Vendor Analysis: FICO Cyber Risk Quantification Solutions, 2019
Chartis Research
© Copyright Infopro Digital Services Limited 2019
Chartis Research is the leading provider of research and analysis on the global market for risk technology. It is part of Infopro Digital, which owns market-leading brands such as Risk and WatersTechnology. Chartis’ goal is to support enterprises as they drive business performance through improved risk management, corporate governance and compliance, and to help clients make informed technology and business decisions by providing in-depth analysis and actionable advice on virtually all aspects of risk technology. Areas of expertise include:

• Credit risk.
• Operational risk and governance, risk and compliance (GRC).
• Market risk.
• Asset and liability management (ALM) and liquidity risk.
• Energy and commodity trading risk.
• Financial crime including trader surveillance, anti-fraud and anti-money laundering.
• Cyber risk management.
• Insurance risk.
• Regulatory requirements including Basel 2 and 3, Dodd-Frank, MiFID II and Solvency II.

Chartis is solely focused on risk and compliance technology, which gives it a significant advantage over generic market analysts. The firm has brought together a leading team of analysts and advisors from the risk management and financial services industries. This team has hands-on experience of implementing and developing risk management systems and programs for Fortune 500 companies and leading consulting houses.

Visit www.chartis-research.com for more information. Join our global online community at www.risktech-forum.com.

© Copyright Infopro Digital Services Limited 2019. All Rights Reserved.

No part of this publication may be reproduced, adapted, stored in a retrieval system or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of Infopro Digital Services Limited trading as Chartis Research (‘Chartis’).

The facts of this document are believed to be correct at the time of publication but cannot be guaranteed. Please note that the findings, conclusions and recommendations that Chartis delivers will be based on information gathered in good faith, whose accuracy we cannot guarantee. Chartis accepts no liability whatever for actions taken based on any information that may subsequently prove to be incorrect or errors in our analysis. See ‘Terms and conditions’.

RiskTech100®, RiskTech Quadrant®, FinTech Quadrant™ and The Risk Enabled Enterprise® are Registered Trade Marks of Infopro Digital Services Limited. Unauthorized use of Chartis’ name and trademarks is strictly prohibited and subject to legal penalties.

Table of contents

1. Report context 5
2. Quadrant context 8
3. Vendor context 11
4. Methodology 16
5. Further reading 19

List of figures and tables

Figure 1: The increasing value of CRQ 7
Figure 2: The operational scope of quantification 7
Figure 3: RiskTech® Quadrant for cyber risk quantification solutions, 2019 9
Figure 4: The FICO ESS – benchmarking example 12
Figure 5: ESS Portrait – example screen 12
Figure 6: ESS Landscape – example screen 13
Figure 7: FICO Cyber Risk Score – third-party risk management example 14
Table 1: Completeness of offering – FICO (cyber risk quantification solutions, 2019) 10
Table 2: Market potential – FICO (cyber risk quantification solutions, 2019) 10
Table 3: FICO – company information 11
Table 4: Evaluation criteria for Chartis’ cyber risk quantification solutions report 17

1. Report context

This Vendor Analysis is based on the Chartis quadrant report Cyber Risk Quantification Solutions, 2019: Market and Vendor Landscape (published in May 2019). This section summarizes the key theses in that report; subsequent sections take a detailed look at FICO’s quadrant positioning and scoring, and Chartis’ underlying opinion and analysis.

Key thesis

We want quant

As the frequency and severity of cyber breaches continue to grow, cyber crime is now one of the biggest challenges facing financial institutions (FIs). Adding to their problems, FIs must also address the growing risk of technology outages – established FIs’ legacy networks and newer challengers’ untested systems have both fallen victim to cyber incidents.

Clearly this is an issue, and it’s a costly one too. Overall, breaches and outages can cost the average FI millions of dollars annually, and the figure increases significantly for the largest institutions. Facing a rise in threats, institutions of all types are spending big on their cybersecurity systems.

Yet amid the fog of spending and hype surrounding the latest cybersecurity defenses, the task of systematically quantifying firms’ relative cyber risks has until recently gone unaddressed. This lack of functionality has also prevented FIs and vendors from assessing the relative effectiveness of different cybersecurity systems. Most current solutions used against malicious attacks and potential system failures – from passwords and firewalls to AI-powered enterprise systems – often do not rigorously quantify the benefits of the reduced risk they offer.

FIs and vendors have sought to quantify cyber risk before, but increasingly they are spending such large sums on cybersecurity systems that they require defensible risk scores for their cyber domains. And only now is there technology available to automate analysis and leverage the vast datasets required to properly quantify cyber risk.

Demand for cyber risk quantification (CRQ) solutions is coming from insurers – keen to assess the risk in counterparties’ infrastructure – and more general financial services firms, which want to assess the risk in the systems they rely on for their operations. This is becoming more pressing as FIs’ IT systems and risk-management infrastructures become more complex.

Vendors to the rescue

Increasingly, Chartis believes, vendors of CRQ solutions will develop specific functionality across four key functional and operational areas: the cyber risk score, loss estimation, portfolio optimization, and attribution. Vendors currently approach CRQ from two angles: externally, assessing a firm’s network in relation to that of other firms; and internally, mapping the risk of cyber events occurring on a firm’s own network. By partnering and cooperating, vendors can start to offer comprehensive solutions that will enable them to exploit the ever-growing CRQ market.

Demand-side takeaways

Defining cyber risk quantification

Chartis defines the components of CRQ as:

• Cyber risk. The likelihood and severity of a loss due to the breach or failure of IT systems. These losses are the business impacts¹ that might result from the theft of confidential data, the compromise of information integrity, or the loss of systems availability, as well as any costs required to rectify issues.

• Cyber risk quantification. The evaluation of cyber risk using mathematical models to produce a numerical score or ranking. These components can be fashioned into better tools for risk managers to measure the level and location of the cyber risk their FIs carry. In addition, by viewing security systems through the lens of risk, risk professionals can demonstrate the value of those solutions to the broader business.

This approach offers CROs, CTOs, and CISOs² a valuable joint lexicon to communicate their institution’s stance on risk to all relevant staff in a language they already share.

¹ Business impacts may also include regulatory enforcement and reputational damage, although not all systems can or will quantify these.
² Chief risk officers, chief technology officers and chief information security officers.

The drivers of demand for CRQ solutions

Until recently, assessments of cyber risk were limited to manual analyses of a firm’s own systems or those of a third party (with its consent), whereby examiners inspected networks on a case-by-case basis. FIs relied on manual assessment using qualitative standards such as ISO 27001 or the NIST Cybersecurity Framework, both of which require significant modification to suit specific organizational contexts.

Modern CRQ techniques attempt to circumvent the persistent obstacles to statistically measuring

Tangled infrastructure is risky infrastructure

The broad demand for CRQ solutions arises because FIs continue to add new systems to their legacy cores. The complexity of FIs’ infrastructure – and its inherent risk – has grown to cope with demands on systems that cover everything from incorporating multiple market data streams to offering extended functionality to retail customers. These systems are often provided by third parties – such as market data suppliers in the first instance and application developers in the second.

CRQ is applied broadly at all points in FIs’ provision of services to support business processes. Regulators such as the US Office of the Comptroller of the Currency expect banks to ‘practice risk management regardless of whether the bank performs the activity internally or through a third party.’ Firms must thus monitor the risk they carry due to their use of