As companies get ever more concerned about the cybersecurity standards of their suppliers, they are looking for a cheap and easy way to establish whether they can trust another company. Audits are time-consuming and expensive, but a number of new companies offer so-called outside-in cybersecurity ratings that promise to provide an accurate appraisal of IT security standards through a mixture of website scans and trawling of publicly available data. Yet, if these are used as the single data point for evaluating a company’s IT security, the ratings are misleading and set false incentives for IT departments. The EU should seize the moment and establish its own agency for company cybersecurity ratings that sets the standards and allows companies to trust their suppliers without prohibitive due diligence costs.
Cybersecurity has truly arrived in the boardroom as a high-priority issue, amid escalating ransomware threats and commercial espionage conducted by state-sponsored hackers. A company’s cybersecurity practices are increasingly important to how business partners or insurers perceive it. Following the Equifax breach, Moody’s announced that it would now take cyber risk into consideration when awarding credit ratings. The adoption of the GDPR forced companies to upgrade their data protection policies, which included closer scrutiny of the cybersecurity measures of their suppliers and partners. In other words, whether a company’s IT security is considered to be up to par is increasingly important to its ability to find business partners, buy insurance policies or secure credit from banks. While this is a welcome development, it highlights a major unsolved problem in cybersecurity: the lack of a universally agreed system to assess and rate corporate IT security practices.
State of Play
The current system is based on lengthy questionnaires sent by compliance teams to potential business partners. However, there is no reliable and practical way to check whether the answers provided are correct or complete. Insurers selling cyber insurance face the same problem; often they add a telephone interview with the company’s Chief Information Security Officer (CISO) to the process. Yet, insurance industry insiders will privately admit they feel they are “flying blind” when it comes to assessing the cyber risk of many of the companies they cover. At the top end of the market, re-insurers considering cyber risk policies covering very large sums for major companies will send an auditor to spend a day with the company’s IT team and management. However, this is far too costly a solution for most other purposes.
A number of start-ups have identified this issue and offer a cheap and easy technological solution: so-called “outside-in” ratings agencies promise to provide an accurate and reliable “cyber risk score” for any company without the need to inspect its premises or even talk to its IT team. The basic idea is to scan a company’s internet-facing systems for unpatched software, misconfigured services and other potential entry routes, and to combine the result with a number of other data points to generate a score that is usually modelled on US consumer credit scores (for example, a range from 250 to 900). Companies like BitSight, SecurityScorecard or RiskRecon use different combinations of data – from monitoring online hacker chats to company size – as a proxy for exposure risk and then run bespoke algorithms to create their scores. Some claim to have an edge because their scoring process is supported by sophisticated artificial intelligence, while others claim to have access to more proprietary data sets than their rivals.
While each “cyber risk score” is created in a different way, these companies all claim to provide an accurate assessment of any company’s IT security with a simple click. For businesses, this is an almost-irresistible proposition: an insurer can offer policies without needing to employ expensive cyber specialists to make these judgement calls, and companies can run third-party assessments without sending questionnaires or conducting lengthy discussions. It is no surprise that these agencies are already ubiquitous in the insurance industry and boast of having secured thousands of customers in other industries as well. A company might not be aware that these agencies exist, but a report detailing its “cyber risk score” will still be sold to business partners or competitors.
Cyber Risk Scores: A Useful Tool?
Foreseeing serious issues with this emerging sector, the US Chamber of Commerce persuaded the leading players in the new industry to sign a voluntary pledge in 2017 promising every company the right to see its own rating report and make appeals at no cost. Moreover, the companies promised transparency surrounding the models, data and algorithms they use to create the scores. However, industry sources complain that some agencies have become less and less transparent about how their models work, treating them as commercial secrets. This lack of transparency is a problem: the easy availability and low cost of these “cyber risk scores” are increasingly tempting companies and insurers to rely on them alone when making decisions about prospective business partners or clients. While the tools may be useful as part of a wider cybersecurity audit (for example, raising the alarm about a worrying number of unpatched vulnerabilities), the increasing tendency to use them as the sole data point driving business decisions should concern policymakers and business leaders.
There are two major problems with this trend. First, cyber risk scores provide a very limited view of corporate IT practices – they have been compared to judging the fire risk of a company by looking at a photograph taken from the other side of the street. Second, widely using these products to make important decisions may create false incentives. For example, an IT security department running its own honeypot for threat research purposes would receive a significantly lower score because the rating software would only detect a company computer that was completely exposed without establishing that the exposure was deliberate. Just by switching off the honeypot, the company could increase its cybersecurity score. At the same time, all elements of good IT security practices that cannot be observed electronically from the outside do not influence a company’s risk score one way or the other and may thus fall by the wayside. Therefore, if cyber risk scores created by outside-in ratings agencies become a standard business tool, the job of an IT department will increasingly be to manage how the company’s network appears to the leading rating agencies. A grim parallel would be the way personal credit scores dictate bank customers’ access to credit in the United States, creating a situation where financially literate adults routinely make financial decisions that make no sense on their own solely to improve their personal credit ratings. Tellingly, the Fair Credit Reporting Act, which was meant to curb the worst excesses of this system, was cited by the US Chamber of Commerce as the inspiration for their 2017 “Fair Cybersecurity Ratings” initiative.
These false incentives work in similar ways for company IT security and this is a serious problem. Even IT professionals who fully understand the limitations of these tools and are willing to explain them to the C-suite will face an uphill battle. A CISO telling the board that the rating score is irrelevant and should not be used to guide the work of the IT security team will be up against banks, insurers or potential business partners citing the same low cyber risk score as a reason not to engage in business relationships.
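The honeypot problem described above comes down to a single missing input: the rating agency sees an exposed host but not the internal asset register that explains why it is exposed. The following is an added illustration, not code from the article or from any rating agency, of how an IT team can reconcile an outside-in report against its own register before the score reaches the board. The report and register formats, the severity scale, the scoring arithmetic and the sample findings are all constructed assumptions; the IP addresses come from the RFC 5737 documentation ranges.

```python
"""Triage an outside-in rating report against the internal asset register.

Added example with constructed data. The Finding/Asset formats and the
scoring formula are assumptions, not any real rating agency's schema.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Finding:
    """One observation in an outside-in report: what the scanner saw from the internet."""
    host: str       # IP address the agency observed
    port: int
    issue: str
    severity: int   # 1 (informational) .. 10 (critical), as graded by the agency


@dataclass(frozen=True)
class Asset:
    """One entry in the internal register, which the rating agency never sees."""
    cidr: str
    owner: str
    intentional_exposure: bool = False   # honeypot, bounty target, deliberately open service
    note: str = ""


@dataclass(frozen=True)
class Disposition:
    finding: Finding
    status: str     # "accepted-intentional" | "remediate" | "unknown-asset"
    owner: str
    reason: str


def find_asset(ip: str, register):
    """Return the register entry whose CIDR covers ip, or None if the host is unaccounted for."""
    addr = ipaddress.ip_address(ip)
    for asset in register:
        if addr in ipaddress.ip_network(asset.cidr):
            return asset
    return None


def triage(findings, register):
    """Attach internal context to each external finding.

    Deliberately exposed hosts (honeypots) are accepted rather than "fixed";
    hosts missing from the register are escalated, because an internet-facing
    machine nobody owns is a bigger problem than the specific issue found on it.
    """
    out = []
    for f in findings:
        asset = find_asset(f.host, register)
        if asset is None:
            out.append(Disposition(f, "unknown-asset", "security-ops",
                                   "host not in asset register; possible shadow IT"))
        elif asset.intentional_exposure:
            out.append(Disposition(f, "accepted-intentional", asset.owner,
                                   f"deliberate exposure: {asset.note}"))
        else:
            out.append(Disposition(f, "remediate", asset.owner, f.issue))
    return out


def outside_in_score(findings, base=900, floor=250, weight=20):
    """Toy stand-in for an agency score: every observed issue lowers the number."""
    return max(floor, base - weight * sum(f.severity for f in findings))


def contextual_score(dispositions, base=900, floor=250, weight=20):
    """Same arithmetic, but only findings that actually need action count against you."""
    actionable = [d.finding for d in dispositions if d.status != "accepted-intentional"]
    return max(floor, base - weight * sum(f.severity for f in actionable))


# Constructed sample data; addresses are from the RFC 5737 documentation ranges.
REGISTER = [
    Asset("203.0.113.0/28", "threat-research", True, "research honeypot, logged and isolated"),
    Asset("203.0.113.32/27", "web-platform"),
]

REPORT = [
    Finding("203.0.113.10", 23, "Telnet service exposed", 9),         # honeypot
    Finding("203.0.113.10", 445, "SMBv1 enabled", 8),                 # honeypot
    Finding("203.0.113.50", 443, "TLS 1.0 still offered", 4),         # real web host
    Finding("198.51.100.7", 3389, "RDP exposed to the internet", 9),  # not in register
]


if __name__ == "__main__":
    dispositions = triage(REPORT, REGISTER)
    for d in dispositions:
        print(f"{d.finding.host}:{d.finding.port:<5} {d.status:<21} owner={d.owner:<16} {d.reason}")
    print("outside-in score:", outside_in_score(REPORT))
    print("contextual score:", contextual_score(dispositions))
```

With this data the toy outside-in score is 300, driven mostly by the two honeypot findings; the contextual score, which ignores accepted exposures, is 640. Switching the honeypot off would lift the outside-in score to the same 640 without reducing actual risk at all, which is exactly the false incentive the article describes. Meanwhile the one finding that should worry the CISO, an RDP host that appears in no register, carries the same weight in the agency's number as the deliberately open Telnet port; only the internal context tells them apart.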
The Need for Oversight
Venture capitalists, well aware of the obvious temptations of these products, are anticipating huge growth of the market and are pouring money into companies they believe can become market leaders and set the standards. BitSight, UpGuard and SecurityScorecard have all had successful multi-million dollar funding rounds in the last three years, acquiring the capital necessary to grow their businesses quickly, while Cyence was acquired by Guidewire Software for $275 million. Each company’s goal is to leverage its strong position in the insurance market to establish its product as the industry standard for self-assessment, third-party management, due diligence or banking credit. The companies that come to dominate this market can expect it to be a significant and secure source of income for many years. Thus, the situation today is comparable to that just prior to the rise of the big bond rating agencies in the United States in the 1960s, when Moody’s, S&P and Fitch realised that players in the growing corporate bond market needed easy ways to determine the risk associated with each new issue. Together, they formed an oligopoly, ultimately dominating credit rating globally, as no comparable companies arose in Europe or elsewhere. The 2008 financial crisis and the eurozone debt crisis that followed brought the painful realisation that these ratings companies had immense power over European companies’ and even states’ financial viability but little accountability regarding how they created their scores.
A similar concentration of power can be expected once specific outside-in ratings agencies establish themselves as market leaders in cyber risk scoring. They will be the ones that get to decide what good company IT security looks like, worldwide. While there are European companies trying to gain a foothold in this market, it is unlikely they will be able to compete, in the long run, with those companies favoured by the big investors of Silicon Valley.
Time for an EU Rating Agency?
Since market forces are likely to lead to a concentration of power outside Europe, there are good reasons to support the development of a trusted and secure Digital Single Market by setting up an EU-run Cybersecurity Rating Agency. Such an agency could develop standards and ratings for different company sizes and sectors and prevent complete reliance on outside-in ratings. These efforts should be integrated with and enhance the current efforts at the EU level to develop cybersecurity certification schemes for companies. Once the agency is up and running, regulation requiring all companies to have cybersecurity risk ratings will be much more feasible and straightforward for businesses to comply with. The new agency should seek to benefit from the knowledge and competences assembled at ENISA and EIOPA but must be formally independent of them, with its statute committing it to the goal of creating reliable and cost-effective cybersecurity ratings. Moreover, it should be bound to similar principles for fair ratings as those developed by the US Chamber of Commerce in 2017, such as transparency and an easy appeals process for companies to challenge their rating.
The EU has great ambitions for cybersecurity, promising “paradigm shifts” that will put it “at the centre of society” or establish it as the “digital anchor” of the European project. A European Cybersecurity Rating Agency would offer a great opportunity to transform Europe’s grand ambitions related to cyber sovereignty and a secure Digital Single Market into concrete policy that directly benefits European companies and their customers.
About the Author
Jan Martin Lemnitzer
Jan Martin Lemnitzer teaches cyber security at the Department of Digitalisation, Copenhagen Business School. He holds a PhD from the London School of Economics and was formerly Director of Studies at the Changing Character of War programme, Oxford University and Assistant Professor at the Center for War Studies, University of Southern Denmark. He has published widely on the emergence of global norms from the middle of the 19th century until today. He was co-organiser of the 2018 Odense Cyber Security conference (together with the ECFR) funded by the Danish Tech Ambassador and researches the emergence of cyber norms, national cyber strategies, the potential of cyber security ratings and insurance, and the question of neutrality in cyber space.