FICO Extends Cybersecurity Score to Rate 4th Party Risks

New capabilities identify concentrations of risk throughout the supply chain and across common cloud services

Silicon Valley analytics firm FICO today announced that its new release of the FICO^® Enterprise Security Score quantifies the breach risks introduced by 4^th parties — a partner or vendor’s vendors. The identification of 4^th party risks is an increasingly important consideration for breach insurance carriers, who are concerned about hidden, aggregate risk exposures across their portfolio of insureds.

A report in the Financial Times this month noted that some 80 percent of large companies suffer a cyber breach every year, and the annual global damage estimate could be more than $400 billion. These risks become concentrated as organisations continue to adopt common cloud service providers to manage significant portions of their IT workloads. As new IT vulnerabilities are being exposed and exploited, identifying and quantifying these common, concentrated exposures in a portfolio of businesses can be critical to understanding and forecasting potential losses under different risk scenarios.

The FICO Enterprise Security Score now helps breach insurers and enterprise vendor management teams identify the vendor dependencies of their clients and business partners, including deployed IT components, and see the Enterprise Security Score of these 4^th party relationships. The service also helps users identify common 4^th party dependencies across a portfolio of 3^rd party relationships.

“You can’t really understand your 3^rd party risks without also understanding the downstream dependencies those organisations have with their own suppliers,” said Doug Clare, vice president of cybersecurity solutions at FICO. “Our customers tell us they need to understand these 4^th party risks – specifically, and in aggregate. We worked with cyber insurance carriers to develop the new capabilities.”

“The ability to assess aggregate risks based on real data is becoming increasingly important to insurers,” said Mark Greisiger, president of NetDiligence. “Cyber policyholders outsource so much of their computing/data resources that it’s a growing blind-spot for underwriters. Granular information regarding actual 4^th party cyber risk dependencies would help insurers more accurately quantify their portfolio exposure.”

The FICO^® Enterprise Security Score performs a complex assessment of an organisation’s network assets, applies advanced predictive algorithms, and then condenses the results down to a three-digit score that rank-orders based on the odds of breach for the organisation. Companies can use this score to understand and track their own performance, or evaluate the security risk of their vendors and other business partners. FICO was part of a consortium of industry leaders that developed new guiding principles for cybersecurity ratings.