Assessment of Business Cyber Risk Shows Slight Improvement in National Risk Score and Highlights Need for Third-Party Risk Management

WASHINGTON, D.C.— August 19, 2019 —

The Q2 Assessment of Business Cyber Risk (ABC) report released today by the U.S. Chamber of Commerce and FICO recorded a National Risk Score of 688, a slight improvement over the previous quarter's score of 687. Since last quarter, the average score for large firms rose from 643 to 649 and small firms moved from 740 to 736.

While these scores reveal the nation’s cybersecurity risk was virtually unchanged, FICO and the Chamber urge businesses to do more to measure and manage risk posed by third parties.

More information: www.cyber-abc.com

"For years, the Chamber has urged organizations to adopt internet security fundamentals, including using the NIST Cybersecurity Framework for enterprise risk management," said Christopher D. Roberti, senior vice president for cyber, intelligence, and security policy at the Chamber. "But we are seeing that organizations are being targeted through third parties and must take steps to integrate a tailored third-party risk management into an overall risk management plan."

New Business Imperative: Third-Party Risk Management
In addition to data on the National Risk Score, the Q2 ABC report highlights the need for effective third-party risk management (TPRM). A growing percentage of cybersecurity incidents against businesses are the result of initial compromises against third parties, allowing malicious actors to gain access through a trusted relationship, move laterally and escalate privileges, and ultimately attain their target. As a result, TPRM is a high priority for many firms.

Larger and more sophisticated firms will typically have well-developed TPRM programs. The increase of highly publicized breaches, awareness of cyber risk, and emerging and evolving compliance frameworks are driving small and midsize firms to adopt these programs as well.

"Knowing your cyber risk is invaluable, and knowing the cyber risk of third parties you work with is essential," said Doug Clare, vice president of cybersecurity solutions at FICO. "Third-party risk management is emerging as one of the most important priorities for IT and security departments nationwide, and cybersecurity risk assessments are an increasingly important component of the broader TPRM framework."

To help businesses recognize and mitigate third-party risk, the ABC report offers four key steps that organizations should include within a broader third-party management framework:

1. Build a framework for third-party categorization
2. Develop workflow to address the intersection of risk and criticality
3. Assess high-impact suppliers frequently
4. Ensure appropriate risk transfer

More information on these four steps can be found in the report and on the FICO Blog.

About the Assessment for Business Cyber Risk
Based on the FICO® Cyber Risk Score, the U.S. Chamber of Commerce’s Assessment for Business Cyber Risk (ABC) is intended to advance cybersecurity awareness and improve the overall effectiveness of cyber defense programs, including third-party risk management (TPRM) activities.

The ABC's National Risk Score is the revenue-weighted average of the FICO® Cyber Risk Score for nearly 2.400 small, medium, and large companies. The score calculates the probability of an organization suffering a material data breach within the next 12 months. Just like a FICO credit score, the range is 300 to 850. For individual companies, the higher the score, the lower the likelihood that an organization will experience a data breach within the next 12 months. Similarly, a lower score indicates greater risk of a successful data breach based on five years of historic breach data. The score analyzes billions of cyber risk indicators and uses machine learning to produce a forward-looking metric for measuring cyber risk.

Organizations that choose to learn more about their specific security performance can register for a free subscription at http://cyberscore.fico.com. A new report from Chartis Research named FICO as a category leader in cyber risk quantification.

About the U.S. Chamber of Commerce
The U.S. Chamber of Commerce is the world’s largest business federation representing the interests of more than 3 million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations.

The Chamber has been leading on cybersecurity for years. In 2014, it launched a new comprehensive campaign under the banner Improving Today. Protecting Tomorrow™ to advance cybersecurity policies and legislation, while educating businesses of all sizes about cyber threats and how to protect against them.

Sobre a FICO
FICO (NYSE: FICO) powers decisions that help people and businesses around the world prosper. Founded in 1956 and based in Silicon Valley, the company is a pioneer in the use of predictive analytics and data science to improve operational decisions. FICO holds more than 195 U.S. and foreign patents on technologies that increase profitability, customer satisfaction, and growth for businesses in financial services, telecommunications, health care, retail, and many other industries. Using FICO solutions, businesses in more than 100 countries do everything from protecting 2,6 billion payment cards from fraud, to helping people get credit, to ensuring that millions of airplanes and rental cars are in the right place at the right time. Learn more at http://www.fico.com.

Join the conversation at https://twitter.com/fico and http://www.fico.com/en/blogs.

For FICO news and media resources, visit www.fico.com/news.

FICO is a registered trademark of Fair Isaac Corporation in the U.S. and other countries.

FICO Media
Greg Jawski
Porter Novelli for FICO
+1 212-601-8248
greg.jawski@porternovelli.com

FICO Investor/Analysts
Steven Weber
O FICO
+1 800-213-5542
investor@fico.com

U.S. Chamber of Commerce Media
Kathleen Ward
202-463-5682
kward@uschamber.com