to make them aware of vulnerabilities and issues that need immediate attention.
If you are an insurer or any organization with a vendor risk management program, Risk Control helps you accelerate responses to risk in your ecosystem.
With Release 1.0 of Risk Control, you can:
- Use a burndown chart of issues to track numbers of companies impacted by specific issues in your Portfolios.
- View details about those impacted companies.
- Send alerts to those impacted companies regarding the issues detected in their environment.
- Personalize emails by editing email templates.
Before you get started
To access Risk Control, make sure you have a SecurityScorecard account with a paid plan that includes Risk Control. Contact your Sales Engineer or Customer Success Manager for more information.
Create a new Portfolio
- In the platform, click Portfolios in the top navigation menu and select Create New Portfolio.
- To create a new Portfolio, give it a name and helpful description. Then select whether you want the Portfolio to be visible only to you or to others in your organization.
- If you choose Team, select the team from a dropdown menu.
Tip: You can set up who accesses your team in your account settings.
- Click Save.
Add companies with insurance contacts to a Portfolio
- Select your newly created Portfolio from the Portfolios drop-down list.
- From the main Portfolio page, click Add Company.
- In the panel that appears on the right, select whether to add a single company or multiple ones.
- Company Name
- Domain Name (URL)
- Contact (Email address of contact)
- Contact Type (With a value of Insurance for each row)
Tips:
- For best results, upload a maximum of 10,000 companies each time.
- To ensure proper formatting, download a sample .csv file, which contains the required fields. The download link appears below the Upload files button on the page for adding companies. Learn more about uploading multiple companies.
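A pre-upload check for the multi-company .csv file, written as an added example and not SecurityScorecard code. The header strings are assumptions taken from the field list above, so match them to the downloaded sample .csv; the rows are constructed.

```python
import csv
import io
import re

# Assumed header names, copied from the field list above; the sample .csv
# downloaded from the platform is authoritative.
REQUIRED = ["Company Name", "Domain Name", "Contact", "Contact Type"]
MAX_ROWS = 10_000  # per-upload maximum recommended in the tips
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def validate_upload(text):
    """Return a list of (line_number, problem) found in an upload file."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [h for h in REQUIRED if h not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, seen, count = [], set(), 0
    for count, row in enumerate(reader, start=1):
        line = count + 1  # the header occupies line 1
        domain = (row["Domain Name"] or "").strip().lower()
        if not (row["Company Name"] or "").strip():
            problems.append((line, "empty company name"))
        if not domain:
            problems.append((line, "empty domain name"))
        elif domain in seen:
            problems.append((line, "duplicate domain"))
        seen.add(domain)
        if not EMAIL_RE.match((row["Contact"] or "").strip()):
            problems.append((line, "contact is not an email address"))
        # Risk Control only emails contacts whose type is Insurance, so any
        # other value means this company would never receive an alert.
        if (row["Contact Type"] or "").strip() != "Insurance":
            problems.append((line, "contact type is not Insurance"))
    if count > MAX_ROWS:
        problems.append((count + 1, "more than 10,000 companies in one file"))
    return problems


# Constructed sample rows, not real companies or contacts.
SAMPLE = """Company Name,Domain Name,Contact,Contact Type
Example Co,example.com,risk@example.com,Insurance
Example Org,example.org,ciso-at-example.org,Insurance
Example Net,example.net,analyst@example.net,
Example Co 2,EXAMPLE.COM,it@example.com,Insurance
"""

if __name__ == "__main__":
    for line, problem in validate_upload(SAMPLE):
        print(f"line {line}: {problem}")
```
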
Add insurance contacts to existing companies in a Portfolio
If you are an insurer using Risk Control, and you want to add an insurance contact to a single Portfolio company or multiple companies, do the following:
For a single company
- Select View Invited Companies from the Portfolios drop-down list.
- On the Contact Manager page, start typing the name of the company you want to manage invitations for in the Search companies field.
- When that company appears in the table, click the downward-pointed arrow on the right to expand the information about that company and then click Add Contact.
- In the Add Contact form that appears on the right, enter the contact's first and last name, company email address, and company role.
- Select whether this person becomes the primary contact. Typically, a primary contact would be someone directly responsible for managing the organization's cybersecurity, such as a risk analyst or a chief information security officer (CISO).
- For Contact type, select Insurance so that Risk Control emails only this person from the contact list.
- Click Save Changes at the bottom of the form.
For multiple companies
- Select the Companies tab in a Portfolio.
- Click Add Company in the upper-right corner of the page.
- Follow the steps as for adding multiple companies to a Portfolio.
Note: Risk Control only communicates with contacts who have the Insurance contact type. Make sure you select this type for contacts whom you want to receive Risk Control alerts before setting up alerts.
Survey issue types and CVE exposures in your Portfolios
Once you upload your insurance contacts to a Portfolio, you have several ways to begin assessing exposure across these insureds.
- To understand the security issues impacting your Portfolio the most, select the Overview tab of a Portfolio and view a section of the Most Critical Issues along with Most Common Issues.
- To further analyze exposure, go to Reporting Center, click the Insurance tab, and select Issue Type Trends or CVE Impact on Companies reports.
Creating rules to automate alerts to contacts
Once you understand the issues and vulnerabilities impacting your Portfolio, you can create rules that automatically send alerts to the contacts in your Portfolio.
- Click the Rule tab in a Portfolio.
- Click Create Rule.
- In the rule editor form, provide the following information:
- Name your rule.
- Select an event from the drop-down list that triggers the rule. For Risk Control, select either:
- By issue type under the New Issues category, for which you can then select multiple issues in one rule
or
- CVE Detected under the Breaches & CVE category.
- Select Scorecards to which the rule applies.
- For the action that occurs when the rule is triggered, select Send an Alert. Then select a receiver for the action.
Tip: To only send alerts from Risk Control to insurance contacts, select Myself or the Team.
- Select the option to prioritize your rule if you want to see triggers to this rule as alert notifications.
- Click Save.
Monitor exposure in your Portfolio
Once you create a rule, you can track discovered issue types or common vulnerability enumerations (CVEs) in Risk Control to understand the exposure across your Portfolio.
- Click the Risk Control tab in a Portfolio.
The Issue Type and Critical Vulnerabilities pages, which you can toggle between, show two data visualizations:
- A burndown chart labeled Impacted company activity shows the number of companies affected by issue types or vulnerabilities selected in your Risk Control rules over time. Click in the chart to select a specific date.
- A Company details table shows Scorecard scores and alert dates for selected companies.
- Change filter settings to change the displayed data in these visualizations:
- Change which issue types or vulnerabilities are displayed.
Note: Data will start to appear 24 hours after a rule has been created for a selected issue type or vulnerability and only if companies are affected by the selected issue type or vulnerability.
- Change the time range for displayed data.
Edit an email template
You can create or edit an email template for all alerts Risk Control sends to your contacts.
- On the Risk Control page, click the Edit Email Template button.
- Edit the email subject and message.
- Review changes in the email preview.
- Click Save Template.
Note: Anyone who has access to your Portfolio can view this template. See Portfolio privacy settings for more information.
Send alerts from Risk Control
To send email alerts notifying companies that are affected by specific issue types or CVEs, take the following steps:
- Click the Send Alert Now button in the upper-right corner of the page in the Portfolio's Risk Control tab.
- Type an email subject and message.
- To receive a copy of every sent email, select CC Me on the email.
- Select the co-branding option, which displays your logo at the top of the email. This is recommended because it shows that the communication is coming from your organization and not a third party.
Note: Learn how to upload your logo in your settings, which is required for the co-branding option.
- Review the email template and click Send Notification.
- Click I’m Ready to Send the Email in the confirmation dialog.
A pop-up confirmation indicates that the emails were sent.
A megaphone icon appears in the burndown chart, indicating the date on which alerts were sent out to companies. This icon remains visible for 48 hours after an alert is sent.