The challenge of cybersecurity has driven global interest from firms looking to quantify their own cyber risk, including that of their third-party network. A new report from research firm Chartis names FICO a category leader in cyber risk quantification solutions.
The Cyber Risk Quantification Solutions, 2019: Market and Vendor Landscape report notes:
“As the frequency and severity of cyber breaches continue to grow, cyber crime is now one of the biggest challenges facing financial institutions (FIs). FIs and vendors have sought to quantify cyber risk before, but increasingly they are spending such large sums on cybersecurity systems that they require defensible risk scores for their cyber domains. And only now is there technology available to automate analysis and leverage the vast datasets required to properly quantify cyber risk. Demand for cyber risk quantification (CRQ) solutions is coming from insurers – keen to assess the risk in counterparties’ infrastructure – and more general financial services firms, which want to assess the risk in the systems they rely on for their operations.”
A companion report, Vendor Analysis: FICO; Cyber Risk Quantification Solutions, 2019, gives more detailed analysis of FICO’s rating in the industry report*.
“Given FICO’s heritage in risk quantification and ML [machine learning], the underpinnings of the FICO Cyber Risk Score leverage a rich set of IP in feature engineering, designed to expose and amplify signals used to quantify forward-looking risk outcomes,” the Vendor Analysis states. It calls out three notable features of the FICO® Cyber Risk Score:
- Empirically derived. “The FICO Cyber Risk Score is built using a supervised analytic model. This score leverages mathematical relationships between signal data, inferred behaviors, and real-world security outcomes from both breached and non-breached organizations.”
- Focused on risk quantification. This is a better approach than relying on vulnerability inventories alone. “While vulnerability inventories are important, they can also serve to mask underlying risk. As a result, organizations may confuse security activity (e.g., patching cadence) with effectiveness, and distract security teams from focusing on impactful change.”
- Depth and breadth of signals. “The key risk signals leveraged by the FICO Cyber Risk Score are based on a deep database of time-series historical information, collected by FICO, which spans the entire internet address space for six years. This allows FICO to correlate conditions and behaviors to cyber incidents, regardless of delays in disclosure, and enables it to immediately generate scores for companies worldwide.”
As the report notes, the FICO® Cyber Risk Score, like the FICO® Score for credit, is a predictive tool rather than a report card: “Rather than grading the current state of the network, FICO evaluates forward-looking risk by employing an ML model that is trained to a well-defined objective outcome – the likelihood of a material data breach event in the next 12 months. This provides an easy-to-interpret result that applies across self-assessment, third-party risk management, and cyber insurance underwriting.”
Organizations can get a free subscription to their FICO® Cyber Risk Score at cyberscore.fico.com. Subscriptions for third-party risk management, including scores on third- and fourth-party vendors and supply chain partners, are also available.
*Note that the quadrant image and these statements were published by Chartis Research as part of larger research documents (‘Cyber Risk Quantification Solutions, 2019: Market and Vendor Landscape’ and ‘Vendor Analysis: FICO; Cyber Risk Quantification Solutions, 2019’) and should be evaluated in the context of the entire document(s). Chartis evaluates all vendors using consistent and objective criteria, and does not endorse any vendor, product or service depicted in its research publications, nor does it advise technology users to select only those vendors with the highest ratings or other designation. Chartis Research’s publications consist of the opinions of its research analysts and should not be construed as statements of fact.