Cyber insurers need to tread lightly when using cyber security rating scores — also known as outside-in security-risk assessments — because the data can be skewed and may mislead consumers into believing they’re more protected than they really are, said one cyber insurer.
Cyber security ratings provide an “outside-in” view of a company’s overall cybersecurity posture by giving the client a rating similar to a credit score. Score rating ranges can be expressed by numbers up to 100 or 1,000, or letter grades from A to D, where a higher rating indicates a better security posture.
These rating systems emerged in the early 2000s, said Lindsey Nelson, cyber development leader at CFC Underwriting in a webinar.
“They took off because they took a highly technical area and simplified it for company owners who found a simple score much easier to understand than a long list of strange sounding assets and vulnerabilities.”
But while these cyber ratings have noble goals, they also have potential to prove troublesome for cyber insurers.
“Lots of security professionals still struggle with cyber ratings because they can be misleading, and that’s because the quality of the ratings are completely dependent on the data used to produce them. And that data is often limited,” said Nelson.
For example, if a small company outsources the hosting of their servers to cloud computing providers like Microsoft or Amazon Web Services, the security scan may not be able to detect all parts of the network, Nelson said.
“Our cybersecurity score could be telling us that the client is a 99 out of 100, based on the assets that I can see, but there is a load of assets that it can’t see which may or may not be secure.” This could potentially lead a small business owner into a “false sense of security,” Nelson said.
Conversely, the rating may display a false negative or positive score. “It might release a low score for a company that’s actually got excellent controls, which might raise questions around credibility if it’s not explained properly,” Nelson added.
What’s more, some clients may rely too heavily on their cyber ratings when making business decisions.
“We’ve seen the narrative shift around cyber ratings, [from] ‘this is a tool which can be useful in identifying some of your vulnerabilities,’ to ‘this score is the [ultimate] authority on how secure you as an organization are,’ and…how likely you are to have a claim is dependent solely on this score.’”
To mitigate these problems, cyber insurers need to be upfront with clients about the limitations of cyber ratings.
“We just need to be really careful as a market that we don’t start claiming authority or predicting outcomes based on skewed data sets that we don’t really understand,” said Nelson. “And we need to be totally transparent with customers about what it is that we’re presenting them.”