From finance to cybersecurity

The major rating agencies, such as Moody’s and Standard & Poor’s, are well known to the general public—especially after the 2008 financial crisis. They now shape financial markets, de facto, through their generation of comparison grids, which are used, at global scale, to rate the solvency risks associated with companies.

And today, it’s clear that this approach of third-party organizations producing corporate ratings isn’t just limited to the financial sector: it’s gradually being extended into the sphere of cybersecurity.

Cyber rating agencies are now assigning “cyber scores” to companies which quantify the levels of cyber risk that companies are exposed to. The players doing this are mainly American (BitSight, Security ScoreCard, Panorays, and UpGuard, for example), but European start-up, Cyrating, also generates ratings by collecting and analyzing publicly available information, including:

• The vulnerabilities present on the company’s websites and the robustness of the TLS encryption in use;
• The reputation of the company’s public IP addresses, computed from a range of data, such as the number of complaints about spam, their appearance on blacklists used by internet and email service providers, bounce rates, etc.
• Whether corporate email address protection measures (such as DMARC, DKIM, and SPF) are in place;
• DNS analysis (whois, root and NS servers, verification of Start of Authority, MX records, etc.);
• Whether company data is present on the Dark Web.

Apart from this public-domain data, cyber rating platforms capture and analyze a large amount of exchanged data to determine, for example, , or the versions of browsers being used.

The algorithms used to do such analysis are particular to each cyber rating platform; and the platforms then monetizes the results by offering access to results as a subscription-based service.

Companies, then, get to know their rating by subscribing to a cyber rating platform service!

These scores are widely accessible, given that the rating can also be viewed by other players who subscribe to the platform. Firms can therefore compare themselves with competitors . Cyber insurers are also starting to take such ratings into account when calculating . But, more worryingly, it’s also easy to imagine that ratings might facilitate reconnaissance for cyber attackers, by helping them to target lower-rated companies—whose defensive measures are likely to be weaker.

Given all this, it seems essential that firms integrate the question of cyber ratings into their cybersecurity governance.

Some obvious limitations to the current cyber rating model

To put it bluntly, a large part of the cyber community has serious reservations about cyber ratings; this mistrust can be summarized in the following view:

“How much confidence can be placed in a security level assessment carried out by a third-party algorithm, using only a selection of the relevant parameters, and with no control mechanism for the quality of information collected? “

 There is still considerable work to do to perfect the model, which has a number of inherent flaws; these, if not addressed, risk rendering the rating irrelevant:

• doesn’t reflect a firm’s overall level of security. Many factors are ignored: internal network segmentation, system and data protection measures, detection capability, etc.;
• The rating can be “polluted” by false positives: IP addresses or domain names that do not belong to the company (registration errors), traffic originating from sandboxes considered to be malicious, etc. This therefore requires the to carry out a degree of detailed work (the sorting of IP addresses, excluding certain data) in order to obtain as accurate a result as possible;
• A lack of transparency about rating algorithms makes it difficult to evaluate the elements that have led to a given score, and to identify parameters where corrections are needed.

It’s misleading to reduce a company’s entire level of security to a single score. Moreover, in the future, it wouldn’t be surprising to see players like Qualys propose the taking into account of the results of internal tests conducted on a company’s IS, in order to refine its rating system.

A wide range of use cases

However, these limitations shouldn’t obscure the opportunities offered by subscribing to a cyber rating service.

The main argument advanced by cyber rating players is that a score represents a powerful and easy-to-understand indicator for senior management—a concept already well-established in finance but still lacking in cybersecurity. An improvement in the rating could also be used to justify and quantify the effectiveness of any corrective action plan applied to the company’s IS services.

In addition, cyber rating platforms make it possible to see how all the companies that have been assessed score, which enables a company to:

• Calibrate its performance against competitors on a common basis; and, potentially, to make an asset of cybersecurity for marketing purposes;
• Assess its suppliers’ levels of cybersecurity maturity on a more objective basis than that of questionnaires completed for a Security Assurance Plan.

Cyber rating: an essential issue for companies

Given the challenges firms face, and the opportunities on offer, it seems inevitable that cyber ratings will take off, something noted by ANSSI (the French National Cybersecurity Agency) in its strategic review of cyber defense: ” The major players in the field will therefore become benchmarks whose market position will be difficult to challenge.”

Despite the current limitations, it’s vital that companies—some of whom are already talking about giving countries financial-sector-type cyber ratings—identify how such ratings could be used as an asset increase awareness about cybersecurity among senior management, without, of course, stigmatizing .