What Moody’s and Standard & Poor’s are to corporate credit ratings, companies such as FICO and Bitsight are becoming to corporate cyber risk ratings. Businesses have long relied on credit ratings to gauge investment risk, and now they are relying on rating companies for a standard benchmark of cyber risk. This growing industry includes a number of providers, and their customers use the ratings in a variety of ways.
Uses of Cybersecurity Scores
Insurance companies often use cybersecurity scores to help assign a risk level for cyber insurance. Potential impact: Cyber insurance will likely cost more for small businesses with gaps in their cybersecurity than for companies with strong measures in place.
Businesses use scores to rate their third-party providers during the selection process. Potential impact: Suppliers may lose bids not on cost or service commitments, but on weak cybersecurity.
Businesses use scores to monitor their third-party providers’ security risk level and the potential impact on themselves. Potential impact: Large businesses may demand stronger cybersecurity measures from their suppliers and terminate agreements with low-scored providers.
Businesses use scores to monitor their competitors’ cybersecurity level. Potential impact: Businesses may find ways to turn their strong cybersecurity into a competitive advantage over competitors with weaker measures.
Companies use their own score to communicate their risk level to the board of directors. Potential impact: Increased board awareness may help cybersecurity management win the support they need.
Data comprising the cybersecurity score is gathered from a variety of publicly accessible information sources, including:
- Hackers’ forums and data available on the Dark Web
- Use of multi-factor authentication by a company
- Known vulnerabilities to a company’s network
- Open ports to a company’s network
- Patching practices
The risk raters also analyze data flowing into or out of a network to estimate the volume of malware, spam, or viruses associated with a company’s network. The raters couple the collected and analyzed data with their own proprietary predictive modeling. In some services, the data is monitored continuously and a rating may change quickly to reflect any fluctuation. For example, if stolen data suddenly appears for sale on the Dark Web, the rating of the affected company may drop almost immediately.
What You Can Do
If your business uses third-party providers, you should consider investigating the services of scoring companies. If you are a supplier to a large company, you should consider asking your client how they use cybersecurity scores to evaluate vendors like you. Cybersecurity is no longer a private matter within your own company. Future business deals and contracts may be won or lost on cybersecurity effectiveness, not just price or service levels.