Vendor Analysis: FICO Cyber Risk Quantification Solutions, 2019

© Copyright Infopro Digital Services Limited 2019. All Rights Reserved.

No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Infopro Digital Services Limited trading as Chartis Research (‘Chartis’).

The facts of this document are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that Chartis delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. Chartis accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis. See ‘Terms and conditions’.

RiskTech100®, RiskTech Quadrant®, FinTech Quadrant™ and The Risk Enabled Enterprise® are Registered Trade Marks of Infopro Digital Services Limited. Unauthorized use of Chartis’ name and trademarks is strictly prohibited and subject to legal penalties.

Chartis Research is the leading provider of research and analysis on the global market for risk technology. It is part of Infopro Digital, which owns market-leading brands such as Risk and WatersTechnology. Chartis’ goal is to support enterprises as they drive business performance through improved risk management, corporate governance and compliance, and to help clients make informed technology and business decisions by providing in-depth analysis and actionable advice on virtually all aspects of risk technology. Areas of expertise include:

• Credit risk.
• Operational risk and governance, risk and compliance (GRC).
• Market risk.
• Asset and liability management (ALM) and liquidity risk.
• Energy and commodity trading risk.
• Financial crime including trader surveillance, anti-fraud and anti-money laundering.
• Cyber risk management.
• Insurance risk.
• Regulatory requirements including Basel 2 and 3, Dodd-Frank, MiFID II and Solvency II.

Chartis is solely focused on risk and compliance technology, which gives it a significant advantage over generic market analysts.

The firm has brought together a leading team of analysts and advisors from the risk management and financial services industries. This team has hands-on experience of implementing and developing risk management systems and programs for Fortune 500 companies and leading consulting houses.

Visit www.chartis-research.com for more information.

Join our global online community at www.risktech-forum.com.

Table of contents

1. Report context 5

2. Quadrant context 8

3. Vendor context 11

4. Methodology 16

5. Further reading 19

List of figures and tables

Figure 1: The increasing value of CRQ 7

Figure 2: The operational scope of quantification 7

Figure 3: RiskTech® Quadrant for cyber risk quantification solutions, 2019 9

Figure 4: The FICO ESS – benchmarking example 12

Figure 5: ESS Portrait – example screen 12

Figure 6: ESS Landscape – example screen 13

Figure 7: FICO Cyber Risk Score – third-party risk management example 14

Table 1: Completeness of offering – FICO (cyber risk quantification solutions, 2019) 10

Table 2: Market potential – FICO (cyber risk quantification solutions, 2019) 10

Table 3: FICO – company information 11

Table 4: Evaluation criteria for Chartis’ cyber risk quantification solutions report 17

1. Report context

This Vendor Analysis is based on the Chartis quadrant report Cyber Risk Quantification Solutions, 2019: Market and Vendor Landscape (published in May 2019). This section summarizes the key theses in that report; subsequent sections take a detailed look at FICO’s quadrant positioning and scoring, and Chartis’ underlying opinion and analysis.

Key thesis

We want quant

As the frequency and severity of cyber breaches continue to grow, cyber crime is now one of the biggest challenges facing financial institutions (FIs). Adding to their problems, FIs must also address the growing risk of technology outages – established FIs’ legacy networks and newer challengers’ untested systems have both fallen victim to cyber incidents.

Clearly this is an issue, and it’s a costly one too. Overall, breaches and outages can cost the average FI millions of dollars annually, and the figure increases significantly for the largest institutions. Facing a rise in threats, institutions of all types are spending big on their cybersecurity systems.

Yet amid the fog of spending and hype surrounding the latest cybersecurity defenses, the task of systematically quantifying firms’ relative cyber risks has until recently gone unaddressed. This lack of functionality has also prevented FIs and vendors from assessing the relative effectiveness of different cybersecurity systems. Most current solutions used against malicious attacks and potential system failures – from passwords and firewalls to AI-powered enterprise systems – often do not rigorously quantify the benefits of the reduced risk they offer.

FIs and vendors have sought to quantify cyber risk before, but increasingly they are spending such large sums on cybersecurity systems that they require defensible risk scores for their cyber domains. And only now is there technology available to automate analysis and leverage the vast datasets required to properly quantify cyber risk.

Demand for cyber risk quantification (CRQ) solutions is coming from insurers – keen to assess the risk in counterparties’ infrastructure – and more general financial services firms, which want to assess the risk in the systems they rely on for their operations. This is becoming more pressing as FIs’ IT systems and risk-management infrastructures become more complex.

Vendors to the rescue

Increasingly, Chartis believes, vendors of CRQ solutions will develop specific functionality across four key functional and operational areas: the cyber risk score, loss estimation, portfolio optimization, and attribution. Vendors currently approach CRQ from two angles: externally, assessing a firm’s network in relation to that of other firms; and internally, mapping the risk of cyber events occurring on a firm’s own network. By partnering and cooperating, vendors can start to offer comprehensive solutions that will enable them to exploit the ever-growing CRQ market.

Demand-side takeaways

Defining cyber risk quantification

Chartis defines the components of CRQ as:

• Cyber risk. The likelihood and severity of a loss due to the breach or failure of IT systems. These losses are the business impacts [1] that might result from the theft of confidential data, the compromise of information integrity, or the loss of systems availability, as well as any costs required to rectify issues.

• Cyber risk quantification. The evaluation of cyber risk using mathematical models to produce a numerical score or ranking. These components can be fashioned into better tools for risk managers to measure the level and location of the cyber risk their FIs carry. In addition, by viewing security systems through the lens of risk, risk professionals can demonstrate the value of those solutions to the broader business.

This approach offers CROs, CTOs and CISOs [2] a valuable joint lexicon to communicate their institution’s stance on risk to all relevant staff in a language they already share.

The drivers of demand for CRQ solutions

Until recently, assessments of cyber risk were limited to manual analyses of a firm’s own systems or those of a third party (with its consent), whereby examiners inspected networks on a case-by-case basis. FIs relied on manual assessment using qualitative standards such as ISO 27001 or the NIST Cybersecurity Framework, both of which require significant modification to suit specific organizational contexts.

Modern CRQ techniques attempt to circumvent the persistent obstacles to statistically measuring operational risk – a lack of data and a lack of unbiased analytics. As CRQ represents a quantification of operational risk, FIs remain wary of relying too much on cyber risk models. As a result, demand for solutions is currently immature, although it is growing rapidly as FIs realize the importance of adequately understanding their cyber risk exposure.

There are two key sources of demand for CRQ solutions:

• Insurance firms, which use CRQ to assess the cyber risk that exists in a counterparty’s infrastructure.

• More generally, financial services firms – including insurers – will use CRQ to assess the cyber risk in the native and/or third-party systems that form the infrastructure on which their institutions rely.

Quantification: why now?

As FIs’ employees come to rely more on technology, standardized CRQ methods will be more in demand. Quantitative risk assessments will help FIs’ boards grapple with cyber risk by aggregating possible bad outcomes into layers of risk that are appropriate to a given level of the risk management hierarchy. This clear-eyed view of risk can overcome the superiority bias that often manifests in cybersecurity, whereby staff often believe that their institution is better protected from breaches than its peers. A board that knows the relative cyber risks it faces will be well placed to set and execute a secure and efficient technology strategy. The penalties for observing risks and choosing to dismiss them are likely to be high.

Tangled infrastructure is risky infrastructure

The broad demand for CRQ solutions arises because FIs continue to add new systems to their legacy cores. The complexity of FIs’ infrastructure – and its inherent risk – has grown to cope with demands on systems that cover everything from incorporating multiple market data streams to offering extended functionality to retail customers. These systems are often provided by third parties – such as market data suppliers in the first instance and application developers in the second.

CRQ is applied broadly at all points in FIs’ provision of services to support business processes. Regulators such as the US Office of the Comptroller of the Currency expect banks to ‘practice risk management regardless of whether the bank performs the activity internally or through a third party.’ Firms must thus monitor the risk they carry due to their use of third-party services, an increasingly pressing responsibility as FIs come to rely more on loosely regulated FinTech firms that may lack mature risk management oversight.

Supply-side takeaways

CRQ on the increase, but it must be robust

CRQ is becoming a formalized component of risk management in financial services, and risk management departments will own it if solutions can demonstrate statistical rigor. CRQ’s nascent adoption is somewhat akin to the early years of value at risk (VaR), a metric developed for gauging market risk. While many trading desks implemented VaR, awareness of the technique outside discrete groups of quantitative analysts was low, until J.P.Morgan opened up access to its VaR methodology and hived it off into RiskMetrics [3]. CRQ is undergoing a similar process – FIs increasingly acknowledge its usefulness (see Figure 1), and an ecosystem of vendors that are exploiting recent technological advances is growing to support this demand.

Yet risk managers will resist incorporating CRQ into their portfolios unless measurement methodologies are shown to be robust and consistent across business contexts. FIs have seen cybersecurity as a set of binary outcomes – attackers get in, or they don’t; a breach occurs, or it doesn’t. This is not the language of risk, which deals in probabilities. The myriad of functionality that helps firms’ security divisions defend their networks obscures the value of a CRQ tool. Vendors must focus on ensuring that their scores are explainable and have predictive value. They must also speak the language of risk, not just cybersecurity, in designing and deploying their systems. Wide adoption of any given system among FIs will occur only if vendors demonstrate their solutions’ accuracy and defensibility to risk experts.

Figure 1: The increasing value of CRQ. Quantifying risk allows organizations to attack problems at various levels of strategic complexity: business strategy; insurance (and other risk-mitigation strategies); operational optimization and planning; security systems and policy strategy; network optimization. Source: Chartis Research.

Developing the right functionality

Cyber risk represents the first type of operational risk for which quantification methodologies properly exploit the vast amounts of data now available to develop a more statistically defensible, data-intensive methodology. Vendors have overcome the historical obstacles to quantifying operational risk: a lack of data – much of it unstandardized – and human bias.

The internet’s constituent networks contain multitudes of information, most of it in standard formats. Increases in data transfer speeds mean that relevant information, like server security configurations and routing tables (akin to maps of connected computers), can be collected and updated frequently. Vastly higher data storage densities give vendors commercially viable warehouses in which to trap this stream. Machine learning techniques offer tools capable of processing these variable, complex and large data sets.

Chartis predicts that, as CRQ matures, vendors will be pushed to develop certain functionality, across four main operational areas (see Figure 2).

Advanced CRQ deployments will allow FIs to weigh the relative benefits of different controls by simulating their protective benefits to the network. CRQ, used mindfully, will also help FIs’ systems development, by allowing cyber risk to be assessed from the design stage through to implementation.

Vendors of all types stand to gain from cooperation. By combining complementary datasets and analytical approaches, vendors will be better placed to develop and exploit the growing field of CRQ.

Figure 2: The operational scope of quantification: cyber risk score; loss estimation; portfolio optimization; attribution. Source: Chartis Research.

Vendor landscape

Vendors currently approach quantification from one of two angles:

• Externally, assessing the risk in a firm’s network in relation to other networks; or

• Mapping and analyzing networks internally, calculating the risk of different cyber events occurring on that particular network.

Both external and internal approaches quantify cyber risk. Vendors using the external approach, however, quantify the cyber risk of a firm’s network relative to that of other firms. In contrast, those offering an internal method quantify the risk of a particular attack succeeding on a firm’s network relative to other attacks on the same infrastructure. Both produce quantitative risk scores, but one presents network risk, while the other presents attack risk.

Solutions that employ external analysis excel at giving risk scores for third parties. These solutions are designed primarily to support comparisons across different firms and of different characteristics of those firms. Due to their extensive time series data, they also prove strong in tracking changes in a firm’s risk score over time. This maintained history also allows retrospective analysis of attacks that exploited vulnerabilities not publicly known at the time. This enables analysts to devise more accurate risk scores for networks identified as harboring those vulnerabilities, once their details become known.

[1] Business impacts may also include regulatory enforcement and reputational damage, although not all systems can or will quantify these.

[2] Chief risk officers, chief technology officers and chief information security officers.

[3] https://www.msci.com/documents/10199/5915b101-4206-4ba0-aee2-3449d5c7e95a

2. Quadrant context

Introducing the Chartis RiskTech® Quadrant

This section of the report contains:

• The Chartis RiskTech® Quadrant for CRQ solutions for 2019.

• An examination of FICO’s positioning and its scores as part of Chartis’ analysis.

• A consideration of how the quadrant reflects the broader vendor landscape.

Summary information

What does the Chartis quadrant show?

The RiskTech® Quadrant uses a comprehensive methodology that involves in-depth independent research and a clear scoring system to explain which technology solutions meet an organization’s needs. The RiskTech® Quadrant does not simply describe one technology option as the best CRQ solution; rather it has a sophisticated ranking methodology to explain which solutions are best for specific buyers, depending on their implementation strategies.

The RiskTech® Quadrant is a proprietary methodology developed specifically for the risk technology marketplace. It takes into account vendors’ product, technology and organizational capabilities. Section 4 of this report sets out the generic methodology and criteria used for the RiskTech® Quadrant.

How are quadrants used by technology buyers?

Chartis’ RiskTech and FinTech quadrants provide a view of the vendor landscape in a specific area of risk, financial and/or regulatory technology. We monitor the market to identify the strengths and weaknesses of different solutions, and track the post-sales performance of companies selling and implementing these systems. Users and buyers can consult the quadrants as part of their wider research when considering the most appropriate solution for their needs.

Note, however, that Chartis Research does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Chartis Research’s publications consist of the opinions of its research analysts and should not be construed as statements of fact.

How are quadrants used by technology vendors?

Technology vendors can use Chartis’ quadrants to achieve several goals:

• Gain an independent analysis and view of the provider landscape in a specific area of risk, financial and/or regulatory technology.

• Assess their capabilities and market positioning against their competitors and other players in the space.

• Enhance their positioning with actual and potential clients, and develop their go-to-market strategies.

In addition, Chartis’ Vendor Analysis reports, like this one, offer detailed insight into specific vendors and their capabilities, with further analysis of their quadrant positioning and scoring.

Chartis Research RiskTech® Quadrant for cyber risk quantification solutions, 2019

Figure 3 illustrates Chartis’ view of the CRQ vendor landscape, highlighting FICO’s position.

Figure 3: RiskTech® Quadrant for cyber risk quantification solutions, 2019. Horizontal axis: completeness of offering; vertical axis: market potential. Quadrants: best of breed, category leaders, point solutions, enterprise solutions. Vendors plotted: FICO, BitSight, RiskSense, Aon, Marsh, Willis Towers Watson, RiskLens, IBM, foreseeti, Corax, RiskRecon, SecurityScorecard, CyberPoint, UpGuard, eFortresses. Source: Chartis Research.

Quadrant dynamics

General quadrant takeaways

The CRQ quadrant comprises two broad groups:

• Those vendors that assess cyber risk from an external perspective, and whose solutions quantify the cyber risk in a firm’s network relative to that of other firms. An external approach is well suited to quantifying third-party risk. This group splits further into:

  o Vendors that employ CRQ to support their own insurance operations.

  o Vendors that provide cyber risk scores for use by their clients, whether they are insurers or other financial services firms looking to assess third-party cyber risk.

• Vendors that assess cyber risk from an internal perspective. These vendors’ solutions quantify the relative cyber risk of different slices of a firm’s internal network, or a firm’s current cyber risk relative to its historical cyber risk. Such an approach is optimal for assessing first-party cyber risk.

Vendor positioning in context – completeness of offering

FICO scored well on the CRQ quadrant’s completeness of offering axis, due to the rigor of its cyber risk scoring methodology and its expansive underlying data set, which incorporates 100 billion internet-wide data points, including 40 million malicious IP addresses. FICO’s solution uses this network node-level information, arrayed in a five-year historical time series, to examine changes in firms’ security postures over time. This provides the foundation for the quantification of cyber risk based on a firm’s organizational security practices (such as time to patch).

Machine learning (ML) applied to this dataset derives correlations between breaches and given security configurations, as well as a firm’s higher-order behavioral factors. This supports a 24x dynamic range – a very high degree of granularity separating the least risky firms from the most risky. Married with firmographic information, this method enables a financial loss-oriented quantification of cyber risk, a key functional area for those users, such as insurers, looking to assess third-party risk.

Table 1 shows Chartis’ rankings for FICO’s coverage against each of the completeness of offering criteria.

Table 1: Completeness of offering – FICO (cyber risk quantification solutions, 2019)

Completeness of offering criterion | Coverage
Scoring/event risk quantification | High
Risk modeling and aggregation | Medium
Allocation, attribution, and impact analysis | Medium
Visualization and analytics | High
Financial quantification | Medium

Source: Chartis Research

Vendor positioning in context – market potential

On the market potential axis, FICO scored well for market penetration. Though today’s CRQ solutions are relatively new, FICO has leveraged the strength of its brand in credit scoring to appeal to financial services firms using a familiar framework.

FICO’s growth strategy is strong, and the company has a robust plan to embed its CRQ solution in financial services firms. This is supported by an educational program aimed at explaining its solution to risk and insurance functions – a crucial component in boosting wider uptake and deeper deployment.

Table 2 shows Chartis’ rankings for FICO’s coverage against each of the market potential criteria.

Table 2: Market potential – FICO (cyber risk quantification solutions, 2019)

Market potential criterion | Coverage
Business model | High
Customer satisfaction | Medium
Market penetration | High
Growth strategy | High
Financials | High

Source: Chartis Research

3. Vendor context

Overview of relevant solutions/capabilities

Table 3 gives an overview of FICO and its CRQ solution.

The FICO Cyber Risk Score is designed to quantify cyber risk and provide a forward-looking benchmark of an organization’s security posture. It is based on empirical data analysis and derived from an ML model that is formulated to forecast a well-defined objective outcome – the likelihood that an organization will suffer a material breach event in the next 12 months. Like other operational risk metrics engineered by FICO, the output is a three-digit score ranging from 300 to 850, which reflects relative risk and translates directly to outcome odds, which are provided by FICO in a detailed model report.

Users can access the FICO Cyber Risk Score via the FICO Enterprise Security Suite (ESS; see Figure 4). This cloud-based application suite provides access to three separate portals, each serving different users’ needs: ESS Portrait, ESS Portrait Premium and ESS Landscape. ESS Portrait (see Figure 5) provides the Cyber Risk Score of a user’s organization, for free. It is for self-assessment purposes and is used to monitor score results over time. ESS Portrait Premium is an enhanced version of ESS Portrait and provides access to the Cyber Risk Score, as well as a more detailed view of an organization’s specific security risk indicators. Finally, ESS Landscape allows users to view the FICO Cyber Risk Score of third-party organizations. With ESS Landscape users can monitor cyber risk across the supply chain, including partner assessments, procurement assessments, and potential merger and acquisition targets. Within ESS Landscape cyber insurance underwriters are provided with tailored dashboards designed to support the underwriting process and aggregate risk assessment across their portfolios (see Figure 6).

Table 3: FICO – company information

Company FICO

Headquarters San Jose, California, US

Other offices Global offices include:

North America – , San Rafael, Miami, Bozeman, Austin, Ann Arbor, , Montreal, Toronto and Roseville, MN.

Latin America – and Chile.

EMEA – UK, , , , , and .

Asia-Pacific – , , , , , , , and .

Description Founded in 1956 and based in Silicon Valley, FICO uses data science to help its clients improve their operational decisions in risk management, fraud control, security, logistics and marketing. FICO solutions are used by businesses in more than 100 countries across a range of applications, including fraud protection, credit scoring and logistics.

Solution The FICO Cyber Risk Score relies on a comprehensive and diverse set of cybersecurity risk signals, collected at internet-scale, to measure organizations’ forward-looking security risk. It is engineered to provide insights into security risk that encompass both technical and policy-related shortcomings.

By analyzing time-series compilations of risk signals and comparing them to past behaviors of organizations that have, and have not, suffered a material data breach, FICO is able to produce an empirically derived score that forecasts the likelihood of a breach event over a subsequent 12-month period.

Source: FICO

Figure 4: The FICO ESS – benchmarking example. Source: FICO.

Figure 5: ESS Portrait – example screen. Source: FICO.

Figure 6: ESS Landscape – example screen. Source: FICO.

Given FICO’s heritage in risk quantification and ML, the underpinnings of the FICO Cyber Risk Score leverage a rich set of IP in feature engineering, designed to expose and amplify signals used to quantify forward-looking risk outcomes. Notable features of the solution include:

• Empirically derived. The FICO Cyber Risk Score is built using a supervised analytic model. This means that the algorithm that computes the score leverages mathematical relationships between signal data, inferred behaviors, and real-world security outcomes from both breached and non-breached organizations.

• Focused on risk quantification. While vulnerability inventories are important, they can also serve to mask underlying risk. As a result, organizations may confuse security activity (e.g., patching cadence) with effectiveness, and distract security teams from focusing on impactful change.

• Depth and breadth of signals. The key risk signals leveraged by the FICO Cyber Risk Score are based on a deep database of time-series historical information, collected by FICO, which spans the entire internet address space for six years. This allows FICO to correlate conditions and behaviors to cyber incidents, regardless of delays in disclosure, and enables it to immediately generate scores for companies worldwide.

In aggregate, the FICO Cyber Risk Score assesses both the condition and scale of internet-facing network assets, as well as the behavior and performance of organizations in managing their security posture. Rather than grading the current state of the network, FICO evaluates forward-looking risk by employing an ML model that is trained to a well-defined objective outcome – the likelihood of a material data breach event in the next 12 months. This provides an easy-to-interpret result that applies across self-assessment, third-party risk management (see Figure 7), and cyber insurance underwriting.

13 | Vendor Analysis: FICO; Cyber Risk Quantification Solutions, 2019 © Copyright Infopro Digital Services Limited 2019. All Rights Reserved Figure 7: FICO Cyber Risk Score – third-party risk management example

Source: FICO

Client leading practices time required to recognize misconfigurations, or the frequency with which compromised hosts are The FICO Cyber Risk Score serves as an found on an organization’s network. These signals impartial assessment of the effectiveness of an help form an understanding of network hygiene organization’s security controls and adherence practices, consistency in policy, and the network to network management best practices, at a management track record of an organization. time when new regulations, such as the EU Examples of these signals include: General Data Protection Regulation (GDPR), are requiring increased scrutiny of third-party data • Internet surface. The nature and scale of processors. It offers an internet-scale alternative internet-exposed IT assets associated with an to static questionnaires, allowing for faster vetting organization through the various IP address of new partners and ongoing monitoring of registries, as corrected and adjusted through the existing relationships. asset curation process.

Risk indicators used in the FICO Cyber Risk Score

In producing its Cyber Risk Score, FICO derives signals from time-series observations of the internet-facing assets on an organization’s network. These signals help inform an understanding of how both conditional and behavioral indicators are related to breach outcomes. Conditional indicators relate to items such as the presence of misconfigurations and compromised hosts – i.e., the condition of network components. Behavioral indicators relate to the performance of the people tasked with managing a network, such as the

• Endpoint posture. This may include indicators of compromise such as increased spam or botnet activity, which may indicate users’ willingness to click on untrusted links or email attachments. The frequency and duration of these incidents help account for the strength of network management practices as well as end-user behavior.

• Infrastructure posture. The long-term presence of latent threats that may cause harm to an organization, or to other organizations. For example, the potential for infrastructure to be leveraged in a distributed denial-of-service (DDoS) attack.

14 | Vendor Analysis: FICO; Cyber Risk Quantification Solutions, 2019 © Copyright Infopro Digital Services Limited 2019. All Rights Reserved

• Services posture. Services represent the policies and configurations used to manage a network. Examples of risk indicators include insecure protocols that are externally exposed, expired security certificates, and databases responding to external probes.

• Firmographic data. While not risk indicators in themselves, the size, sector and location of an organization help inform and weight risk signals in order to reflect an organization’s inherent risk.

Ensuring scoring accuracy

FICO offers real-time, self-service network asset curation. This means that users curate the assets (i.e., validate the IP address blocks that define the footprint of the organization) that are used in the creation of an organization’s score. The score can be focused on an entire organization, a business unit or subsidiary of an organization, or a geographic region of an organization.

How the model works

The data used to create the Cyber Risk Score ML models, as well as the data used to derive an organization’s score, is continuously collected and captured by FICO at internet scale. This data asset contains six years of history on the global IP address space. This gives FICO a perspective of organizational behavior in the time period leading up to the breach event – whenever that might have been. This forms the basis for predicting future outcomes from time-series indicators associated with organizations that have, and have not, suffered a breach, and helps FICO identify the signals most indicative of increased risk.

Model performance

The goal of any risk model is to quantify the likelihood of a targeted outcome. In the case of the FICO Cyber Risk Score the model is focused on determining the odds of a future material data breach event. While several statistical methods can be used to assess model performance, the measures are intended to assess a model’s ability to separate goods and bads with the fewest false positives (or false negatives) while focused on a given operating point in the score distribution.

One of the measures used to assess the predictive performance of a model is dynamic range. The dynamic range measures the relative outcome odds across a model’s score range. For example, the FICO Cyber Risk Score operates on a scale of 300-850 (higher scores indicate lower risk), with a dynamic range of 24x. This means that an organization scoring 300 is 24 times as likely to suffer a material cyber event in the next 12 months as an organization scoring 850.

It’s important to note that even organizations receiving the best score (i.e., 850) are not impervious to internal and external threats and a subsequent data breach. However, their odds of suffering a breach are significantly lower than those of organizations receiving lower scores. This granularity of risk separation helps risk professionals better categorize the severity of forward-looking risk rather than merely reviewing the latest inventory of misconfigurations and transient network threats.

Operationalizing the Cyber Risk Score

Cyber risk quantification is intended to support better decisions by providing an easy-to-interpret benchmark of network hygiene and adherence to network management best practices. For most organizations this information can support decisions related to incremental security investments, training needs, and triaging of vendor relationships. In the cyber insurance space this information is being used to inform underwriting processes and manage aggregate portfolio risk.
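The dynamic-range and operating-point measures described under ‘Model performance’ above, as an added worked example in Python (not FICO’s or Chartis’ code): it computes the breach-odds ratio between the worst and best score bands from a constructed, labelled sample of organizations, and the false-positive/false-negative split at a chosen cutoff. The sample counts, the 300-399 and 800-850 band boundaries and the cutoff are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Observation:
    score: int      # score held at the start of a 12-month outcome window
    breached: bool  # True if a material cyber event followed in that window

# Constructed sample, not real FICO data: (bin lower bound, organizations, breached).
SAMPLE_BINS = [
    (300, 10, 5),   # 300-399: 5 of 10 breached -> odds 5/5 = 1.0
    (400, 20, 6),
    (500, 40, 8),
    (600, 60, 6),
    (700, 50, 3),
    (800, 25, 1),   # 800-850: 1 of 25 breached -> odds 1/24
]

def expand_sample(bins=SAMPLE_BINS) -> list:
    """One Observation per organization; scores spread evenly across the bin and
    the first `bad` organizations in each bin are the breached ones."""
    obs = []
    for lower, n, bad in bins:
        upper = min(lower + 99, 850)  # 850 is the top of the quoted scale
        for i in range(n):
            score = lower + (i * (upper - lower)) // max(n - 1, 1)
            obs.append(Observation(score=score, breached=i < bad))
    return obs

def odds(obs: Iterable[Observation]) -> float:
    """Breach odds = bads / goods among the given observations."""
    obs = list(obs)
    bad = sum(1 for o in obs if o.breached)
    good = len(obs) - bad
    if bad == 0 or good == 0:
        raise ValueError("band must contain both goods and bads")
    return bad / good

def dynamic_range(obs, low=(300, 399), high=(800, 850)) -> float:
    """Odds in the worst-score band divided by odds in the best-score band;
    24 means an organization scoring 300 has 24x the breach odds of one at 850."""
    def band(lo_hi):
        return (o for o in obs if lo_hi[0] <= o.score <= lo_hi[1])
    return odds(band(low)) / odds(band(high))

def operating_point(obs, cutoff: int) -> dict:
    """Flag every score below `cutoff` and report how goods and bads split:
    fp = flagged goods (needless escalation), fn = passed bads (missed risk)."""
    flagged = [o for o in obs if o.score < cutoff]
    passed = [o for o in obs if o.score >= cutoff]
    return {"tp": sum(o.breached for o in flagged),
            "fp": sum(not o.breached for o in flagged),
            "fn": sum(o.breached for o in passed),
            "tn": sum(not o.breached for o in passed)}
```

Moving the cutoff up or down trades false negatives for false positives, which is the operating-point choice the text refers to; the dynamic range is independent of that choice.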

4. Methodology

Overview

Chartis is a research and advisory firm that provides technology and business advice to the global financial services industry. Chartis provides independent market intelligence regarding market dynamics, regulatory trends, technology trends, best practices, competitive landscapes, market sizes, expenditure priorities, and mergers and acquisitions. Chartis’ RiskTech and FinTech Quadrant™ reports are written by experienced analysts with hands-on experience of selecting, developing and implementing financial technology solutions for a variety of international companies in a range of industries including banking, insurance and capital markets. The findings and analyses in our quadrant reports reflect our analysts’ considered opinions, along with research into market trends, participants, expenditure patterns, and best practices.

Chartis seeks to include RiskTech and FinTech vendors that have a significant presence in a given target market. The significance may be due to market penetration (e.g., a large client base) or innovative solutions. Chartis uses detailed ‘vendor evaluation forms’ and briefing sessions to collect information about each vendor. If a vendor chooses not to respond to a Chartis request for information, Chartis may still include the vendor in the report. Should this happen, Chartis will base its opinion on direct data collated from technology buyers and users, and from publicly available sources.

Chartis’ research clients include leading financial services firms and Fortune 500 companies, leading consulting firms and financial technology vendors. The vendors evaluated in our quadrant reports can be Chartis clients or firms with whom Chartis has no relationship.

Chartis evaluates all vendors using consistent and objective criteria, regardless of whether or not they are Chartis clients. Chartis does not give preference to its own clients and does not request compensation for inclusion in a quadrant report, nor can vendors influence Chartis’ opinion.

Selection criteria

Chartis selected a set of vendors that cover the two main approaches to CRQ – internal and external. Vendors that sell risk scores formed the bulk of those we assessed, although we also looked at vendors that provide modeling suites, as well as those that use CRQ modeling for insurance underwriting. Note also that some vendors did not respond to our invitation to brief us for this report.

Briefing process

We conducted face-to-face and/or web-based briefings with each vendor[4]. During these sessions, Chartis experts asked in-depth, challenging questions to establish the real strengths and weaknesses of each vendor. Vendors provided Chartis with:

• A business update – an overview of solution sales and client satisfaction.

• A product update – an overview of relevant solutions and R&D roadmaps.

• A product demonstration – key differentiators of their solutions relative to those of their competitors.

In addition to briefings, Chartis used other third-party sources of data, such as conferences, academic and regulatory studies, and publicly available information.

Evaluation criteria

We develop specific evaluation criteria for each piece of quadrant research from a broad range of overarching criteria, outlined below. By using domain-specific criteria relevant to each individual risk, we can ensure transparency in our methodology, and allow readers to fully appreciate the rationale for our analysis. The specific criteria used for CRQ are shown in Table 4.

Completeness of offering

• Depth of functionality. The level of sophistication and amount of detailed features in the software product (e.g., advanced risk models, detailed and flexible workflow, domain-specific content). Aspects assessed include: innovative functionality, practical relevance of features, user-friendliness, flexibility, and

[4] Note that vendors do not always respond to requests for briefings; they may also choose not to participate in the briefings for a particular report.

embedded intellectual property. High scores are given to those firms that achieve an appropriate balance between sophistication and user-friendliness. In addition, functionality linking risk to performance is given a positive score.

• Breadth of functionality. The spectrum of requirements covered as part of an enterprise risk management system. This will vary for each subject area, but special attention will be given to functionality covering regulatory requirements, multiple risk classes, multiple asset classes, multiple business lines, and multiple user types (e.g. risk analyst, business manager, CRO, CFO, Compliance Officer). Functionality within risk management systems and integration between front-office (customer-facing) and middle/back office (compliance, supervisory and governance) risk management systems are also considered.

• Data management and technology infrastructure. The ability of risk management systems to interact with other systems and handle large volumes of data is considered to be very important. Data quality is often cited as a critical success factor, and ease of data access, data integration, data storage, and data movement capabilities are all important factors. Particular attention is given to the use of modern data management technologies, architectures and delivery methods relevant to risk management (e.g., in-memory databases, complex event processing, component-based architectures, cloud technology, and Software as a Service). Performance, scalability, security and data governance are also important factors.

• Risk analytics. The computational power of the core system, the ability to analyze large amounts of complex data in a timely manner (where relevant, in real time), and the ability to improve analytical performance are all important factors. Particular attention is given to the difference between ‘risk’ analytics and standard ‘business’ analytics. Risk analysis requires such capabilities as non-linear calculations, predictive modeling, simulations, scenario analysis, etc.

• Reporting and presentation layer. The ability to present information in a timely manner, the quality and flexibility of reporting tools, and ease of use, are important for all risk management systems. Particular attention is given to the ability to do ad-hoc ‘on-the-fly’ queries (e.g., ‘what-if’ analysis), as well as the range of ‘out of the box’ risk reports and dashboards.

Table 4: Evaluation criteria for Chartis’ cyber risk quantification solutions report

Completeness of offering | Market potential
Scoring/event risk quantification | Business model
Risk modeling and aggregation | Market penetration
Allocation, attribution, and impact analysis | Financials
Visualization and analytics | Customer satisfaction
Financial quantification | Growth strategy

Source: Chartis Research

Market potential

• Business model. Includes implementation and support and innovation (product, business model and organizational). Important factors include size and quality of implementation team, approach to software implementation, and post-sales support and training. Particular attention is given to ‘rapid’ implementation methodologies and ‘packaged’ services offerings. Also evaluated are new ideas, functionality and technologies to solve specific risk management problems. Speed to market, positioning, and translation into incremental revenues are also important success factors in launching new products.

• Market penetration. Volume (i.e. number of customers) and value (i.e. average deal size) are considered important. Rates of growth relative to sector growth rates are also evaluated. Also covers brand awareness, reputation, and the ability to leverage current market position to expand horizontally (with new offerings) or vertically (into new sectors).

• Financials. Revenue growth, profitability, sustainability, and financial backing (e.g. the ratio of license to consulting revenues) are considered key to scalability of the business model for risk technology vendors.

• Customer satisfaction. Feedback from customers is evaluated, regarding after-sales support and service (e.g. training and ease of implementation), value for money (e.g. price to functionality ratio) and product updates (e.g. speed and process for keeping up to date with regulatory changes).

• Growth strategy. Recent performance is evaluated, including financial performance, new product releases, quantity and quality of contract wins, and market expansion moves. Also considered are the size and quality of the sales force, sales distribution channels, global presence, focus on risk management, messaging, and positioning. Finally, business insight and understanding, new thinking, formulation and execution of best practices, and intellectual rigor are considered important.

Quadrant construction process

Chartis constructs its quadrants after assigning scores to vendors for each component of the completeness of offering and market potential criteria. By aggregating these values, we produce total scores for each vendor on both axes, which are used to place the vendor on the quadrant.

Definition of quadrant boxes

Chartis’ quadrant reports do not simply describe one technology option as the best solution in a particular area. Our ranking methodology is designed to highlight which solutions are best for specific buyers, depending on the technology they need and the implementation strategy they plan to adopt. Vendors that appear in each quadrant have characteristics and strengths that make them especially suited to that particular category, and by extension to particular users’ needs.

Point solutions

• Point solutions providers focus on a small number of component technology capabilities, meeting a critical need in the risk technology market by solving specific risk management problems with domain-specific software applications and technologies.

• They are often strong engines for innovation, as their deep focus on a relatively narrow area generates thought leadership and intellectual capital.

• By growing their enterprise functionality and utilizing integrated data management, analytics and Business Intelligence (BI) capabilities, vendors in the point solutions category can expand their completeness of offering, market potential and market share.

Best-of-breed

• Best-of-breed providers have best-in-class point solutions and the ability to capture significant market share in their chosen markets.

• They are often distinguished by a growing client base, superior sales and marketing execution, and a clear strategy for sustainable, profitable growth. High performers also have a demonstrable track record of R&D investment, together with specific product or ‘go-to-market’ capabilities needed to deliver a competitive advantage.

• Because of their focused functionality, best-of-breed solutions will often be packaged together as part of a comprehensive enterprise risk technology architecture, co-existing with other solutions.

Enterprise solutions

• Enterprise solution providers typically offer risk management technology platforms, combining functionally rich risk applications with comprehensive data management, analytics and BI.

• A key differentiator in this category is the openness and flexibility of the technology architecture and a ‘toolkit’ approach to risk analytics and reporting, which attracts larger clients.

• Enterprise solutions are typically supported with comprehensive infrastructure and service capabilities, and best-in-class technology delivery. They also combine risk management content, data and software to provide an integrated ‘one stop shop’ for buyers.

Category leaders

• Category leaders combine depth and breadth of functionality, technology and content with the required organizational characteristics to capture significant share in their market.

• They demonstrate a clear strategy for sustainable, profitable growth, matched with best-in-class solutions and the range and diversity of offerings, sector coverage and financial strength to absorb demand volatility in specific industry sectors or geographic regions.

• They will typically benefit from strong brand awareness, a global reach, and strong alliance strategies with leading consulting firms and systems integrators.

5. Further reading

• Cyber Risk Quantification Solutions, 2019; Market and Vendor Landscape

• Spotlight: quantifying cyber risk in financial institutions

• Financial Crime Risk Management Systems: AML and Watchlist Monitoring; Market Update and Vendor Landscape, 2019

• Financial Crime Risk Management Systems: Enterprise Fraud; Market Update 2018

• Financial Crime Risk Management Systems: Trade Surveillance – Transaction Monitoring; Overview and Vendor Landscape, 2019

• Artificial Intelligence in Financial Services, 2019: Demand-Side Analysis

For all these reports, see www.chartis-research.com
