A 'Credit Score' for Your Cyber Risk?

It’s safe to say that the vast majority of companies can, and probably should, be doing a lot more to improve the security posture of their business networks. What most organizations probably do not realize is that there is an entity paying very close attention to just who is consistently following security best practices—and who isn’t. That entity is BitSight Technologies, a six-year-old risk assessment vendor that does this by analyzing a variety of sources that monitor which companies regularly update encryption certificates, patch system vulnerabilities in a timely manner and generally adhere to other best security practices. Keeping tabs on security BitSight goes through all of this trouble to assign a security rating to each company it reviews. Ranging from 200 to 900, a BitSight security rating is much like a credit score. BitSight has issued security ratings for some 80,000 companies, and is adding 500 more each week. Why does BitSight do this, and, perhaps more importantly, why should any organization care about a BitSight security rating? Two reasons: third-party partnerships and cyber insurance. See also: Urgent Need on ‘Silent’ Cyber Risks   First of all, BitSight’s primary customers are large enterprises that factor security ratings into decisions on which third-party suppliers they will choose to do business with, says Jake Olcott, vice president of business development at BitSight. “Today, if you’re a first party doing business with a third party, the idea of doing cyber diligence prior to entering into a business relationship is certainly on your mind,” Olcott told me, when we met at the RSA cybersecurity conference recently. Monitoring business partners Olcott says, “Once you’ve decided to enter into that business relationship, you also care about the cybersecurity performance of that third party during the lifetime of the business relationship. That’s really why a lot of folks are using our ratings today—to continuously monitor their critical third parties mostly throughout the lifetime of the business relationship.” I asked Olcott if third-party suppliers were clued in to this trend, and thus finding themselves compelled to improve their security postures in order to earn higher security ratings. “We’re absolutely seeing that,” he says. “Organizations want to represent good cybersecurity hygiene to their customers, and one way to do that is by showing a quantitative, objective measurement of their cybersecurity posture.” The second reason BitSight’s security ratings are gaining traction is because of the rapidly emerging cyber insurance market. Allied Market Research projects that the cyber insurance market is on track to climb to $14 billion by 2022, representing a compound annual growth rate of 28% during its forecast period of 2016-2022. Help for insurance companies Clearly, a lot of companies would love to offset rising cyber exposures by purchasing a cyber liability policy. However, cyber risks are unlike any other business risk to come down the pike previously. Cyber risks are complex, constantly evolving and seemingly impossible to quantify. BitSight is in the vanguard of security vendors focused on solving that problem, something that’s necessary for the cyber insurance market to fully bloom. “Seven of the 10 largest cybersecurity insurance companies are using BitSight ratings to underwrite cybersecurity insurance policies,” Olcott says. “An insurance company will collect information from the applicant about their cybersecurity posture, and also look at a BitSight security rating. Taking those data points together, they will come to a premium assessment for the applicant and issue a policy.” See also: Protecting Institutions From Cyber Risks   I asked Olcott to explain how a good vs. poor rating actually affects premium prices and policy coverages. He said: “I would say a good rating in our system would be 700 and above, and I would look at it this way: An organization that we rate a 500 or lower is actually five times more likely to experience a breach than an organization that we rate a 700 or above. So if you’re an insurance company, it’s not that you wouldn’t underwrite a policy for an organization that is a 500 or lower. It’s that you want to understand the risk that you’re taking. You don’t want your entire book of business to be of companies that are performing below a 500." This post originally appeared on ThirdCertainty.