We Got Tired of Monitoring Vendors so we Automated It!

With the myriad vendor management requirements that financial institutions must handle, and frequent mergers and corporate changes among vendors themselves, the task of keeping up with third-party service providers can be daunting! This is where my story begins….

I’m a former Microsoftie and startup junkie who finally took my first entrepreneurial leap as a partner since my early college days. My longtime friend and colleague Randy Lindberg, CEO of Rivial Security, convinced me to join Rivial and help grow their efforts from a pure services organization to a software and services organization. So what happens when you combine an application developer with the routine process of monitoring vendors?

Learning the customer, the market, their membership, the rules and regulations has been quite a bit to process as I began to wrap my arms around what was my new customer, my partner, my community banks and credit unions. Randy and I talked for hours about the opportunity in the market, but we kept coming back to 3 core things:

1. Rivial has the best Risk Assessment process when looking at the competition; what these assessments produce educates each client without the need to search through obscure findings. Randy’s been doing Risk Assessments for close to 15 years and he has seen almost everything in the field. So combine our ability to execute on Risk Assessments with knowing that by regulation (and indirectly by law due to GLBA), all financial institutions are required to do a risk assessment every year. They can choose to do it themselves or outsource it.

Side note: Randy has written quite a few “How To’s” for our security partners including this Cybersecurity Vendor Template that helps assess your Vendor Risk using the NIST Cybersecurity Framework. Use this template as a starting point in assessing your risk for a particular vendor.

2. Although Randy has doubled Rivial’s revenue each year since its founding in 2010, outside of a GRC Module he co-developed for another SaaS partner of ours, Quantivate, we did not have any other tangible intellectual property outside of the proprietary way we do our services. I saw this as a clean slate to come in and focus on an area and build a product from the ground up that paired nicely with our existing service offerings of risk assessments, IT audits, penetration tests and social engineering services. It was here we discovered the idea of Rivial Vendor Intelligence. We knew that, by law, banks and credit unions of all sizes must comply and perform risk assessments and due diligence on their critical vendors each year. It would make sense that we continue to perform risk assessments for all potential customers, but the need for vendor monitoring and quality due diligence was obvious.

3. Let’s take a look at exactly what is required for quality due diligence reporting: Due diligence is the manual process of requesting financials, SSAE 16s, SLAs and a product baseline reporting on how each of the critical vendors you rely on is performing. From talking to my friends and colleagues in this new financial world, it became obvious there is a pain point in performing this due diligence and no real low-cost alternatives for quality third-party data reporting as required by the NCUA or FDIC audits.


Given what we know about Rivial’s core competencies and examining the three points above, we set out to build vendor due diligence reports with our target market in mind (<$500M in assets), and the product would be known as Vendor Intelligence. Vendor Intelligence is a new SaaS application that helps banks and credit unions perform their due diligence monitoring of their critical vendors yearly as required by legislation. Using well-known sources for web data, business data and detailed cybersecurity reviews allows us to inspect the performance of these third parties without requiring cooperation from the vendor. It’s this expert data that our banks and credit unions use to perform their due diligence on their most trusted business partners.

So how did we do it, and so quickly? Total time from concept to development was 10 weeks, and we began serving our first customers in February 2015.

We needed a development partner. We had ideas, requirements, features, wireframes and even some example screenshots, but we did not have a working product. For us it was logical to outsource to a well-known partner who could work with us as we launched our first standalone SaaS product in the cloud. This is where Stephen Brown’s Schemata.io stepped in and helped us build a version 1.0 of Vendor Intelligence. Vendor Intelligence is a lightweight Ruby on Rails application with a MySQL backend that talks to Schemata.io’s proprietary Java service. It is this blended solution that allows us to report across so many disparate data sources while creating customer value by way of Critical Vendor Reports, which are auto-generated PDFs that you can disperse to your team. We then performed a 2-week beta with several higher-profile partners.

This story is far from over, but it gives you a sense of where Rivial is, where we are going and a little bit more about where we’ve been. If you would like your own sample critical vendor report you can have one on us ($250 value) - Get it here Free.