Email Security

    Cybersecurity Rating Services Score Supply Chain Risk

    A growing market sector helps companies assess business partners’ cyber resilience and vulnerabilities.

    by Karen Lynch

    Key Points

    • Cybersecurity ratings do for security what credit ratings do for finance.
    • They can externally assess the cyber vulnerabilities of any company large or small.
    • Supply chain risk management is their biggest application.

    Cybersecurity ratings are poised to take their place beside credit ratings as credentials for doing business in the digital economy. Much like Moody’s, Fitch and Standard & Poor’s rate corporate financial risk, cybersecurity rating services are emerging that score companies’ security risk profiles. The comparison is particularly apt because both types of risk can jeopardize a company’s prospects and drag down anyone doing business with it.

    Based on a company’s cybersecurity rating, it may be viewed as a more or less attractive supplier, customer, acquisition target or insurance policy holder. Security professionals also use the ratings day to day to monitor their own companies’ risk profiles and those of their supply chain partners.

    The cybersecurity rating market is still going through some growing pains, according to global market researcher Forrester, which cites uneven performance among the seven leading rating services in such areas as accuracy, transparency and integration with other IT management platforms.[1] Meanwhile, Gartner has concluded, “Security and risk management leaders should leverage security rating services to provide continuous, real-time scoring for internal assessments, procurement, partnerships and M&A activities.”[2]

    To explain cybersecurity ratings, we interviewed Alex Rich, vice president of marketplace business development at SecurityScorecard, one of the leading rating services and a Mimecast partner.[3]

    Rating Security From the Outside-In

    Cybersecurity ratings can provide an outside-in perspective on any company’s cyber vulnerabilities, Rich said. Businesses use them to assess companies that might have an impact on their bottom line, from customers to competitors. The ratings are also used to complement the internal monitoring of their own security operations.

    Businesses that license these services can choose which companies they want regular reports on, including their own. SecurityScorecard alone rates 1.5 million companies, providing a continuous flow of scores along with identification of specific issues and recommendations for addressing them.

    Cybersecurity rating services use a combination of global internet sensors, open source intelligence feeds, software vulnerability databases and other tools and methods to analyze companies’ security defenses and their exposures. They measure factors such as the quality of application, endpoint and network security, as well as activities like software patching.[4] At SecurityScorecard, collecting and running these data points through its algorithms can produce a score for any newly selected company within 10 minutes. 

    Using Rating Services: A Case in Point

    Say, for example, that a company’s procedure for patching software vulnerabilities is falling short. A cybersecurity rating service would see that company’s open vulnerabilities on the internet and, over time, tally how often and for how long vulnerable software remains unpatched. This data could show whether the company demonstrates poor cyber hygiene and the risk of cyberattack, noncompliance with security regulations and other issues.

    A business that has licensed the rating service for some or all of its suppliers might take the next step of integrating it into its third-party risk management platform. In this case, if a supplier’s rating falls below a “C,” the platform might automatically send the supplier an alert or even temporarily cut the supplier off from the licensee’s network. An overall rating of “C” would make the supplier 4.3 times more likely to experience a breach, according to SecurityScorecard’s scale, and an “F” would multiply the likelihood by 7.7.

    Ratings Contribute to Supply Chain Visibility

    The supply chain example above represents one of the most prevalent uses for security ratings. And for good reason: As supply chain attacks have captured headlines across the world, the European Union Agency for Cybersecurity (ENISA) estimated they have quadrupled in 2021.[5] 

    Supply chains often share network access and sensitive data. “This creates a dynamic where, for all intents and purposes, suppliers become extensions of your attack perimeter,” Rich said. But while a security team may have good visibility and control over their company’s own networks and devices, they usually can’t monitor or control their suppliers’.

    Cybercriminals often attack weakly defended companies in supply chains to ultimately reach bigger targets. Nearly two-thirds of supply chain attacks exploit the trust of customers in their suppliers, ENISA said. To manage supply chain cybersecurity risk, ENISA recommends monitoring outside-in as well as inside-out. 

    Both buyers and vendors in supply chains use cybersecurity ratings. While big buyers keep track of suppliers this way, vendors also use the ratings to help win business.

    Reporting Ratings to Insurers, Regulators, Board Members

    Cybersecurity ratings are used in contexts beyond the supply chain and self-monitoring scenarios above, including:

    • Cyber insurance: Used by insurers to determine coverage and premiums.
    • Competitive benchmarking: Helps establish reputation.
    • M&As: Supports due diligence on acquisition targets.
    • Compliance: Provides third-party validation to regulators.
    • Board reporting: Supports CISOs’ communications with senior management and boards of directors.

    The Bottom Line

    The emerging cybersecurity rating services market is serving a growing number of companies in several situations, whether they’re seeking to determine the resilience of an M&A target or just getting an external assessment of their own cybersecurity systems. The most prevalent use is for better visibility of vulnerabilities in the supply chain, where cybercriminals often attack smaller vendors to reach bigger targets.

    [1]Cybersecurity Risk Ratings Platforms, Q1 2021,” Forrester

    [2]Innovation Insight for Security Rating Services,” Gartner

    [3]SecurityScorecard and Mimecast Have Partnered,” SecurityScorecard

    [4]A Deep Dive in Scoring Methodology,” SecurityScorecard

    [5]Understanding the Increase in Supply Chain Security Attacks,” European Agency for Cybersecurity

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Haut de la page