FICO Extends Cybersecurity Score to Rate 4th Party Risks

Silicon Valley analytics firm FICO announced that its new release of the FICO Enterprise Security Score quantifies the breach risks introduced by 4th parties — a partner or vendor’s vendors. The identification of 4th party risks is an increasingly important consideration for breach insurance carriers, who are concerned about hidden, aggregate risk exposures across their portfolio of insureds.

A report in the Financial Times this month noted that some 80 percent of large companies suffer a cyber breach every year, and the annual global damage estimate could be more than $400 billion. These risks become concentrated as organizations continue to adopt common cloud service providers to manage significant portions of their IT workloads. As new IT vulnerabilities are being exposed and exploited, identifying and quantifying these common, concentrated exposures in a portfolio of businesses can be critical to understanding and forecasting potential losses under different risk scenarios.

The FICO Enterprise Security Score now helps breach insurers and enterprise vendor management teams identify the vendor dependencies of their clients and business partners, including deployed IT components, and see the Enterprise Security Score of these 4th party relationships. The service also helps users identify common 4th party dependencies across a portfolio of 3rd party relationships.

“You can’t really understand your 3rd party risks without also understanding the downstream dependencies those organizations have with their own suppliers,” said Doug Clare, vice president of cybersecurity solutions at FICO. “Our customers tell us they need to understand these 4th party risks – specifically, and in aggregate. We worked with cyber insurance carriers to develop the new capabilities.”

“The ability to assess aggregate risks based on real data is becoming increasingly important to insurers,” said Mark Greisiger, president of NetDiligence. “Cyber policyholders outsource so much of their computing/data resources that it’s a growing blind-spot for underwriters. Granular information regarding actual 4th party cyber risk dependencies would help insurers more accurately quantify their portfolio exposure.”

The FICO Enterprise Security Score performs a complex assessment of an organization’s network assets, applies advanced predictive algorithms, and then condenses the results down to a three-digit score that rank-orders based on the odds of breach for the organization. Companies can use this score to understand and track their own performance, or evaluate the security risk of their vendors and other business partners. FICO was part of a consortium of industry leaders that developed new guiding principles for cyber security ratings.