The OMA has launched a new initiative known as Vendor Risk Management (VRM), focusing on cyber security in OOH. Whether small or large, all Members have similar security risks, particularly with the rise of dynamic advertising and interconnected systems. It is important to ensure all Members have the same approach to security, so that the whole OOH ecosystem is consistent and secure.

It is also critical for Members to have a supply chain of trusted organisations, as it ensures the highest level of risk management and security for all Members in the supply chain. 

This VRM initiative outlines the way our vendors should interact with Members when providing Software and/or Data Services, to ensure that the security of our Members and their OOH assets is effectively managed. In other words, it provides the “rules of engagement” for Vendor Services when interacting with Members.

This initiative will make it easier for Members to assess vendors, particularly those who may not have the resources or expertise in house, and will also reduce the duplication of effort for vendors who are working across multiple Members.

Why is OMA doing a VRM for Members?

There have been significant changes across the OOH industry, including significant growth, an increase in the size of the dominant OOH companies due to mergers and acquisitions, an increase in the number of small to medium sized OOH companies, and the significant growth of Digital OOH assets, along with programmatic buying for those assets.

These factors and more have changed the OOH landscape and while they are all positives for the OOH sector, they do bring some challenges, not the least of which is the heightened risk of cybersecurity issues.  

Security covers a wide range of areas including physical security, data security, redundancy, cybersecurity, and much more. Recognising this, the OMA established the OOH Cybersecurity Sub-Committee, and they are overseeing the VRM project.

The overarching goal is to provide Members with data on Service Providers, to ensure they have the right processes and checks and balances in place and that the services they provide will not cause any unacceptable security issues or risks for those Members.

How is OMA conducting the VRM?

On behalf of all Members, the OMA is providing each Service Provider with questionnaires and an opportunity to submit related documentation. The OMA will manage the process through the BitSight VRM platform, assessing each response and communicating the results in our member portal.

What types of software and data services are being assessed?

The questionnaires look at security across a range of elements covering technical infrastructure, development methodologies, environments where Members’ data will be stored and managed, testing and QA processes, data transfer and protection processes. The responses will allow the OMA Members to determine whether minimum standards are being met. 

In summary the types of services the Service Providers may provide Members include:

  • Software
    • Verification Services
    • Dynamic Services
    • Programmatic Services
  • Data Services

Questionnaires have been designed specifically to suit the vendor services offered, and the OMA has partnered with ThirdPartyTrust, a BitSight company, to perform these assessments.

How will Service Providers be assessed?

Service Providers complete two different questionnaires in the ThirdPartyTrust portal after enrolling through the invite:

  • CIS - Security Controls V8
  • Custom Questionnaire

The CIS – Security Controls V8 questionnaire is an in-built questionnaire framework in the platform and covers all the controls and more, aligning with best practice Cyber Security posture for an organisation and its technology. Using a known framework gives vendors an easier way to answer, in a format they should already be familiar with.

The Custom Questionnaire is built according to the products and solutions delivered by the Service Provider to the Outdoor industry.

The Service Providers will also be required to provide insurance and certification documents including:

  • Insurances
    • Cyber Liability / Data Privacy
    • Commercial General Liability
  • Certifications 
    • ISO 27001 and Statement of Applicability (SoA)
    • SOC-2 - Type I
    • SOC-2 - Type II

What are the Rules of Engagement?

The OMA, with the assistance of the OOH Cybersecurity Sub-Committee, has prepared key 'Rules of Engagement' for Members to assess Vendors. You can view a copy below:

How often are vendors assessed?

Vendors are assessed annually from the initial date of review, or their assessment is otherwise updated if the vendor reports changes.

For more information on OMA’s VRM project please reach out to