The major rating agencies, such as Moody’s and Standard & Poor’s, are well known to the general public\u2014especially after the 2008 financial crisis. They now shape financial markets, de facto<\/em>, through their generation of comparison grids, which are used, at global scale, to rate the solvency risks associated with companies.<\/p>\n And today, it\u2019s clear that this approach of third-party organizations producing corporate ratings isn\u2019t just limited to the financial sector: it\u2019s gradually being extended into the sphere of cybersecurity.<\/p>\n Cyber rating agencies are now assigning “cyber scores”<\/strong> to companies which quantify the levels of cyber risk that companies are exposed to. The players doing this are mainly American (BitSight, Security ScoreCard, Panorays, and UpGuard, for example), but European start-up, Cyrating, also generates ratings by collecting and analyzing publicly available information, including:<\/p>\n Apart from this public-domain data, cyber rating platforms capture and analyze a large amount of exchanged data to determine, for example, , or the versions of browsers being used.<\/p>\n The algorithms used to do such analysis are particular to each cyber rating platform; and the platforms then monetizes the results by offering access to results as a subscription-based service.<\/p>\n Companies, then, get to know their rating by subscribing to a cyber rating platform service!<\/strong><\/p>\n These scores are widely accessible, given that the rating can also be viewed by other players who subscribe to the platform. Firms can therefore compare themselves with competitors . Cyber insurers are also starting to take such ratings into account when calculating . But, more worryingly, it’s also easy to imagine that ratings might facilitate reconnaissance for cyber attackers, by helping them to target lower-rated companies\u2014whose defensive measures are likely to be weaker.<\/p>\n Given all this, it seems essential that firms integrate the question of cyber ratings into their cybersecurity governance.<\/strong><\/p>\n To put it bluntly, a large part of the cyber community has serious reservations about cyber ratings; this mistrust can be summarized in the following view:<\/p>\n “How much confidence can be placed in a security level assessment carried out by a third-party algorithm, using only a selection of the relevant parameters, and with no control mechanism for the quality of information collected?\u00a0\u201c<\/em><\/p>\n \u00a0<\/em>There is still considerable work to do to perfect the model, which has a number of inherent flaws<\/em>; these, if not addressed, risk rendering the rating irrelevant:<\/p>\n It\u2019s misleading to reduce a company\u2019s entire level of security to a single score. Moreover, in the future, it wouldn\u2019t be surprising to see players like Qualys propose the taking into account of the results of internal tests conducted on a company’s IS, in order to refine its rating system.<\/p>\n However, these limitations shouldn\u2019t obscure the opportunities offered by subscribing to a cyber rating service<\/strong>.<\/p>\n The main argument advanced by cyber rating players is that a score represents a powerful and easy-to-understand indicator for senior management<\/strong>\u2014a concept already well-established in finance but still lacking in cybersecurity. An improvement in the rating could also be used to justify and quantify the effectiveness of any corrective action plan<\/strong> applied to the company\u2019s IS services.<\/p>\n In addition, cyber rating platforms make it possible to see how all the companies that have been assessed score, which enables a company to:<\/p>\n Given the challenges firms face, and the opportunities on offer, it seems inevitable that cyber ratings will take off<\/em>, something noted by ANSSI (the French National Cybersecurity Agency) in its strategic review of cyber defense: ” The major players in the field will therefore become benchmarks whose market position will be difficult to challenge.\u201d<\/em><\/p>\n Despite the current limitations, it\u2019s vital that companies\u2014some of whom are already talking about giving countries financial-sector-type cyber ratings\u2014identify how such ratings could be used as an asset increase awareness about cybersecurity among senior management, without, of course, stigmatizing .<\/p>\n","protected":false},"excerpt":{"rendered":" From finance to cybersecurity The major rating agencies, such as Moody’s and Standard & Poor’s, are well known to the general public\u2014especially after the 2008 financial crisis. They now shape financial markets, de facto, through their generation of comparison grids,…<\/p>\n","protected":false},"author":1346,"featured_media":11882,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3270,2777],"tags":[3185,3183,3186,3102,3184],"coauthors":[3135,3136],"class_list":["post-12120","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberrisk-management-strategy-en","category-cybersecurity-digital-trust","tag-cyber-en","tag-cyberating","tag-evaluation-en","tag-governance","tag-risk-estimation"],"acf":[],"yoast_head":"\n\n
Some obvious limitations to the current cyber rating model<\/h1>\n
\n
A wide range of use cases<\/h1>\n
\n
Cyber rating: an essential issue for companies<\/h1>\n