In a collaborative effort, some of the world’s largest insurers have set out to create a consumer ratings service for the cybersecurity industry.
The initiative, launched Tuesday and set to be led by Marsh & McLennan, will attempt to score the best products for reducing hacking risks and will create an assessment of the best cybersecurity offerings available to businesses, according to the Wall Street Journal.
The firm will collect and combine scores from participating insurers and will ultimately identify and rate products, offerings and services they believe will be effective in reducing cyber risks. The results will be publicly available on the firm’s website.
Panorays CEO and co-founder Matan Or-El applauded the new initiative, calling it a win-win for all.
“Customers will need to up their cybersecurity program, thus reducing their cyber risk to attacks while cyber insurers will process less claims due to the higher standard of security,” Or-El said. “That said, there will undoubtedly be bumps along the way to assess the cyber security technologies.”
Enforcing collaboration between the insurers is mandatory to ensure that this initiative gets off the ground and becomes effective, he said, noting that keeping up to date with the ever-evolving threatscape is necessary to determine the efficacy of products against new threats.
Traditional and well-established technologies must be evaluated in a similar manner to innovative technologies that address the newer challenges. In addition, the assessment process must scale to accommodate the evaluation of thousands of cybersecurity products.
Not all researchers were on board with the initiative. Jonathan Deveaux, head of enterprise data protection at comforte AG, expressed concern, pointing out that research analyst firms already provide some sort of rating system for the cybersecurity industry and that adding another rating system could affect companies.
“Gartner uses the 'Magic Quadrant,' KuppingerCole uses the 'Leadership Compass,' and Forrester uses the 'New Wave' rating system,” Deveaux said. “Now, with global insurers collaborating on a rating system, this leaves a lot of open questions on how this could impact organizations today.”
Deveaux added that there are hundreds of products and solutions available which offer various ways to approach cybersecurity and that some solutions are more effective than others in terms of what the solution does and where it actually secures.
“For example, under the general category of 'data security,' the data protection methods vary when it comes to actually securing the data – security professionals today know about Encryption, Tokenization, Data Masking (both dynamic and static) – all of which provide various ways to protect, de-identify, anonymize, or pseudonymize data,” Deveaux said.
“Also under the general category of 'data security,' some solutions secure access to the data, rather than provide the protection mechanisms to the data itself,” he explained.
There are also frameworks and regulations concerning data security compliance that provide guidance to organizations on how to approach data security concerning governance, internal policy, detection, prevention and response, Deveaux added.
The rating system also raises the question of what will happen if a company follows the system and still suffers a data incident which fails to meet GDPR requirements, he said.
In this case, it is unclear what coverage the insurance company would provide, or whether the GDPR fine of up to four percent of annual revenue would be covered and paid by the insurance company. At the end of the day, consumers want to know what companies are securing their data, and hopefully the collaborative rating system will lead to better overall security posture on their end.