The Cybersecurity and Infrastructure Security Agency (CISA) recently included security ratings or scoring as part of its cyber risk reduction initiative. But what's behind the numbers?
Sachin Bansal, general counsel at SecurityScorecard, spoke with SC Media about ratings, and how they can be used to strengthen the supply chain and determine cyber insurance premiums.
The idea of creating some kind of security rating system has been discussed for quite a while. What does CISA’s recommendation mean toward that goal?
This was significant because CISA recognized that security ratings are part of the de facto standard of care for medium and large companies. Government agencies don't make endorsements necessarily but they're identifying security ratings as a cyber risk metric. It's significant in a number of ways because they're highlighting the need for measurement to occur in cybersecurity that’s agreed upon – an objective, quantitative, driven way of being cyber resilient. How do you measure? How do you know how cyber healthy you are, how cyber resilient you are or your vendors are? How are you, compared to your peers? And so one way, not the only way, is through security ratings.
CISA focuses on critical infrastructure, which includes a number of sectors such as health care and energy and transportation and includes the government. They’re identifying a need for reducing risk in multiple sectors of our economy, which will improve both our national security and our economic security.
A rating is more than just a number. What’s involved?
Yes. So, there's a score, but underneath the score there are a number of factors that drive the score. It's important to know what the score is and what's underlying it. In a credit rating example, you’ll be interested in knowing if that business filed for bankruptcy, are their loans that they have or loans that they've defaulted on. In the cyber ratings context, it's a reading from the outside in. Non-obtrusively, it's not a penetration. It's what a hacker sees of a company. And so, it's a rating based on their holistic cyber health, like their internal network management capabilities, how often they are updating their browsers, and so forth.
The analogy is this: if you were driving in a neighborhood and you saw a bunch of houses, but one house in particular had graffiti, newspapers piling up and broken windows. That's all observable from the outside in; you would draw certain inferences based on that. So similarly, if we were to see from our data that there is a company that has outdated browsers, they have patches that they haven't released and they have a malware beaconing out onto the internet, that's an indication of poor cyber hygiene.
But looking from the outside might not tell the whole tale, right?
Now, a company might say, ‘we've got terrific internal security and you don't know what's on the inside.” It's a very valuable data point. Going back to the house analogy, the owner of the house could say ‘well you don't know that there is an armed SWAT team inside; there's an attack dog and infrareds happening. But the chances of that are quite low. So similarly, for us, if you're finding low network security, if you're finding poor DNS help, if you're finding issues with employee workstation, remote workstations, malware and so forth, the internal security is not likely to be as interesting.
How often are the ratings updated and what can that mean when it comes to securing supply chains?
Scores on your vendors allows you to see who's falling behind. These scores are updated every day because the internet changes every day. The way vendor due diligence has been done, at most, in medium and large companies is through contracts. Basically, you sign a vendor contract, and say you have to send us your yearly pen test, you have to send us your yearly SOC report. We have the right to audit you, we have the right to send you a questionnaire.
What might ratings mean in terms of liability if something does happen? Are companies that use ratings to monitor or even select their partners in a better position if a cybersecurity incident does occur?
The ratings are being used by multiple different factors right in the cybersecurity ecosystem. There are forward-leaning cyber insurers that are using cyber ratings to help them price cyber insurance they're underwriting. Our understanding is that some insurers are recognizing the a good ratings track record, whether it be for that company or for its suppliers, as a way as a way of impacting their cyber insurance either upward or downward. The analogy is if you have a good driving record or a bad driving record, it's going to impact your auto insurance.
A number of agencies and government stakeholders at the state and federal levels are starting to use security ratings for themselves, for their own service providers. They're also using it for investigative purposes, such as if they believe there has been a data breach that could violate a state consumer protection or data or state data privacy law. They can be part of those investigations. So, they can be used in an offensive and a defensive manner.
Has the SolarWinds campaign helped move the needle?
There's a particular focus on the need for cyber risk metrics, such as security ratings, in the aftermath of SolarWinds. The attack itself is not as interesting as the breadth and depth of the companies and government agencies that were affected. It has prompted a focus by policymakers and Congress and regulators on the importance of supply chain supply chain.