Ratings are a point-in-time evaluation: A security rating evaluation happens at a particular point in time – it can’t offer insight into what might happen in the future. And it may not even accurately reflect that point in time. As just one example, perhaps when the security ratings evaluation was conducted, an organization in the company’s supply chain had already been breached without knowing it.
They don’t account for the evolving threat landscape: The FBI reported that in 2020, because of the pandemic, ransomware attacks skyrocketed 400% over the previous year, with ransom payments moving from thousands to millions of dollars. No one could have predicted this scenario. A single change like this in the threat landscape completely changes the risk equation of any company. Shifts like this are a vital component of any company’s risk exposure and must be accounted for, but security ratings don’t account for them.
Ratings are not the right kind of benchmark: Cybersecurity threats are very dynamic, and the strategies to combat those risks can vary widely from industry to industry, making it extremely challenging for insurance companies to calculate risk profiles for any given company. For example, the auto insurance industry can tap decades of data across hundreds of millions of drivers to create risk profiles for each individual person. They know that if their customers are between the ages of 16 and 19, the likelihood of a certain number of accidents has been well documented, and the premium reflects that. There’s no equivalent to this type of benchmarking in the cyber insurance industry, so security ratings represent a tempting substitute because of their ease of use and the “instant gratification” of a security score.
Ponemon Institute research reaffirms that cyberattacks have a direct impact on patient safety risks and mortality, which was exacerbated by COVID-19 and ongoing risk management with third-party vendors.