Ratings are a point-in-time evaluation: A security rating evaluation happens at a particular point in time – it can’t offer insight into what might happen in the future. And it may not even accurately reflect that point in time. As just one example, perhaps when the security ratings evaluation was conducted, an organization in the company’s supply chain had already been breached without knowing it.
They don’t account for the evolving threat landscape: The FBI reported that in 2020, because of the pandemic, ransomware attacks skyrocketed 400% over the previous year, with ransom payments moving from thousands to millions of dollars. No one could have predicted this scenario. A single change like this in the threat landscape completely changes the risk equation of any company. It’s a vital component of any company’s risk exposure that must be accounted for, but security ratings don’t account for it.
Ratings are not the right kind of benchmark: Cybersecurity threats are very dynamic, and the strategies to combat those risks can vary widely from industry to industry, making it extremely challenging for insurance companies to calculate risk profiles for any given company. For example, the auto insurance industry can tap decades of data across hundreds of millions of drivers to create risk profiles for each individual person. They know that if their customers are between the ages of 16-19, the likelihood of a certain number of accidents has been well documented, and the premium reflects that. There’s no equivalent to this type of benchmarking in the cyber insurance industry, so security ratings represent a tempting substitute because of their ease of use and the “instant gratification” of a security score.
Researcher Alissa Knight found pervasive authorization vulnerabilities in an app ecosystem of 48 FHIR apps and APIs that enabled access to patient data. These APIs are intended to be the backbone of health care interoperability.
The days of third-party risk management being a check-the-box exercise are fast fading, Linda Tuck Chapman, CEO of the Third Party Risk Institute, told Derek Johnson during a SC Media eSummit fireside discussion.