Ratings are a point-in-time evaluation: A security rating evaluation happens at a particular point in time – it can’t offer insight into what might happen in the future. It may not even accurately reflect that point in time. As just one example, perhaps when the security ratings evaluation was conducted, an organization in the company’s supply chain had already been breached without knowing it.
They don’t account for the evolving threat landscape: The FBI reported that in 2020, because of the pandemic, ransomware attacks skyrocketed 400% over the previous year, with ransom payments moving from thousands to millions of dollars. No one could have predicted this scenario. A single change like this in the threat landscape completely changes the risk equation of any company. It’s a vital component of any company’s risk exposure that must be accounted for, but security ratings don’t.
Ratings are not the right kind of benchmark: Cybersecurity threats are very dynamic, and the strategies to combat those risks can vary widely from industry to industry, making it extremely challenging for insurance companies to calculate risk profiles for any given company. For example, the auto insurance industry can tap decades of data across hundreds of millions of drivers to create risk profiles for each individual person. They know that if their customers are between the ages of 16 and 19, the likelihood of a certain number of accidents has been well documented, and the premium reflects that. There’s no equivalent to this type of benchmarking in the cyber insurance industry, so security ratings represent a tempting substitute because of their ease of use and the “instant gratification” of security scores.
DHS CISO Kenneth Bible joined the agency "in the peak of the response actions" after the SolarWinds hack. He ultimately established a four-prong strategy for supply chain risk management that pushes industry partners to take ownership of their own cybersecurity hygiene to overcome the approach of "bending metal — building something, then deciding how we wanted to address cybersecurity."
Would-be purveyors of “buy now, pay later" (BNPL) programs must consider the potential fraud and attack scenarios that are emerging in the new category — and take steps to mitigate the risks, experts say.