Vendor Risk Management
The Vendor Risk Management (VRM) initiative focuses on cybersecurity in Out of Home (OOH). Whether large or small, all members face similar security risks, particularly with the rise of dynamic advertising and interconnected systems. To keep the whole OOH ecosystem safe and secure, it is important to ensure a consistent approach to mitigating risk.
The Out of Home (OOH) industry has grown rapidly, driven by mergers, new entrants, and the expansion of Digital OOH and programmatic buying. While positive, these shifts bring heightened cybersecurity risks.
To address this, the OMA formed the OOH Cybersecurity Sub-Committee to oversee the Vendor Risk Management (VRM) project, which ensures Service Providers have the right safeguards in place to protect Members from unacceptable security risks.
When Vendors register, they must complete two questionnaires: the built-in CIS Security Controls V8 and a Custom Questionnaire tailored to their Outdoor industry offerings. They are also required to provide proof of insurance (e.g., Cyber Liability, General Liability) and certifications such as ISO 27001, SOC-2 Type I, and SOC-2 Type II.
Registered vendors are reviewed annually, or earlier if vendor changes are reported.
The questionnaires review security across areas including technical systems, development methods, data storage and management, testing and QA, and data transfer and protection. Vendor responses will show whether minimum standards are being met.
Vendor offerings that can be assessed are:
• Software
- Verification Services
- Dynamic Services
- Programmatic Services
• Data Services
The questionnaires are tailored to each type of service, and OMA has partnered with BitSight to carry out these assessments.
With the assistance of the OOH Cyber Security Sub Committee, the OMA has prepared key 'Rules of Engagement' for Members to assess Vendors.