Security ratings services have become a popular way for companies to assess their own cybersecurity posture, as well as that of their partners. And, while they are useful for establishing a data baseline of competence, they are often relied on as something more than that. For example, they’re used in boardrooms as “eye candy” to portray the state of company cyber-risk, with supply chain partners to manage third-party risk and, even more frightening, by insurance companies to create risk profiles for cyber-insurance policies.
Unfortunately, when companies use these ratings in this way it’s like saying “the weather will be beautiful today” just by looking at the outdoor temperature – an incomplete assessment that’s often dreadfully wrong. And in the end, what does your company’s “A-” or “B-” rating actually mean? Does it truly reflect the security of the company? Usually not. And, because of this, cyber insurance companies using these scores rely on an inaccurate assessment of target-company risk.
Diving a little deeper into this issue, here are three reasons why cyber insurance companies should rethink their use of security ratings:
- Ratings are a point-in-time evaluation: A security rating evaluation happens at a particular point in time – it can’t offer insight into what might happen in the future. And it may not even accurately reflect that point in time. As just one example, perhaps when the security ratings evaluation was conducted, an organization in the company’s supply chain had already been breached without knowing it.
- They don’t account for the evolving threat landscape: The FBI reported that in 2020, because of the pandemic, ransomware attacks skyrocketed 400% over the previous year, with ransom payments moving from thousands to millions of dollars. No one could have predicted this scenario. A single change like this in the threat landscape completely changes the risk equation of any company. It’s a vital component of any company’s risk exposure that must be accounted for, but security ratings don’t account for it.
- Ratings are not the right kind of benchmark: Cybersecurity threats are very dynamic and the strategies to combat those risks can vary widely from industry to industry, making it extremely challenging for insurance companies to calculate risk profiles for any given company. For example, the auto insurance industry can tap decades of data across hundreds of millions of drivers to create risk profiles for each individual person. They know that if their customers are between the ages of 16 and 19, the likelihood of a certain number of accidents has been well documented, and the premium reflects that. There’s no equivalent to this type of benchmarking in the cyber insurance industry, so security ratings are a tempting substitute because they are easy to use and deliver the “instant gratification” of a security score.
So, what can cyber insurance companies do to more accurately calculate risk? While there’s no silver bullet at this point, insurers need to spend time and money developing more accurate risk profiles, so they can offer policies that are profitable for them and useful to customers.
This process requires both manual and automated risk evaluation. Calculating risk has to be tailored to the specific company, its industry and partners, the current cyber threat landscape, and other external factors that threat actors will take advantage of, like a global pandemic. Only then will cyber insurance companies get a good handle on risk evaluation and become a relied-upon and successful industry.
Tom Richards, co-founder and chief strategy officer, GroupSense