Cyber Risk Assessment for U.S. Businesses Holds Steady for First Quarter of 2019

WASHINGTON, D.C. — April 11, 2019

• The quarterly Assessment of Business Cyber (ABC) Risk for the first quarter of 2019 holds steady at 687— unchanged quarter over quarter.
• The ABC is based on scoring nearly 2,400 U.S. companies using the FICO® Cyber Risk Score, an empirical standard for assessing cybersecurity risk.
• The U.S. Chamber of Commerce and FICO supplied a list of six recommendations for businesses to improve their cyber posture.

According to the Assessment of Business Cyber Risk (ABC) report released today by the U.S. Chamber of Commerce and FICO, the level of cyber risk to the U.S. business community is holding steady for the first quarter of 2019, with a national risk score of 687.

More information: www.cyber-abc.com

The ABC measures the aggregate cybersecurity risk faced by the U.S. business community. Based on data from the FICO® Cyber Risk Score, the ABC is intended to advance cybersecurity awareness and improve the overall effectiveness of cyber defense programs.

The report reveals that since the fourth quarter of 2018, small firms showed a slight improvement—up to 740 from 737—while large firms moved from 646 to 643. These changes indicated relatively stable risk performance from quarter to quarter.

“The disparity in risk scores between small and large organizations is due to the fact that large firms have a wider attack surface and are more frequently the target of cybercriminals,” said Doug Clare, vice president for cybersecurity solutions at FICO.

The ABC is the revenue-weighted average of the FICO® Cyber Risk Score for nearly 2,400 small, medium, and large companies. The score calculates the probability of an organization suffering a material data breach in the next 12 months. Just like a FICO credit score, the range is 300 to 850. For individual companies, the higher the score, the lower the likelihood that an organization will experience a data breach in the next 12 months. Similarly, a lower score indicates greater risk of a successful data breach, based on five years of historic breach data. The score analyzes billions of cyber risk indicators and uses machine learning to produce a forward-looking metric for measuring cyber risk.

“As businesses review the results for their organizations, it’s important to note that industries carry different levels of risk, which are outside the control of individual firms,” said Clare. “Banks are riskier than bakeries because they are richer targets, with more data to steal and that data is more valuable. The FICO® Cyber Risk Score looks at both security preparedness and sector-level risk factors, and both are reflected in the ABC.”

Tips for Improving Cybersecurity
“When we launched the ABC in October 2018, it was a wake-up call to many businesses across the country,” said Christopher D. Roberti, senior vice president for cyber, intelligence, and security policy at the U.S. Chamber of Commerce. “Our focus this quarter is to help businesses understand how to improve their cyber posture. It is important to emphasize that a lower score—whether for a company or a sector—does not necessarily imply that insufficient diligence is being applied by those entities. Such entities may simply have a higher risk profile (i.e., they face greater risk of breach) due to the nature of their businesses.”

Managing risk in the world of cybersecurity is about managing behavioral risk and skills gaps, as well as technical flaws. Based on the observations of thousands of businesses scored for the ABC, the U.S. Chamber and FICO offer these six recommendations:

1. Use the National Institute of Standards and Technology (NIST) Cybersecurity Framework to develop an information security program. The framework enables organizations—regardless of their size, risk profile, or cyber sophistication—to develop a cybersecurity plan or improve an existing one.
2. Develop a reliable understanding of one’s network. This includes identifying assets to apply security management based on risk.
3. Identify functions and teams whose process and policy maturity are not performing adequately. This will enable organizations to identify weak links in technology, personnel, policy, and leadership.
4. Oversee an organization’s network team to confirm alignment to the details of network management policies. Avoid unnecessarily exposing network infrastructure assets and ensure correct configuration for those that must be exposed.
5. Protect and monitor network endpoints. Organizations that monitor endpoints are able to provide an early warning of potential problems.
6. Develop a process to confirm that active certificate management programs are in place and are being implemented.

More information on how to improve cybersecurity in your organization can be found in the report and on the FICO Blog.

Organizations that choose to learn more about their specific security performance can register for a free subscription at cyberscore.fico.com.

About the U.S. Chamber of Commerce
The U.S. Chamber of Commerce is the world’s largest business organization representing the interests of more than 3 million businesses of all sizes, sectors, and regions. Our members range from mom-and-pop shops and local chambers of commerce to leading industry associations and large corporations. They all share one thing—they count on the U.S. Chamber to be their voice in Washington, D.C. For more information, visit uschamber.com and FreeEnterprise.com, like us on Facebook, and follow us on Twitter.

The Chamber has been leading on cybersecurity for years. In 2014, it launched a new comprehensive campaign under the banner Improving Today. Protecting Tomorrow™ to advance cybersecurity policies and legislation while educating businesses of all sizes about cyber threats and how to protect against them.

About FICO
FICO (NYSE: FICO) powers decisions that help people and businesses around the world prosper. Founded in 1956 and based in Silicon Valley, the company is a pioneer in the use of predictive analytics and data science to improve operational decisions. FICO holds more than 195 U.S. and foreign patents on technologies that increase profitability, customer satisfaction and growth for businesses in financial services, telecommunications, health care, retail, and many other industries. Using FICO solutions, businesses in more than 100 countries do everything from protecting 2.6 billion payment cards from fraud, to helping people get credit, to ensuring that millions of airplanes and rental cars are in the right place at the right time. Learn more at https://www.fico.com.

Join the conversation at https://twitter.com/fico and http://www.fico.com/en/blogs.

For FICO news and media resources, visit www.fico.com/news.

FICO is a registered trademark of Fair Isaac Corporation in the U.S. and other countries.

Contacts

FICO Media:
Greg Jawski
Porter Novelli for FICO
+1 212-601-8248
greg.jawski@porternovelli.com

FICO Investors/Analysts:
Steven Weber
FICO
+1 800-213-5542
investor@fico.com

U.S. Chamber of Commerce Media:
Kathleen Ward
202-463-5682
kward@uschamber.com