NEW YORK (July 6, 2023) — ISS ESG, the sustainable investment arm of Institutional Shareholder Services Inc. (ISS), today announced enhancements, to be released later this month, to its ISS ESG Cyber Risk Score, which provides users with a forward-looking view of cyber risk based on an assessment of an organization’s internet-exposed assets.
The ISS ESG Cyber Risk Score rank-orders organizations on a 300 to 850 scale, based on the assessed likelihood that an organization will suffer a material cybersecurity incident within the next 12 months. Similar to scales commonly used for credit scores, the high end of the scale (850) represents low risk whereas the low end of the scale (300) represents high risk. The score is bolstered with other details and explanatory tools that help users interpret and action the score for multiple use-cases, including investment risk assessment, cyber breach insurance underwriting, third-party risk management, as well as corporate-level self-assessment.
In the enhanced ISS ESG Cyber Risk Score model 5.0, the difference in relative odds across the score band has been improved so that it now yields a dynamic range of 31x, meaning organizations that score 300 are 31 times more likely to suffer a material breach incident over the subsequent twelve-month period than organizations scoring 850. The objective of any predictive model is to help users make better decisions by more accurately forecasting future outcomes. The ability of this model to differentiate ‘goods’ from ‘bads’ by discerning forward-looking risk is a key differentiator in the market.
Further, the enhanced ISS ESG Cyber Risk Score offering includes an update to one of its key explanatory tools, which relates to incident type likelihood. This new rank ordering of common incident types allows users to better understand the types of security events more likely (and less likely) to impact the subject organization. While the Cyber Risk Score quantifies the overall risk of a significant cyber breach incident in the next 12 months, the Incident Type Likelihood element provides insight into the most likely vectors for a cyber compromise.
The augmented Incident Type Likelihood 2.0 model rank-orders four incident type categories that any organization may find itself facing, namely: social engineering and phishing, ransomware or malware, vulnerability exploit, and third-party breach. The model works by comparing the firmographic characteristics of the subject organization with a deep pool of breach exemplars to gain an understanding of the common firmographic features of organizations by incident type. The resulting rank-ordered list is generated each time the Cyber Risk Score is refreshed, and is included for corporate users accessing the score via the corporate user interface or via downloadable reports.
Along with the enhanced Cyber Risk Score itself, the augmented Incident Type Likelihood feature provides a new level of granularity and performance over the previous model.
Executive Director, Communications, ISS