New Insurance Cybersec Ratings Service – Experts Views

As reported by the Wall Street Journal this week, Insurers Creating a Consumer Ratings Service for Cybersecurity Industry. The collaborative effort, led by Marsh & McLennan, would score the products best at reducing hacking risk: some of the world’s biggest insurers plan to work together on an assessment of the best cybersecurity available to businesses, an unusual collaboration that highlights the rising dangers posed by digital hackers. The program, which was launched Tuesday, will evaluate cybersecurity software and technology sold to businesses. Participating insurers will individually size up the offerings; Marsh will collate their scores and identify the products and services considered effective in reducing cyber risk. The results will be available to the public on Marsh’s U.S. website.

Matan Or-El, CEO & Co-founder at Panorays:

“We applaud this new initiative taken by the insurance industry. Such an initiative should be a win-win situation for all. Customers will need to up their cyber security program, thus reducing their cyber risk to attacks, while cyber insurers will process fewer claims due to the higher standard of security.

That said, there will undoubtedly be bumps along the way to assessing the cyber security technologies, from the time it takes to evaluate the thousands of existing technologies, and new ones as they are introduced to market, to the testing methodology around each technology. To ensure that this initiative gets off the ground and becomes effective, enforcing the collaboration between the insurers is mandatory. Second, keeping up to date with the ever-evolving threatscape is necessary to determine the efficacy of products against new threats. This means that traditional and well-established technologies must be evaluated in a similar manner as innovative technologies that address the newer challenges. Third, the assessment process must be able to scale to accommodate the evaluation of thousands of cyber security products.”

Jonathan Deveaux, Head of Enterprise Data Protection at comforte AG:

“Research and analyst firms already provide some sort of rating system for the cybersecurity industry. Gartner uses the ‘Magic Quadrant,’ KuppingerCole uses the ‘Leadership Compass,’ and Forrester uses the ‘New Wave’ rating system. Now, with global insurers collaborating on a rating system, this leaves a lot of open questions on how this could impact organizations today.

When it comes to evaluating cybersecurity products, what approach would this collaborative effort by global insurers undertake? There are hundreds of products and solutions available which offer various ways to approach cybersecurity. Some solutions are more effective than others in terms of what the solution does and where it actually secures.

For example, under the general category of “data security,” the data protection methods vary when it comes to actually securing the data. Security professionals today know about Encryption, Tokenization, and Data Masking (both dynamic and static), all of which provide various ways to protect, de-identify, anonymize, or pseudonymize data.

Also under the general category of “data security,” some solutions secure access to the data, rather than provide the protection mechanisms to the data itself. These are commonly known as Identity Access Management (IAM) or Privileged Access Management (PAM) solutions, which enable or restrict users from accessing data based on policies, defined roles, “need-to-know,” and other requirements.

In addition to products, there are also frameworks and regulations around data security compliance (such as NIST, PCI DSS, HITECH, CCPA, and more) that provide guidance to organizations on how to approach data security as a whole with strict consideration to governance, internal policy, detection, prevention, and response.

In terms of cybersecurity insurance, take this scenario for example: if Company X follows their insurance company’s rating system, and still suffers a data incident which fails to meet GDPR requirements, what coverage will the insurance company meet? Will the GDPR fine of up to 4% of annual revenue be covered and paid by the insurance company?

At the end of the day, from a consumer point of view, we want to know that companies are securing our data, and ensuring our data privacy in the best way possible. It is hoped that a collaborative rating system leads to this result, because one thing is for sure… cyber attackers and bad actors don’t care about rating systems.”