Security ratings help expose connections that can put organizations at cyber risk

BitSight scores can help companies make data-driven decisions about partners, third-party vendors, insurance


It’s safe to say that the vast majority of companies can, and probably should, be doing a lot more to improve the security posture of their business networks.

What most organizations probably do not realize is that there is an entity paying very close attention to just who is consistently following security best practices—and who isn’t.

Related: A network’s ‘vital signs’ offer insight into security risks

That entity is BitSight Technologies, a six-year-old, Cambridge, Massachusetts, risk assessment vendor that does this by analyzing a variety of sources that monitor which companies regularly update encryption certificates, patch system vulnerabilities in a timely manner, and generally adhere to other best security practices.

Keeping tabs on security

BitSight goes through all of this trouble in order to assign a security rating to each company it reviews. Ranging from 200 to 900, a BitSight security rating is much like a credit score. BitSight has issued security ratings for some 80,000 companies, and is adding 500 more each week.

Why does BitSight do this, and, perhaps more importantly, why should any organization care about a BitSight security rating? Two reasons: third-party partnerships and cyber insurance.

First of all, BitSight’s primary customers are large enterprises that factor security ratings into decisions on which third-party suppliers they will choose to do business with, says Jake Olcott, vice president of business development at BitSight.

“Today, if you’re a first party doing business with a third party, the idea of doing cyber diligence prior to entering into a business relationship is certainly on your mind,” Olcott told me, when we met at the RSA cybersecurity conference recently.

Monitoring business partners

Olcott says “once you’ve decided to enter into that business relationship, you also care about the cybersecurity performance of that third party during the lifetime of the business relationship. That’s really why a lot of folks are using our ratings today—to continuously monitor their critical third parties mostly throughout the lifetime of the business relationship.”

I asked Olcott if third-party suppliers were clued in to this trend, and thus finding themselves compelled to improve their security postures in order to earn higher security ratings.

“We’re absolutely seeing that,” he says. “Organizations want to represent good cybersecurity hygiene to their customers, and one way to do that is by showing a quantitative, objective measurement of their cybersecurity posture.”

The second reason BitSight’s security ratings are gaining traction is because of the rapidly emerging cyber insurance market. Allied Market Research projects that the cyber insurance market is on track to climb to $14 billion by 2022, representing a compound annual growth rate of 28 percent during its forecast period 2016–2022.

Help for insurance companies

Clearly a lot of companies would love to offset rising cyber exposures by purchasing a cyber liability policy. However, cyber risks are unlike any other business risk to come down the pike previously. Cyber risks are complex, constantly evolving and seemingly impossible to quantify. BitSight is in the vanguard of security vendors focused on solving that problem, something that’s necessary for the cyber insurance market to fully reach its bloom.

“Seven of the 10 largest cybersecurity insurance companies are using BitSight ratings to underwrite cybersecurity insurance policies,” Olcott says. “An insurance company will collect information from the applicant about their cybersecurity posture, and also look at a BitSight security rating. Taking those data points together, they will come to a premium assessment for the applicant and issue a policy.”

I asked Olcott to explain how a good vs. poor rating actually affects premium prices and policy coverages. Here’s how he answered:

“I would say a good rating in our system would be 700 and above, and I would look at it this way: An organization that we rate a 500 or lower is actually five times more likely to experience a breach than an organization that we rate a 700 or above. So if you’re an insurance company, it’s not that you wouldn’t underwrite a policy for an organization that is a 500 or lower. It’s that you want to understand the risk that you’re taking. You don’t want your entire book of business to be of companies that are performing below a 500.”

Olcott had a lot more to share. Give a listen to the full podcast accompanying this story.

More stories related to third-party cyber risk:
As threats multiply, cyber insurance and tech security industries start to merge
Challenges and opportunities ahead for cyber insurance industry
New exposures for SMBs spurs new need for cyber liability insurance