Morningstar

Morningstar is a global financial services firm based in Chicago specializing in investment research. Morningstar offers numerous services and products, including portfolio management, investment research, stock insights, and general market data.

Amy Voegeli is the Director of Security at Morningstar, overseeing compliance, third-party risk management, security project management, and privacy management functions.

The Challenge

Before UpGuard, Morningstar faced many challenges in its third-party risk management program, largely caused by a manual and unstructured process. With no formal process in place, Morningstar lacked the necessary resources to maintain a comprehensive security program, could not keep historical records of its vendors, and had trouble tracking its security performance over time.

Part of each security review involved a manual ad hoc process to evaluate a third party, including using Excel spreadsheets as security questionnaires. In addition, every vendor's due diligence process was also different and time-consuming. As a result, Morningstar was only able to assess 5 to 10 vendors a year. This limitation impacted Morningstar’s ability to properly assess their vendors, leaving them open to potential third-party risks.

The Solution

After securing an additional budget, the Morningstar team was able to dedicate further resources to launch their TPRM program. Through UpGuard, Morningstar restructured and standardized processes with the workflows, tools, and capabilities offered in-platform, using both BreachSight and Vendor Risk.

“The UpGuard platform is straightforward, easy to use, and gives you exactly what you need, unlike other platforms that are over-engineered.”

Morningstar uses UpGuard for third-party vendor management and risk assessments, and the platform has allowed the firm to gain deeper insights into its vendors. All of the findings are built into the questionnaire process, which has helped streamline Morningstar’s vendor assessment workflow and drastically increase its assessment volume. Ultimately, Morningstar now has the ability to accurately tier their vendors and onboard them with greater efficiency.

Furthermore, Morningstar was able to easily access their vendors’ security documentation and evidence through the UpGuard platform, allowing them to optimize their review process. This feature makes it easier to view a vendor’s security posture in one centralized location, rather than switch between various tools to track assessments.

The Results

After onboarding UpGuard, Morningstar has increased its vendor assessments by over 1300%, with an estimated 130 new vendors being reviewed annually. What used to take a full day or more to assess a single third party has been reduced to just 1-2 hours, once all the evidence and questionnaire responses have been collected.

“It takes no more than two hours to complete a review, compared to a full day’s of work before. In some cases, we could probably finish a review in about an hour.”

In addition, the Morningstar team is highly satisfied with the excellent customer experience and support that UpGuard’s Customer Success team provides, citing the high level of technical knowledge and expedited support on issues that may arise. Because Amy and her team use the UpGuard platform daily, it’s important for them to maximize usage of the platform’s extensive range of features, and working closely with the CS team enables them to do so. 

“UpGuard’s Customer Success Managers are far more knowledgeable about their tool than other vendors we’ve worked with. The entire team understands exactly how to utilize the tool to its fullest ability.”

Overall, Amy appreciates the UpGuard platform's flexibility and how seamlessly it scales with Morningstar’s third-party risk management program, especially as it continues to mature. The platform is intuitive and allows users to customize their usage based on their company’s cyber maturity. With the high level of support that Morningstar receives and the UpGuard platform’s comprehensive features, they have transformed their TPRM program to make their security review processes more efficient, assess over 10x the number of vendors, and manage everything from the UpGuard platform from start to finish.