“What gets measured, gets managed,” is one of executives’ go-to quotes, and with good reason. But unfortunately, many of the things that keep executives awake at night, such as the cybersecurity risk of their extended enterprise, have been impossible to measure, let alone manage, at least until now.
FICO recently announced new capabilities for identifying and scoring 4th party risk with the FICO® Enterprise Security Score, allowing organizations to:
- Pinpoint specific 4th party risks.
- Identify concentrations of risk throughout their extended enterprise and across common cloud services.
Connectivity Creates Aggregate Risk

The extended enterprise is not a new term, but in today’s hyper-connected environment, it takes on new meaning. Large companies may be connected over the internet to tens of thousands of business partners, each of which, in turn, may be connected to thousands more. These “4th parties”—the partners of partners—represent an additional, significant cybersecurity threat, as they can be conduits for all manner of attacks that eventually strike within the metaphorical “four walls” of any given enterprise.
Aggregate risk is a familiar concept in the property and casualty (P&C) insurance industry, in which the extreme impact of a common set of threats — such as a major hurricane — can affect a large portion of an insurer’s book of business at once. Aggregate risk modeling helps insurance companies take appropriate steps toward mitigation, including portfolio diversification and allocating appropriate capital to cover claims in case there is a major disruption.
Data breaches and malware attacks are the hurricanes and earthquakes of the rapidly growing cybersecurity insurance industry. Multiplied across the millions of interconnected businesses within the US alone, a single large cyber attack could trigger a similarly large number of claims, posing systemic risk to the insurance industry itself. But given the complex web of connectivity between most large enterprises and their extended network of business partners, it has been nearly impossible to identify and quantify aggregate risk.
A Score That Identifies 4th Party Risk

FICO has enhanced the FICO® Enterprise Security Score to identify the specific 4th party risks of scored organizations. While other approaches involve the application of industry averages, the FICO® Enterprise Security Score now helps breach insurers and enterprise vendor management teams to identify the specific vendor dependencies of their clients and business partners (including deployed IT components), and see the Enterprise Security Score of these 4th party relationships.
The service also helps users to identify common 4th party dependencies across a portfolio of 3rd party relationships. Breach insurers can now understand aggregate risk concentrations across a portfolio of policies, where multiple insureds may be exposed to common IT suppliers and technologies.
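To make the portfolio concentration idea in the preceding paragraph concrete, here is an added, constructed illustration; it is not FICO’s code or methodology, and the insureds, vendors and suppliers are made-up names. It walks each insured’s 3rd party vendors out to their own suppliers (the insured’s 4th parties) and ranks those 4th parties by the share of the portfolio that depends on them, keeping track of which vendor is the conduit.

```python
from collections import defaultdict

# Constructed sample portfolio (hypothetical names, not real companies):
# insured -> its 3rd party vendors, and vendor -> that vendor's own suppliers,
# which are the insured's 4th parties.
POLICIES = {
    "Insured-A": ["VendorX", "VendorY"],
    "Insured-B": ["VendorY"],
    "Insured-C": ["VendorZ"],
    "Insured-D": ["VendorX", "VendorZ"],
}
VENDOR_DEPENDENCIES = {
    "VendorX": ["CloudCo", "DnsCo"],
    "VendorY": ["CloudCo"],
    "VendorZ": ["CloudCo", "EmailCo"],
}


def fourth_party_exposure(policies, vendor_deps):
    """Map each 4th party to {insured: set of 3rd party vendors that act as the conduit}."""
    exposure = defaultdict(lambda: defaultdict(set))
    for insured, vendors in policies.items():
        for vendor in vendors:
            # A vendor missing from the dependency map simply contributes no 4th parties.
            for supplier in vendor_deps.get(vendor, ()):
                exposure[supplier][insured].add(vendor)
    return {s: dict(ins) for s, ins in exposure.items()}


def concentration_report(policies, vendor_deps, threshold=0.75):
    """Rank 4th parties by the share of insureds exposed to them; flag shares >= threshold.

    Returns a list of (fourth_party, share, exposed_insureds, flagged), highest share first.
    """
    total = len(policies)
    rows = []
    for supplier, insureds in fourth_party_exposure(policies, vendor_deps).items():
        share = len(insureds) / total
        rows.append((supplier, share, sorted(insureds), share >= threshold))
    # Highest concentration first; ties broken by name for stable output.
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for supplier, share, insureds, flagged in concentration_report(POLICIES, VENDOR_DEPENDENCIES):
        mark = "CONCENTRATION" if flagged else "ok"
        print(f"{supplier:<8} {share:>5.0%} {mark:<13} via {', '.join(insureds)}")
```

In the sample data every insured reaches CloudCo through at least one vendor, so a single incident at CloudCo would touch 100% of the portfolio even though no insured contracts with it directly.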
The FICO® Enterprise Security Score performs a complex assessment of an organization’s network assets, applies advanced predictive algorithms, and then condenses the results down to a three-digit score that rank-orders organizations by their odds of breach. The solution is now enhanced with key IT vendor and cloud service provider information for most organizations, allowing appropriately credentialed users to evaluate the risk of the extended enterprise.
Manage the Big Picture of Cyber Risk

Identifying 4th party risks is an increasingly important consideration for both enterprises and breach insurance carriers. These groups are concerned, respectively, about hidden, aggregate risk exposures across the extended enterprise and across their portfolio of insureds. With the FICO® Enterprise Security Score, both can now better measure and manage 4th party risk.
Follow me on Twitter at @dougoclare.