Assessment of Business Cyber Risk Shows Slight Improvement in National Risk Score and Highlights Need for Third-Party Risk Management

Monday, August 19, 2019 - 8:00am

WASHINGON, D.C.—The Q2 Assessment of Business Cyber Risk (ABC) report released today by the U.S. Chamber of Commerce and FICO recorded a National Risk Score of 688, a slight improvement over the previous quarter’s score of 687. Since last quarter, the average score for large firms rose from 643 to 649 and small firms moved from 740 to 736.

While these scores reveal the nation’s cybersecurity risk virtually unchanged, FICO and the Chamber urge businesses to continue to measure and manage risk posed by third parties.

“For years, the Chamber has encouraged organizations to adopt internet security fundamentals, including using the NIST Cybersecurity Framework for enterprise risk management,” said Christopher D. Roberti, senior vice president for cyber, intelligence, and security policy at the Chamber. “But we are seeing that organizations are targeted through third parties and must take steps to integrate a tailored third-party risk management into an overall risk management plan.”

New Business Imperative: Third-Party Risk Management

In addition to data on the National Risk Score, the Q2 ABC report highlights the need for effective third-party risk management (TPRM). A growing percentage of cybersecurity incidents against businesses are the result of initial compromises against third parties, allowing malicious actors to gain access through a trusted relationship, move laterally and escalate privileges, and ultimately attain their target. As a result, TPRM is a high priority for many firms.

Larger and more sophisticated firms will typically have well-developed TPRM programs. The increase of highly publicized breaches, awareness of cyber risk, and emerging and evolving compliance frameworks are driving small and midsize firms to adopt these programs as well.

“Knowing your cyber risk is invaluable, and knowing the cyber risk of third parties you work with is essential,” said Doug Clare, vice president of cybersecurity solutions at FICO. “Third-party risk management is emerging as one of the most important priorities for IT and security departments nationwide, and cybersecurity risk assessments are an increasingly important component of the broader TPRM framework.”

To help businesses recognize and mitigate third-party risk, the ABC report offers four key steps that organizations should include within a broader third-party management framework:

  1. Build a framework for third-party categorization
  2. Develop workflow to address the intersection of risk and criticality
  3. Assess high-impact suppliers frequently
  4. Ensure appropriate risk transfer

More information on these four steps can be found in the report.

About the Assessment for Business Cyber Risk

Based on the FICO® Cyber Risk Score, the U.S. Chamber of Commerce’s Assessment for Business Cyber Risk (ABC) is intended to advance cybersecurity awareness and improve the overall effectiveness of cyber defense programs, including third-party risk management (TPRM) activities.

The ABC’s National Risk Score is the revenue-weighted average of the FICO® Cyber Risk Score for nearly 2,400 small, medium, and large companies. The score calculates the probability of an organization suffering a material data breach within the next 12 months. Just like a FICO credit score, the range is 300 to 850. For individual companies, the higher the score, the lower the likelihood that an organization will experience a data breach within the next 12 months. Similarly, a lower score indicates greater risk of a successful data breach based on five years of historic breach data. The score analyzes billions of cyber risk indicators and uses machine learning to produce a forward-looking metric for measuring cyber risk.

Organizations that choose to learn more about their specific security performance can register for a free subscription at http://cyberscore.fico.com. A new report from Chartis Research named FICO as a category leader in cyber risk quantification.