Cyber Risk Quantification Solutions: Market and Vendor Landscape 2019

We want quant

As the frequency and severity of cyber breaches continue to grow, cyber crime is now one of the biggest challenges facing financial institutions (FIs). Adding to their problems, FIs must also address the growing risk of technology outages – established FIs’ legacy networks and newer challengers’ untested systems have both fallen victim to cyber incidents.

Clearly this is an issue, and it’s a costly one too. Overall, breaches and outages can cost the average FI millions of dollars annually, and the figure increases significantly for the largest institutions. Facing a rise in threats, institutions of all types are spending big on their cybersecurity systems.

Yet amid the fog of spending and hype surrounding the latest cybersecurity defenses, the task of systematically quantifying firms’ relative cyber risks has until recently gone unaddressed. This lack of functionality has also prevented FIs and vendors from assessing the relative effectiveness of different cybersecurity systems. Most current solutions used against malicious attacks and potential system failures – from passwords and firewalls to AI-powered enterprise systems – often do not rigorously quantify the benefits of the reduced risk they offer.

FIs and vendors have sought to quantify cyber risk before, but increasingly they are spending such large sums on cybersecurity systems that they require defensible risk scores for their cyber domains. And only now is there technology available to automate analysis and leverage the vast datasets required to properly quantify cyber risk.

Demand for cyber risk quantification (CRQ) solutions is coming from insurers – keen to assess the risk in counterparties’ infrastructure – and more general financial services firms, which want to assess the risk in the systems they rely on for their operations. This is becoming more pressing as FIs’ IT systems and risk-management infrastructures become more complex.

Vendors to the rescue

Increasingly, Chartis believes, vendors of CRQ solutions will develop specific functionality across four key functional and operational areas: the cyber risk score, loss estimation, portfolio optimization, and attribution. Vendors currently approach CRQ from two angles: externally, assessing a firm’s network in relation to that of other firms; and internally, mapping the risk of cyber events occurring on a firm’s own network. By partnering and cooperating, vendors can start to offer comprehensive solutions that will enable them to exploit the ever-growing CRQ market.

To evaluate the vendor landscape and explain the structure of the market we use Chartis’ RiskTech Quadrant®. The RiskTech Quadrant® uses a comprehensive methodology of in-depth independent research and a clear scoring system to explain which technology solutions meet an organization’s needs. The RiskTech Quadrant® does not simply describe one technology solution as the best risk management solution; it has a sophisticated ranking methodology to explain which solutions would be best for buyers, depending on their implementation strategies.

This report covers the following providers of CRQ solutions: Aon, BitSight, Corax, CyberPoint, eFortresses, FICO, foreseeti, IBM, Marsh, RiskLens, RiskRecon, RiskSense, SecurityScorecard, UpGuard and Willis Towers Watson¹.

We aim to provide as comprehensive a view of the vendor landscape as possible within the context of our research. Note, however, that not all vendors we approached responded to our requests for briefings, and some declined to participate in this research.

¹ Note that references to specific vendors within the text of this report do not constitute endorsements of their products by Chartis.