So far, 2024 is turning out to be a banner year for headline-making cyber incidents, breaches, and business disruption events due to third-party technology risks. But it is not only headlines that are being generated; these kinds of incidents have victims. Behind every headline, there are also headaches for real people.
According to a recent article in USA Today, more than one billion individuals have been affected by cyber incidents so far in 2024 – a 409% increase over the same period last year. The pace of cyber incidents, and the headlines and headaches that accompany them, requires businesses and their stakeholders to anticipate and manage cyber incident risk better.
Since companies can only manage what they measure, better measurements should yield better results. The goal of the ISS Cyber Risk Score is to provide a predictive and actionable measurement of cyber risk that informs decisions by investors, insurers, and the subject companies themselves. With that in mind, the analytics that underpin the scoring model are regularly updated and enhanced.
A Better Yardstick
An updated and enhanced version of the ISS Cyber Risk Score was released today. It gives users a forward-looking view of cyber incident risk based on an empirical assessment of an organization’s internet-exposed technology assets. The score rank-orders firms on a scale from 300 to 850, with higher scores indicating lower risk; it is a scaled representation of the likelihood that an organization will suffer a significant, reportable cybersecurity incident over the next 12 months.
In version 5.1 of the ISS Cyber Risk Score model, the difference in relative odds across the score band yields a dynamic range of 32x: organizations scoring 300 are 32 times more likely to suffer a significant breach incident over the subsequent twelve months than organizations scoring 850. This version takes advantage of a richer collection of cyber incident exemplar data, improved signal collection techniques, and improved model feature engineering based on stronger signal-to-incident outcome correlations identified by the ISS data science and analytics development teams.
The ISS Cyber Risk Score uses a set of engineered features derived from observations of a company’s public Internet-facing properties: the set of pay-level domains owned by the organization and the set of IPv4 network prefixes it owns or leases. The algorithm considers several categories of technical information, including the extent of assets exposed to the Internet; the configuration of those assets; the exposure of network infrastructure; the presence, condition, and nature of exposed services; the presence of common misconfigurations and security flaws; evidence of endpoint compromise; and the use of best practices in website construction. The size and sector of the subject company also influence the score, as examined in a recent post.
The score is packaged with other details and explanatory tools that help users interpret and act on the score across multiple use cases, including investment portfolio risk assessment, investment stewardship, and issuer engagement.
New Motivations for Measurement
The model’s ability to differentiate ‘goods’ from ‘bads’, that is, to discern forward-looking cyber incident risk over a 12-month performance period, is the foundation of its utility as a tool for helping companies attain better results through better risk measurement.
The SEC’s new disclosure rules, which took effect in December 2023, have put a new spotlight on the management of cybersecurity risks, creating an impetus to measure performance and to understand risk relative to peers. Investors and other stakeholders are looking for independent, empirical evidence of sound company cyber practices to pressure-test what they are now beginning to learn from more robust disclosures.
In addition to the model’s improved predictive performance, the usability of the score has been enhanced through a realignment of the score-to-odds relationship. Incident odds now double with every 100-point drop in the score (and are halved with every 100-point increase), so a firm scoring 500 carries twice the predicted incident odds of a firm scoring 600 and four times those of a firm scoring 700. This makes the score easier to understand and the relative difference between any two scores immediately meaningful, even for casual users. Score continuity between the previous and new model versions has also been preserved: the average score difference is less than 4 points, and fewer than 1% of scored firms shift more than 50 points in either direction.
A newly added Cyber Risk Decile metric provides further insight into relative risk, as measured by the score, in the context of industry-relevant peer groupings. Additionally, new Component Scores describe the relative impact of the underlying technical measurements on the ISS Cyber Risk Score for any given firm across five categories of risk exposure, namely Internet Presence, Infrastructure, Software Services, Endpoint Security, and Website Construction.
Proof Points
As illustrated in Figure 1, a recent analysis of cyber incidents reported in calendar years 2022 and 2023 by Russell 3000 Index (R3K) firms highlights the efficacy of the score in discerning cyber risk. Over this period, nearly 700 distinct cyber incidents were reported by R3K companies. The average score of firms that reported incidents was 66 points lower than that of firms that did not. Under the score-to-odds relationship of the then-current ISS Cyber Risk Score model, this corresponds to a 72% higher predicted cyber incident risk for the firms that actually reported incidents.
Figure 1: 2022/2023 ISS Cyber Risk Score for R3K Firms; Cyber Incidents vs No Incident
Source: ISS Cyber Risk Score platform database
Notably, as a predictive cyber incident risk tool, the score performed equally well for first-party and third-party incident risk.
Availability
Scores and other metrics based on the new ISS Cyber Risk Score model will appear in downstream systems for subscribing clients beginning on July 29th, 2024.