Big four accounting firms join in cyber-risk effort

Computerworld - A consortium of companies that includes the Big Four accounting firms and at least one large insurer is quietly working on a cybersecurity risk measurement framework for large enterprises, Computerworld has learned.

The Risk Preparedness Index is being developed by the newly formed Global Security Consortium, which so far includes PricewaterhouseCoopers, Ernst & Young LLP, Deloitte & Touche LLP, KPMG International and insurance giant AIG International Inc.

The RPI was originally being developed to provide a risk measurement model for use within the insurance and accounting industries. But the goal now is for the index to provide the basis for a much more broadly applicable system for measuring and rating organizational risk preparedness, according to a source close to the GSC.

The GSC has been in active discussions with several industry groups, including The Open Group standards body, for several months in a bid to gain endorsements and wider support for the effort to build the framework.

A GSC spokesman declined to comment on the current status of that effort. But the source close to the body confirmed that the GSC is working on delivering the framework and said it will be available by this summer.

All of the Big Four accounting firms were unable to provide comments on their participation by press time.

"[The RPI] will allow third-party auditors to come in and make a judgment as to whether or not you are complying with established cybersecurity practices," explained Larry Clinton, chief operating officer at the Internet Security Alliance. ISA members that score above a certain level on the RPI could qualify for lower insurance rates.

The Arlington, Va.-based ISA is a collaborative effort between the CERT Coordination Center at Carnegie Mellon University in Pittsburgh and the Electronic Industries Alliance, a federation of trade associations.

Robert A. Parisi Jr., senior vice president and chief underwriting officer for AIG's eBusiness Risk Solutions group, said he wasn't aware of the specifics of the arrangement with the ISA. But ISA members assessed by means of tools such as the RPI will be viewed as "highly desirable risks and ones that we want to price in a highly competitive fashion because we view them as doing the right thing," Parisi said.

"This is an attempt to come up with a kind of universally agreed upon set of values and benchmarks that can be applied across industries" for measuring a company's exposure to cyber risk, Parisi said. "When you have all of the big accounting firms applying a certain standard, it carries a certain amount of weight," he added.

The relative lack of broadly applicable quantitative risk-measurement tools for the critical infrastructure and for enterprise IT has been a long-lamented issue among security professionals.