
Q2 2019

Powered by

Assessment of Business Cyber Risk

U.S. Chamber of Commerce

Third Party Risk Management Special Edition


Q2 2019 | Assessment of Business Cyber Risk

Contents

Introduction 4

Cybersecurity Expert Sees Third-Party Risk as Growing Problem 6

Case Study | Your Company Has Good Cybersecurity, but What About Your Partners? 8

Recommendations for Third-Party Risk Management 11

The National Risk Score 16

The FICO® Cyber Risk Score 18

Methodology 20

Press 22


Introduction

Cybersecurity is a top priority for the U.S. Chamber of Commerce. In today’s world, economic security and national security are linked. Attacks in cyberspace are being carried out by a wide range of actors—pranksters, criminals, hacktivists, and nation-states. Bad actors can compromise critical infrastructure, sensitive government information, intellectual property, business networks, and personal and health information.

Creating opportunities for improved knowledge and richer discourse is an important objective of the U.S. Chamber’s cybersecurity initiatives. The Assessment of Business Cyber Risk (ABC) promotes awareness and enhances dialogue on risk management by enabling U.S. businesses to understand cyber risk of a data breach within the context of similarly sized businesses—and to compare their situations with the ABC benchmarks. We believe this assessment to be useful as businesses work to improve the security posture of their networks and understand the potential risks they face via third-party relationships.

Businesses best manage activities that can be measured effectively. To optimize their security posture, enterprise leaders must understand and manage the business and security considerations in a landscape of constantly evolving threats. This, in turn, requires companies to balance the relative risks and rewards of all activities that might impact their security, including their relationships with other organizations.

It remains true that a large proportion of security incidents experienced by businesses are the result of third-party relationships. According to Ponemon Institute’s 2018 report, Data Risk in the Third-Party Ecosystem, more than 60% of U.S. chief information security officers (CISOs) indicated their firm had been the victim of a third-party breach incident. The survey also found that 75% of firms believed that their risk of third-party incidents is increasing.[1] Accurately and efficiently assessing third-party cybersecurity risk has become a critical priority for many businesses. Similarly, emerging and evolving data privacy directives are likely to ensure that improved management of third-party risk remains a focus for management and boards of directors in the foreseeable future.

Based on the FICO® Cyber Risk Score, the ABC is intended to advance cybersecurity awareness and improve the overall effectiveness of cyber defense programs, including third-party risk management (TPRM) activities. The FICO® Cyber Risk Score provides an empirical assessment of security risk using a scoring range of 300 to 850, with higher scores reflecting a lower risk of a data breach. Whether looking at your own organization’s score or that of other entities, it is important to emphasize that a lower score—whether for a company or a sector—is an indication of observable risk factors and does not necessarily imply that insufficient diligence is being applied by those entities (e.g., large financial institutions leverage a layered approach to manage risk across an expansive attack surface). Rather, such entities simply have a higher risk profile (i.e., they face greater risk of attack) due to the nature of their business activities.


To properly address risks, the risks must first be understood—and then relevant information and assessments leveraged to inform decision making. Business leaders make decisions about third parties based on many factors, including quality, reliability, and associated costs; however, organizations increasingly seek to understand the security posture and cyber track record of firms with which they do business. This may involve qualitative assessments, security audits, and standards attestations; it may also involve quantitative risk assessments, scores, and ratings. The ABC and the FICO® Cyber Risk Score offer valuable insights into relative risk that may help organizations assess third party exposure. Combined with other assessment tools, they are a useful asset when evaluating and monitoring third-party risk.

To help businesses identify and mitigate third-party risk, the ABC offers four key steps, among others, that organizations should include within a broader third-party management framework:

• Build a Framework for Third-Party Categorization. Third-party categorization helps inform supply-chain risk managers of which third parties require a deeper assessment based on their role in the evaluating organization’s business activities, and the size and criticality of the relationship.

• Develop Workflow to Address the Intersection of Risk and Criticality. Based on an established third-party categorization framework, risk managers can utilize cybersecurity risk quantification tools, to include the FICO® Cyber Risk Score, to group organizations into portfolios where cyber risk and impact/criticality can be considered together.

• Frequent Assessments of High-Impact Suppliers. Based on the combination of criticality and risk, managers of third-party risk should establish a cadence for reviewing critical information.

• Ensure Appropriate Risk Transfer. Comprehensive third-party risk management programs frequently include insurance-based risk transfer. A simple approach to risk transfer considers the intersection of supplier risk and criticality, and imposes insurance requirements on those suppliers whose combination requires additional protection. Risk mitigation is also an option, either through requiring increased controls at the third party or implementing controls at the primary organization.

Putting aside information and communication technology supply chains, organizations’ business relationships rely on a complex, globally distributed, and interconnected third-party ecosystem. This ecosystem is composed of various entities with outsourcing, diverse distributed routes, and assorted technologies, laws, regulations, policies, and processes interacting at digital and business speeds. Because supply chains differ significantly across and within organizations, these third-party risk management recommendations should not be viewed as a one-size-fits-all solution to third-party risk management; rather, they should be tailored to individual organizational context and implemented as part of an overall enterprise risk management plan.

[1] Opus Global, Inc., 2017. 6 Trends From the Ponemon 2017 Third-Party Data Risk Study Your Organization Can’t Afford to Ignore. Accessed 16 May 2019. www.opus.com/ponemon-2017

Cybersecurity Expert Sees Third-Party Risk as Growing Problem

The U.S. Chamber asked Chris Wallace, director of cyber risk at T-Mobile, about third-party cyber risk, how T-Mobile quantifies that risk, and what companies can do about it. Here are some of his thoughts.

What is third-party risk management (TPRM) in cybersecurity, and why is it so important?

Cybersecurity from a vendor and supplier standpoint is becoming very important, largely because we’ve seen a trend in attacks from attacking the company you want to attack, to attacking companies adjacent to the company that you want to attack.

A lot of those [third-party] companies will have similar access to what they [criminals] are looking for, but [they possess] fewer hurdles than the company itself.

Do you use a risk ratings product to evaluate the security of your chain? If so, can you walk me through how that’s done?

We use the FICO® Cyber Risk Score (CRS) as supporting data, but we ourselves will do our own risk analysis and assessment on a vendor or supplier. …We’ll use the FICO tool to support not only our analysis, but we have other companies that we share that data with as well.

If you know your own CRS, isn’t that enough? Why do you need to know the CRS of your partners? What’s the value in that?

Getting trust over the supply chain is significantly harder than just saying to a third party: “Hey, make sure you’re good!” If you look at the whole, entire supply chain—where we don’t have direct control, or even influence—it becomes pretty scary, pretty quickly. You want to get some level of comfort and analysis around it so you can make decisions eyes wide open and say, “These are the risks; we know about them, and we are working on them.” It is also important to understand the holistic picture of the parties you are dealing with. There are unique risks associated with large banks, for example, yet such firms are generally considered to be very capable and well-defended.


If you discover that one (or several) of the companies in your supply chain has a score significantly below the National Risk Score, what might you do in response?

I want to set thresholds so that if and when they fall below or above any score, we would take appropriate action. If it’s positive, we want to make sure that was something done by them.

If it’s negative, we want to figure out what happened there. We want to engage with this vendor to have a discussion about it and jointly work to mitigate risk.

What are some common best practices for large and midsize organizations to manage third-party risk?

Before, we were being engaged a day or a week before a product launch, when someone would say: “Can you look at this from a cybersecurity standpoint?” And we would have to say, “No,” or, “We can’t do it quickly enough.” Once we sat down with the business units and understood the processes for onboarding a vendor or releasing a product, we were able to get involved earlier. But that’s only half the battle; then you have to come up with a process that makes sense.


Your Company Has Good Cybersecurity, but What About Your Partners?

With cybersecurity as a growing priority, many companies understand their own security posture but fail to understand the risks presented by their partners and contractors. The FICO® Cyber Risk Score (CRS), included in the quarterly Assessment of Business Cyber Risk (ABC) report, provides a baseline against which companies can compare their own breach risk with that of their supply chain.

Because cybersecurity is a growing priority, many companies understand their own security posture—but they fail to understand the risks presented by their partners and contractors, according to cybersecurity experts. The CRS, included in the quarterly ABC report, provides a baseline against which companies can compare their own breach risk with that of their supply chain.

“A first party can inherit myriad cybersecurity risk from a third party inadvertently, through their third parties or supply chain,” says Mingyan Liu, professor of electrical engineering and computer science at the University of Michigan, Ann Arbor, co-founder of Quadmetrics, and key contributor of the intellectual property and methods that underpin the FICO® Cyber Risk Score. “For example, if a cloud service platform provider gets breached or goes down, the first party who uses that service will suffer a business interruption. So, the risk propagates along the entire chain of business relationships.”

The risks a company “inherits” from its suppliers and business partners can be very significant. In some cases, companies have suffered a breach when hackers successfully penetrated subcontractors or third-party vendors and then used those stolen credentials to access sensitive customer data.

“If a third party goes down, it affects you. If you’re unable to access customer records or process transactions because a third party is down, that ultimately impacts your revenue,” says Josh Ladeau, global head of tech and cyber at Aspen Insurance. “Same thing for a supply chain: If you’re unable to receive the goods necessary in order to conduct business, that interferes with production and your bottom line.”


Risk ratings, such as the FICO® Cyber Risk Score, have emerged as a means to enable the complex task of cybersecurity risk management. These tools provide a clear method to compare organizations based on their cybersecurity risk management programs. With a single score or rating, an organization can measure apples to apples and objectively determine which third party potentially poses more risk. While a risk rating may not provide a full picture of an organization’s cybersecurity risk management program—due to the limitations of publicly available information—ratings allow organizations that manage complex supply chains to identify which third parties potentially pose more risk, and identify where they should apply more security resources.

“Third-party risk represents one of the most dangerous and impactful sources of risk,” says Curt Dalton, security strategy and risk lead for North America at Accenture Security. “If you’re following the media, third-party risk is a regular entrant onto the front page.”

Liu says the FICO® Cyber Risk Score (CRS) lets companies do three things:

• Discover and get a handle on who their suppliers actually are.

• Evaluate how good their partners are at maintaining their own cybersecurity.

• Understand the business relationship between themselves and a third party. That is, does a partner supply an always-on cloud platform for your business? Or does it offer cleaning and maintenance services for your office buildings? And as a consequence, how might a breach at their company affect your business?

If a company learns that the cybersecurity of one of its partners isn’t performing adequately, it has a number of remedies: Engage with the partner, take no action, or end the relationship entirely. Ladeau recommends reaching out promptly to a partner whose cybersecurity—perhaps unknown to them—might not be as good as they thought.

“As a buyer, especially a large buyer, you’re able to drive behavior in a vendor or a supply chain,” Ladeau says. “You’re able to engage hands-on with that third party to potentially nip something in the bud.”

One of the benefits of the CRS is that it evolves as cyber threats evolve. In cybersecurity, assessments that are only six months old can be considered ancient and not current enough to counter the latest methods used by the savviest cyber criminals.

“When it comes to third-party risk, much of the industry is still using the legacy approach of sending out questionnaires once per year and triaging those results. That singular, slice-in-time assessment approach has to evolve,” Dalton says. “It has to evolve to a more proactive approach that provides continuous monitoring.”

Ladeau also stressed that the human element is important—even the best plan will fail if it is not implemented correctly, maintained properly, and adjusted over time.


“Let’s say there is a process for third-party cybersecurity. What does that ongoing process look like?” Ladeau says. “You put together a committee, do all this work, you create a document—and that document goes on a shelf. Four years down the road—nobody’s kicked the tires. The ability to continually assess those relationships is vital.”

Liu says that firms can use the CRS—along with other tools—to evaluate their security and that of their partners to find a level of security that is right for their organization.

“To be able to quantify risk is very important,” Liu says. “You will never get a system that is 100% secure, unless you don’t communicate at all. Businesses should focus on risk assessment as much as they do on securing their own systems: How secure is secure enough?”


Recommendations for Third-Party Risk Management (TPRM)

Larger and more sophisticated firms will typically have well-developed TPRM programs; however, many midsize and even some small firms are adopting these programs due to highly publicized breaches, increased cyber risk awareness, and compliance frameworks (e.g., European Union’s General Data Protection Regulation).

Many formalized TPRM programs include processes for assessing different aspects of risk, both during the establishment of the business relationship and periodically thereafter. Increasingly, certain aspects of risk—including cyber risk—are subject to continuous monitoring, providing the supply chain risk management professional with the ability to recognize and mitigate risks as they evolve over time. This also allows firms and suppliers to engage in dialogue that not only reduces overall risk but also extends and preserves important business relationships.

Cybersecurity risk assessments are an increasingly important component of the broader TPRM framework. They are performed within a larger construct of third-party management and often cover multiple pillars of risk within the governance and compliance fields, to include “know-your-business-partner,” supply chain anti-money laundering compliance, and financial and trade credit risk assessments, among others. In this report, we will be discussing key steps in the assessment of cyber risk within a wider third-party management framework. These steps include: (1) building a framework for third-party categorization; (2) developing workflow to address the intersection of risk and criticality; (3) frequently assessing high-impact suppliers; and (4) ensuring appropriate risk transfer.

Step One: Build a framework for vendor categorization

Effective risk management requires managers of third-party risk to define business requirements, business relationships, and risk factors in order to generate a framework for third-party categorization. This framework will normally take into account how a third party is utilized by the organization as well as other factors inherent to the supplier. The purpose of categorization is to decide which third parties require a deeper assessment, based on their role in the evaluating organization’s business, and on the size and criticality of the relationship (e.g., a catering contractor for a local office party versus a business partner that impacts every customer relationship of the assessing organization). Criticality is defined as the overall importance to the goals of the organization, combined with the impact that inadequate operation or loss would have on the organization. As the assessment takes shape, suppliers are ranked, which allows the organization to implement risk- and impact-appropriate management processes. A successful third-party risk management system will allocate time and resources to deeper assessments in areas where impact is greatest, based on the combination of risk and supplier criticality.


To determine a third-party's criticality, organizations should develop a framework specific to their business objectives, their staffing, and their needs. In general, risk managers may consider:

• What is the nature of the supplier relationship (i.e., what services are being supplied)?

• Is this a new relationship or an established one?

• What is the size of the supplier relationship?

• What is the financial strength of the supplier?

• Where does the supplier operate (e.g., regions, cloud)?

• What data are shared with the supplier?

• Which certifications and standards are maintained by the supplier?

• Are alternative suppliers available, and how quickly could they be engaged if necessary?

• Would compliance exposure occur in the event of a breach at the supplier?

• How is the supplier insured?

Once the questions above are answered, a third-party risk manager can establish a risk profile to help drive further actions. After this framework is developed, and to further address cybersecurity risk, organizations can move to the second step: assessing third parties through a risk-aware, impact-appropriate workflow.

Step Two: Develop workflow to address the intersection of risk and criticality

Based on an established third-party categorization framework, vendor risk managers can utilize cybersecurity risk quantification tools, including the FICO® Cyber Risk Score, to group organizations into portfolios where cyber risk and impact/criticality can be considered together. According to the combination of risk and criticality, a differentiated workflow may then be applied. This allows the organization to base decisions not only on the absolute risk enumerated by a cyber assessment (qualitative and/or quantitative), but also on criticality and overall impact to the business.

Once third parties are assigned to a portfolio, risk managers can develop the strategy and workflow for engagement and undertake a risk- and impact-appropriate set of actions for remediation, improvement, or replacement. The first step is determining whether additional information is needed to assess cyber risk. Here, the firm may elect to set a score threshold—or a set of thresholds based on categorization and impact—to determine whether additional data are required. The next step may be to review adjacent risk elements, such as financial stability, to understand the overall health of the business and how this may affect cyber risk.

For each of the elements of a third-party risk workflow, the organization must determine thresholds for risk—absolute or within a benchmark category—based on their business requirements and risk appetite.

With respect to cyber risk specifically, decisions and actions may include the following:

• Perform regular and recurring on-site audits

• Collect additional data via a detailed cybersecurity questionnaire to better understand:

  • Processes

  • Infrastructure

  • Skills and organizational structures

  • Mitigating controls

• Obtain evidence of ongoing compliance with standards (e.g., service organization controls reports)

• Prescribe actions for remediation

• Determine when risk—absolute or relative—is too high, and institute steps to engage alternative suppliers

• Promote awareness by inviting third parties to review their FICO® Cyber Risk Score or other cyber assessment tool

By setting appropriate thresholds based upon risk and criticality, an organization may deploy its limited risk assessment and risk management resources where they are most needed. This also helps to avoid spending time and money assessing third parties with limited risk or impact. Where third parties are both high-impact and high-risk, more intense and more frequent scrutiny can be applied. Where impact and risk are low, less intense and less frequent review may be warranted.

Step Three: Frequent assessments of high-impact suppliers

After completing the processes outlined in the previous steps, a risk manager could implement a comprehensive program that vets current and prospective third parties for the impact and risk that they represent in the context of the vendor contract. Continuous third-party risk mitigation is the next stage in the risk management process. Based on the combination of criticality and risk, managers should establish a cadence for reviewing critical information. This may include a full reassessment of high-impact suppliers on an annual basis, or it may involve a less-frequent full-scale review, supplemented by continuous monitoring of key risk assessment inputs such as financial health and cybersecurity performance.

Tools, such as the ABC National Risk Score, which offers a general rating of cyber risk for benchmarking, and the FICO® Cyber Risk Score, which gives company-specific metrics, may be leveraged together to provide a directionally correct view of relative risk. To better mitigate risk, firms are increasingly leaning on cyber scoring and/or cyber rating services to track overall risk as well as observable—and potentially actionable—conditions and behaviors that contribute to that risk. Feedback from cyber scoring or rating services sheds light onto whether a specific supplier is performing as well as similarly situated peers, whether that supplier is improving or weakening over time, and whether the supplier’s relative risk is decreasing or increasing. While this kind of analysis may appear simple or self-evident, it should prompt a more detailed analysis when merited, and it can be leveraged to drive a productive dialogue between firms when discrepancies or changes in the score indicate the need for constructive discourse.

[Figure: Trade-Offs. A matrix of risk against criticality, ranging from lighter scrutiny / infrequent review at the low end to more scrutiny / frequent review at the high end.]

Developing processes that consider risk and criticality enables third-party risk managers to apply resources and effort where they are needed the most.

Step Four: Ensure appropriate risk transfer

Comprehensive risk management programs frequently include insurance-based risk transfer. Risk mitigation is also an option, either through requiring increased controls at the third party or implementing controls at the primary organization.

A simple approach to risk transfer considers the intersection of third-party risk and criticality, and imposes insurance requirements on those parties whose combination of risk and criticality requires additional protection. The amount of coverage that a firm is required to carry can be ascertained in part based on information collected in the third-party categorization process, including information such as the amount and type of data shared with the supplier. Estimates of the cost “per record” for a breach vary widely, ranging from $100 per record to $350 per record, depending on the nature of the data. Depending on business requirements, some classes of third parties may be required to carry specific breach coverage as a part of the risk management program. Firms may require that they be named as additional insureds in supplier policies for those coverage areas.

Cyber insurance is a rapidly growing area of specialty coverage for carriers. The Cyber Insurance Market Report, published by Allied Market Research, forecasts that the global market for cyber risk coverage is expected to garner $14 billion by 2022, registering a compound annual growth rate of nearly 28% during the period 2016 to 2022. Another reason to consider your firm’s risk relative to the ABC National Risk Score is that brokers, carriers, and reinsurers also increasingly leverage standardized cyber breach risk quantification metrics as an additional tool for underwriting and pricing cyber breach insurance. We will focus further on the cyber breach risk insurance market in next quarter’s ABC report.
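As an added example that is not part of this report (and not FICO's or the Chamber's tooling), the following Python model works the four steps above through on a constructed vendor portfolio: it maps the categorization questions to a criticality tier, combines that tier with an assumed banding of the FICO Cyber Risk Score into a review cadence, flags quarter-over-quarter threshold crossings of the kind the T-Mobile interview describes, benchmarks each supplier against a revenue-weighted portfolio average, and sizes a coverage requirement from records shared at the report's $100 to $350 per-record range. The score bands, cadence table, point weights, insurance rule, and vendors are all assumptions, not values from the report.

```python
"""Third-party cyber risk triage: criticality tier x score band -> portfolio,
review cadence, threshold alerts, benchmark, and coverage requirement.
Added example with constructed data; not the report's or FICO's own method."""
from dataclasses import dataclass
from typing import Dict, List

SCORE_MIN, SCORE_MAX = 300, 850  # FICO Cyber Risk Score range stated in the report

# Assumed illustrative bands (the report gives no fixed cut-offs): a score below the
# upper bound falls into that band; higher scores mean lower breach risk.
RISK_BANDS = (("high", 650), ("medium", 736), ("low", SCORE_MAX + 1))

# Assumed review interval in days for each (criticality, risk band) cell of the
# risk-versus-criticality matrix: tighter cadence where both are high.
CADENCE_DAYS = {
    ("high", "high"): 30, ("high", "medium"): 90, ("high", "low"): 180,
    ("medium", "high"): 90, ("medium", "medium"): 180, ("medium", "low"): 365,
    ("low", "high"): 180, ("low", "medium"): 365, ("low", "low"): 730,
}

# Per-record breach cost, USD, taken from the range quoted in the report.
COST_PER_RECORD = {"sensitive": 350.0, "ordinary": 100.0}


@dataclass
class Vendor:
    name: str
    scores: List[int]        # quarterly FICO Cyber Risk Scores, oldest first (constructed)
    revenue_musd: float      # supplier revenue, the weight for the benchmark
    records_shared: int      # records of ours the supplier holds
    sensitive_data: bool     # health/financial data vs. ordinary business data
    always_on: bool          # outage stops our business (cloud platform vs. office cleaning)
    days_to_replace: int     # how quickly an alternative supplier could be engaged


def criticality(v: Vendor) -> str:
    """Assumed point scheme over the categorization questions -> criticality tier."""
    pts = 0
    if v.always_on:
        pts += 2
    if v.records_shared >= 100_000:
        pts += 2
    elif v.records_shared >= 1_000:
        pts += 1
    if v.days_to_replace > 30:
        pts += 1
    return "high" if pts >= 3 else ("medium" if pts >= 1 else "low")


def risk_band(score: int) -> str:
    """Place a score in the assumed high/medium/low band; reject out-of-range input."""
    if not SCORE_MIN <= score <= SCORE_MAX:
        raise ValueError(f"score {score} outside {SCORE_MIN}-{SCORE_MAX}")
    for band, upper in RISK_BANDS:
        if score < upper:
            return band
    return "low"


def benchmark(vendors: List[Vendor]) -> float:
    """Revenue-weighted average of the latest scores, the same construction the
    report uses for its National Risk Score, applied to our own portfolio."""
    weight = sum(v.revenue_musd for v in vendors)
    return sum(v.scores[-1] * v.revenue_musd for v in vendors) / weight


def threshold_alerts(v: Vendor, min_drop: int = 25) -> List[str]:
    """Events that should trigger engagement with the supplier: a band crossing in
    either direction, or a quarter-over-quarter drop of min_drop points or more."""
    alerts: List[str] = []
    if len(v.scores) < 2:
        return alerts
    prev, cur = v.scores[-2], v.scores[-1]
    pb, cb = risk_band(prev), risk_band(cur)
    if pb != cb:
        alerts.append(f"{v.name}: moved from {pb} to {cb} risk band ({prev}->{cur})")
    if prev - cur >= min_drop:
        alerts.append(f"{v.name}: dropped {prev - cur} points in one quarter")
    return alerts


def required_coverage_usd(v: Vendor) -> float:
    """Records shared times per-record cost, as a floor for breach coverage."""
    return v.records_shared * COST_PER_RECORD["sensitive" if v.sensitive_data else "ordinary"]


def triage(vendors: List[Vendor]) -> Dict[str, dict]:
    """Assign every vendor to a portfolio cell and the actions that follow from it."""
    bench = benchmark(vendors)
    result = {}
    for v in vendors:
        crit, band = criticality(v), risk_band(v.scores[-1])
        result[v.name] = {
            "criticality": crit,
            "risk_band": band,
            "review_every_days": CADENCE_DAYS[(crit, band)],
            "vs_benchmark": round(v.scores[-1] - bench, 1),
            "insurance_required": crit == "high" and band != "low",  # assumed rule
            "coverage_usd": required_coverage_usd(v),
            "alerts": threshold_alerts(v),
        }
    return result


# Constructed sample portfolio (not real companies or real scores).
SAMPLE = [
    Vendor("CloudHost", [742, 733, 701], 900.0, 250_000, True, True, 90),
    Vendor("Payroll", [680, 690, 695], 120.0, 8_000, True, False, 45),
    Vendor("Cleaning", [640, 655, 660], 5.0, 0, False, False, 7),
]

if __name__ == "__main__":
    for name, row in triage(SAMPLE).items():
        print(name, row)
```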


The National Risk Score

The National Risk Score is a revenue-weighted average of the FICO® Cyber Risk Score for 2,376 companies that make up the sample described in Section VII, Methodology. A higher score indicates a lower likelihood that an organization will experience a data breach in the next 12 months; a lower score indicates greater risk of a successful data breach, based on a five-year sample of data collected.

For an individual organization, and depending on size and sector, a score of 688 represents a level of risk that is considered moderate to low.

The score for large firms increased 6 points from the first quarter of 2019. The score for small firms decreased 4 points while the score for medium firms decreased 3 points. These changes are not statistically significant, but the point spread between companies in different size categories remains both significant and interesting. Larger firms with more data and larger, more complex networks continue to be subject to higher levels of risk.

A breakdown of the size classification of companies is set forth below:

Small (fewer than 250 employees); Medium (250–1,999 employees); Large (2,000 or more employees)

National Risk Score gauges, Q2 2019 (scale from 300 = high risk to 850 = low risk, with tick marks at 500, 650, and 775):

National Risk Score (all companies): 688

Small: 736

Medium: 713

Large: 649

A lower score does not imply that an organization is destined to suffer a breach event, and a high score does not indicate that an organization is impervious to the risk of a breach.


A word about risk

As noted previously, risk is a function of both the threat landscape and enterprise vulnerability. Larger organizations generally face more sophisticated and persistent threats across a more expansive threat surface. The scores reflect the probability of a data breach based on an organization’s externally facing systems; they do not account for layered controls that may exist inside the organization. A lower score does not imply that an organization is destined to suffer a breach event, and a higher score does not indicate that an organization is impervious to the risk of a breach; it only implies that the likelihood of that organization experiencing a breach is lower.

Organizations can use the ABC and their individual cyber risk score as a basis for the following:

• Objective self-assessment

• Third-party and supply chain risk assessment

• Comparative assessments (between organizations or over time)

• Discussions with insurance carriers and brokers

Why Are Larger Companies at Greater Risk?

Larger companies:

• Have larger networks (>65,000 IP addresses)

• Tend to have more data on more people

• Operate in sensitive areas like health care, finance, and retail

• Are more well-known brands generally


The FICO® Cyber Risk Score
_______

About

The FICO® Cyber Risk Score is an empirically derived metric that relies on a comprehensive and diverse set of cybersecurity risk signals, collected at internet scale, to measure the forward-looking security risk of any organization.

The signals leveraged by the algorithm comprise sector-related background risk information as well as key technical and behavioral risk indicators including the scale and nature of the subject’s internet-exposed systems, the health and hygiene of IT systems and network infrastructure, and the maintenance of software and services exposed by the organization.

The time-series compilation of these signals allows FICO to assess not only the condition, but also the organizational effectiveness in attaining and maintaining best-practice security processes. These current and historical data signals are compared to past behaviors of organizations that have—and have not—suffered a material breach. This allows FICO to develop strong predictors of forward-looking risk.

These predictors are augmented by information indicating evidence of network or endpoint compromise. Rather than simply inventorying the vulnerabilities or issues present at a point in time, these indicators are used, in the aggregate, to help form an understanding of an organization’s network hygiene practices, consistency in policy, and network management track record.

Together, this information is used to train a supervised machine-learning model that produces a risk score quantifying the likelihood of a future breach event, based on more than five years of historical data. The objective outcome of this model is the measurement of material data breach risk over a forward-looking 12-month period, and the resulting score (ranging from 300 to 850) indicates FICO’s assessment of the relative risk faced by the evaluated organization. The score is linear in the log-odds of a breach: the odds of a material breach double with each 84-point decrease in the score (i.e., a company with a score of 500 has approximately twice the odds of suffering a material breach event in the next 12 months as a company with a score of 584). Because the scale is logarithmic in odds, a 168-point gap corresponds to roughly four times the odds, not three, and the rule describes odds rather than probabilities, which matters once probabilities are no longer small.
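The 84-point rule is the only quantitative statement the report makes about the score, and it is easy to misapply when comparing third parties: the rule scales odds, not probabilities, and the report publishes no absolute base rate. The following added example (not FICO’s or the Chamber’s code) turns the rule into a relative-odds calculation, converts it to a 12-month probability under an assumed anchor probability, and ranks a constructed list of vendors against a risk-appetite threshold. The vendor names and scores, the 5% anchor probability at a score of 688, and the 10% review threshold are all assumptions made for illustration.

```python
"""Relative breach odds from FICO Cyber Risk Score differences.

Added illustration; this is not FICO's or the Chamber's code. The only
facts taken from the report are the 300-850 range, the 12-month horizon
and the rule that breach odds double with each 84-point drop in score.
The anchor probability passed in below is an ASSUMPTION for
illustration: the report publishes no absolute base rate.
"""
from dataclasses import dataclass

SCORE_MIN, SCORE_MAX = 300, 850
DOUBLING_POINTS = 84  # per the report: odds double every 84 points


def odds_ratio(score_a: int, score_b: int) -> float:
    """Odds of a material breach at score_a relative to score_b.

    A lower score means higher risk, so the exponent is (b - a) / 84:
    odds_ratio(500, 584) == 2.0 and odds_ratio(584, 500) == 0.5.
    """
    for s in (score_a, score_b):
        if not SCORE_MIN <= s <= SCORE_MAX:
            raise ValueError(f"score {s} outside {SCORE_MIN}-{SCORE_MAX}")
    return 2.0 ** ((score_b - score_a) / DOUBLING_POINTS)


def breach_probability(score: int, anchor_score: int, anchor_prob: float) -> float:
    """12-month breach probability at `score`, given an assumed anchor.

    The 84-point rule scales odds, not probabilities. Convert the anchor
    probability to odds, scale, then map back with p = o / (1 + o) so the
    result stays below 1 even for very low scores.
    """
    if not 0.0 < anchor_prob < 1.0:
        raise ValueError("anchor_prob must be strictly between 0 and 1")
    anchor_odds = anchor_prob / (1.0 - anchor_prob)
    odds = anchor_odds * odds_ratio(score, anchor_score)
    return odds / (1.0 + odds)


@dataclass(frozen=True)
class Vendor:
    name: str
    score: int


def rank_vendors(vendors, anchor_score: int, anchor_prob: float, max_prob: float):
    """(vendor, probability, needs_review) tuples, riskiest first.

    needs_review is True when the implied probability exceeds max_prob,
    the ceiling an organization sets for its third-party risk appetite.
    """
    rows = [(v, breach_probability(v.score, anchor_score, anchor_prob)) for v in vendors]
    rows.sort(key=lambda r: r[1], reverse=True)
    return [(v, p, p > max_prob) for v, p in rows]


# Constructed sample vendor list; names and scores are hypothetical.
SAMPLE_VENDORS = [
    Vendor("payroll-saas", 736),
    Vendor("logistics-api", 649),
    Vendor("print-shop", 520),
    Vendor("law-firm", 688),
]

if __name__ == "__main__":
    # ASSUMPTION: a 5% 12-month breach probability at the Q2 2019
    # National Risk Score of 688, and a 10% ceiling for third parties.
    for vendor, prob, flagged in rank_vendors(SAMPLE_VENDORS, 688, 0.05, 0.10):
        print(f"{vendor.name:<14} {vendor.score}  p={prob:.3f}  "
              f"{'REVIEW' if flagged else 'ok'}")
```

With the assumed anchor, the vendor at 520 sits 168 points below 688, so its odds are four times the anchor odds and its implied probability is about 17%, well over the 10% ceiling; the vendor at 649 lands near 7% and is not flagged. Changing the anchor probability moves every absolute figure, which is why the relative odds ratio, not the probability, is the number the report actually supports.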

Providing actionable insights

The FICO® Cyber Risk Score is engineered to provide actionable insights regarding security risk that encompass both technical and policy-related shortcomings. As in other risk management disciplines, multiple perspectives often yield better results. The FICO® Cyber Risk Score, and the underlying data that it leverages, can provide a valuable second opinion that offers a clearer understanding of your cybersecurity risk as well as insights for possible actions to reduce risk; unlike most second opinions, this assessment is free.


Benefits of FICO® Cyber Risk Score

Benchmark: Learn how your company’s cybersecurity rates compare to others.

Remediate: Have a low score? Learn concrete steps and methods to improve it.

Supply-Chain Security: Learn how well your trusted partners scored in cybersecurity.

It’s Free: Best of all, it’s free. Just sign up to receive your complimentary score.

FICO® Cyber Risk Score availability

FICO is committed to ensuring transparency and fairness in the security rating process. To help organizations better understand their specific situation, FICO offers free subscription access to a company-specific view of cyber risk.

Organizations can register for a complimentary, ongoing, no-cost subscription at https://cyberscore.fico.com.

This subscription to the FICO® Cyber Risk Score allows organizations to monitor the results of efforts to continually improve their security posture and reduce their risk of a security breach. With this subscription, organizations can also compare their performance within their sector and/or with organizations operating at a comparable scale—with an enhanced understanding of their relative risk posture. We would also encourage companies to use these tools to engage in meaningful dialogue with supply-chain partners and advance the goal of collaboration in managing cyber risk.


Methodology
_______

The Assessment of Business Cyber Risk (ABC) National Risk Score is an aggregate measure of security risk encompassing small, medium, and large companies across key sectors of the U.S. economy. The ABC uses a random sample of U.S. businesses and their FICO® Cyber Risk Scores. The FICO® Cyber Risk Score is an empirically derived metric that relies on a comprehensive and diverse set of cybersecurity risk signals, collected at internet scale, to measure the forward-looking security risk of any organization. The quarterly ABC metric is a weighted average of the included businesses’ cyber risk scores.

Included businesses

The businesses included in the ABC are part of a rotating panel selected from the Dun & Bradstreet database using a stratified sample design. Each quarter, the FICO® Cyber Risk Scores of 2,376 businesses are compiled to create the reported metrics. Based on user feedback, we have intentionally excluded from the pool those organizations whose primary, or substantial, business is the provision of IP address space to other firms.

While it is important to assess the risk of these firms individually, including in the ABC metrics internet service providers (ISPs), infrastructure-as-a-service (IaaS) providers, telecoms, and cloud infrastructure providers with large IP address footprints, much of which is administered by IT and security teams outside the provider’s direct control, could increase the likelihood of double-counting assets that would be more appropriately attributed to the subscribing organizations. For these reasons, we have elected to exclude companies in this class and have adjusted the ABC and its various sub-indices accordingly.

Classification

The sample design divides U.S. enterprises into 30 strata defined by North American Industry Classification System codes for 10 industry sectors: (1) energy and utilities, (2) finance and banking, (3) health care, (4) construction, (5) transportation, (6) media and technology, (7) retail and consumer services, (8) materials and manufacturing, (9) agriculture and food, and (10) business services. Together, the 10 sectors represent virtually all categories of commercial entities operating in the U.S. market, with the exception of ISPs, IaaS providers, and most telecoms (as noted above). Care has been taken to ensure that companies in the sector sample are representative of the diversity of organizations within the sector definition and include companies of different sizes, based on the number of employees.

There are three size classes: small (fewer than 250 employees), medium (250–1,999 employees), and large (2,000 or more employees). The goal of the size gradations used to define the strata is to highlight the differences in security risks and outcomes for organizations of different sizes. The specific values chosen as boundaries between small, medium, and large organizations in the ABC strata were selected to ensure that representative samples could be consistently tracked over time and to reflect a common-sense point of view when describing large and small enterprises.

Sample size

By design, the specified sample sizes allow for comparisons between industry sectors at a 95% confidence level with 90% power; comparisons between the small, medium, and large size classes across sectors at a 95% confidence level with 90% power; and comparisons between size classes within a sector at a 90% confidence level with 80% power. The sample size for an industry sector is allocated equally across the three size classes within that sector. Although this is not a proportional-to-size design, it allows the sampling plan to represent the potential for greater internet security risk from larger businesses. The statistical weighting accounts for the sample design to provide an unbiased estimate of enterprise security risk for the ABC.

The 30 strata values provided in the report are average scores for the companies selected to represent each stratum. The sector and size roll-up values, as well as the overall ABC metric, are revenue-weighted averages, so that these metrics reflect the overall impact that the component strata have on the U.S. economy.
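The two-level aggregation described above (plain means within a stratum, revenue-weighted means across strata) explains why the National Risk Score of 688 sits much closer to the large-firm score than a simple average of the three size classes would. The following added example (not the Chamber’s or FICO’s code) reproduces that roll-up on a constructed set of companies in two sectors and reports the unweighted mean alongside it so the effect of revenue weighting is visible. Sampling-design weights, which the report says are also applied, are not modelled; the sector names, head counts, revenues, and scores are all constructed sample data.

```python
"""Revenue-weighted roll-up of per-stratum FICO Cyber Risk Scores.

Added illustration of the aggregation described in the Methodology
section; it is not the Chamber's or FICO's code. A stratum is a
(sector, size class) pair, the stratum value is the plain mean of its
companies' scores, and the sector, size and overall figures are
revenue-weighted averages of the stratum means. Sampling-design weights
are not modelled; the company records are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Company:
    sector: str
    employees: int
    revenue: float  # annual revenue, any consistent unit
    score: int      # FICO Cyber Risk Score, 300-850


def size_class(employees: int) -> str:
    """ABC size classes: <250 small, 250-1,999 medium, 2,000+ large."""
    if employees < 250:
        return "small"
    if employees < 2000:
        return "medium"
    return "large"


def stratum_stats(companies):
    """Map (sector, size) -> (mean score, total revenue)."""
    scores = defaultdict(list)
    revenue = defaultdict(float)
    for c in companies:
        key = (c.sector, size_class(c.employees))
        scores[key].append(c.score)
        revenue[key] += c.revenue
    return {k: (sum(v) / len(v), revenue[k]) for k, v in scores.items()}


def weighted_mean(pairs) -> float:
    """Revenue-weighted mean of (mean_score, revenue) pairs."""
    total = sum(r for _, r in pairs)
    if total <= 0:
        raise ValueError("strata carry no revenue weight")
    return sum(s * r for s, r in pairs) / total


def rollups(companies) -> dict:
    """Stratum means plus revenue-weighted sector, size and overall roll-ups.

    'unweighted' is the plain mean of the stratum means, included so the
    effect of revenue weighting is visible: because large firms carry
    most revenue, the weighted figure sits close to the large-firm score.
    """
    stats = stratum_stats(companies)
    by_sector, by_size = defaultdict(list), defaultdict(list)
    for (sector, size), pair in stats.items():
        by_sector[sector].append(pair)
        by_size[size].append(pair)
    return {
        "strata": {k: round(v[0], 1) for k, v in stats.items()},
        "sector": {k: round(weighted_mean(v), 1) for k, v in by_sector.items()},
        "size": {k: round(weighted_mean(v), 1) for k, v in by_size.items()},
        "overall": round(weighted_mean(list(stats.values())), 1),
        "unweighted": round(sum(s for s, _ in stats.values()) / len(stats), 1),
    }


# Constructed sample: two sectors, two companies per size class.
SAMPLE_COMPANIES = [
    Company("health care", 120, 2.0, 740),
    Company("health care", 80, 3.0, 730),
    Company("health care", 600, 40.0, 710),
    Company("health care", 1500, 60.0, 700),
    Company("health care", 5000, 900.0, 660),
    Company("health care", 20000, 1100.0, 640),
    Company("retail", 30, 1.0, 750),
    Company("retail", 200, 4.0, 730),
    Company("retail", 900, 50.0, 720),
    Company("retail", 1200, 50.0, 700),
    Company("retail", 3000, 700.0, 660),
    Company("retail", 8000, 1300.0, 640),
]

if __name__ == "__main__":
    result = rollups(SAMPLE_COMPANIES)
    for level in ("size", "sector"):
        for name, value in sorted(result[level].items()):
            print(f"{level:<7} {name:<12} {value}")
    print(f"overall (revenue-weighted) {result['overall']}")
    print(f"overall (unweighted)       {result['unweighted']}")
```

On this sample the large-firm strata hold about 95% of the revenue, so the revenue-weighted overall score (652.9) is more than 45 points below the unweighted mean of the six strata (698.3). When reading the ABC figures, or building a comparable metric for a vendor portfolio, the choice of weight (revenue here; contract value or data volume might be more appropriate for third-party risk) is what determines which firms dominate the headline number.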


Press
_______

FICO

FICO (NYSE: FICO) powers decisions that help people and businesses around the world prosper. Founded in 1956 and based in Silicon Valley, the company is a pioneer in the use of predictive analytics and data science to improve operational decisions. FICO holds more than 190 U.S. and foreign patents on technologies that increase profitability, security, customer satisfaction, and growth for businesses in financial services, telecommunications, health care, retail, and many other industries. Using FICO solutions, businesses in more than 100 countries do everything from protecting 2.6 billion payment cards from fraud, to helping people get credit, to ensuring that millions of airplanes and rental cars are in the right place at the right time.

Learn more at http://www.fico.com.

Press inquiries: Katie O’[email protected]

U.S. Chamber of Commerce

The U.S. Chamber of Commerce is the world’s largest business federation, representing the interests of more than 3 million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations.

Learn more at https://www.uschamber.com/cyber-abc.

Press inquiries: Kathleen Ward, U.S. Chamber of [email protected]


Learn more about your FICO® Cyber Risk Score by registering for a complimentary subscription at https://cyberscore.fico.com.
