The Equifax case, named after the American credit risk company that was recently the subject of a massive data leak, is a good case study to illustrate this subject. The first reason for this is its sheer scale: Potentially affecting 140 million customers, with a -20.7 drop in stock value in 2 trading sessions, more than 30 proceedings brought before the courts, etc. The second reason is the very basic nature of its causes: A web application that had still not been ‘patched’ more than 2 months after the update had been released. The third reason is the company’s catastrophic crisis management: 6 weeks for notification of the leak to be issued; vulnerability of the very website that allowed users to check whether their data had been affected; and an attempt to buy customers’ silence in exchange for a free product. The fourth and final reason is that this case sheds new light on the principle of cybersecurity ratings. Not long before, one of America’s leading ratings agencies, BitSight, had awarded Equifax an F for its application security and a D for its patching responsiveness. The leaked rating report – a good piece of publicity for BitSight – thus offered post-mortem confirmation of the usefulness and effectiveness of cybersecurity ratings.
The ratings boom
The use of ratings, which began in the financial sector, is gradually being extended to all kinds of areas: Social and environmental responsibility, human resource management, ethical and financial compliance, and now cybersecurity. Like ‘compliance’, it is the product of globalisation and deregulation. In order to compensate for the lower effectiveness of national rules and the absence of genuine supranational regulation, it aims to recreate trust between market players through de facto standards, the authority of which derives mainly from industry recognition. This, coupled with the explosion of ‘cyber’ risks (defined in the insurance field as IT events due to error or malicious intent and resulting in intangible damage to an organisation’s assets), which are transnational by definition, explains the logical extension of ratings to the cybersecurity sector, first in the United States and now in Europe. The field is even attracting the attention of the American market and investment funds, judging from the size of the funds secured (49 million USD for BitSight in 2016, 29 million USD for CyberGRX in 2016) and the rapid growth of companies. The market is currently shared by a handful of American companies: BitSight, CyberGRX, SecurityScorecard, FICO (a credit risk company that bought up QuadMetrics in 2016), RiskRecon, UpGuard and iTrust (the US company and not the French company with the same name).
How does it work?
The principle of cybersecurity ratings is simple: To offer an external, automatic and independent rating solution based on a measurement standard, using only information that is freely accessible from outside the company and without requiring its consent. This includes examining web application vulnerabilities, the reputation of corporate IP addresses, DNS configurations, the quality of SSL certificates and their configuration, the rate at which web servers are updated, and information about the company leaked on the dark web. Together, this data makes it possible to compute a rating representing the organisation’s level of security and to track it over time. BitSight thus gives an overall score ranging from 250 to 900, and a grade from A to F for each of the points examined, with indicators grouped around the 5 security functions identified by the NIST reference tool (identify, protect, detect, respond, recover).
How are ratings used and for what benefits?
- Monitoring and improving performance. Although ratings cannot replace a ‘risk-focused’ approach combining internal and external audits, they can nevertheless make a real contribution to operational planning for long-term performance monitoring and improvement. In order to do so, they must be detailed and easy to explain. At a more strategic level, ratings also provide information systems security managers with useful indicators to present to their executive committees. Surely all information systems security managers must have dreamed of possessing simple, objective indicators to compare their company with competitors, justify budget requests and bring out the value of their work!
- Managing supplier risk. With the advent of extended enterprises and the development of cloud computing, the value chain is increasingly fragmented, with all the risks that this entails. For instance, it is estimated that 63% of information leaks involve subcontractors. The role of the air conditioning provider in the Target case is a good example of this. The European General Data Protection Regulation and its principle of accountability indicate that this will be a growing function, and one that should sustain the ratings market in the long term.
- Assessing risk upstream of cyber insurance underwriting. Insuring against cyber risks is difficult, since such risks are hard to model, geographically dispersed, and associated with non-linear accumulation. Furthermore, the existing data is scattered and, above all, not widely shared. Being able to access ratings before underwriting would thus be a boost for the cyber insurance market (see the white paper on this by the ParisTech Telecoms Alumni Association).
- Evaluating a target in an M&A process.
- Evaluating a business sector’s level of maturity.
- Evaluating a country’s level of security. For the last few months, BitSight has thus been offering a ‘sovereign rating’, based on the ratings of a country’s main companies and public agencies.
What are the limitations?
While it is true that ratings offer real benefits for companies, it is nevertheless important to be aware of their limitations. Ratings can only be of practical use if they are developed through a transparent and explainable process in terms of the data collected, the weightings used and the indicators. A ‘black box’ score would be of no use at all. Another limitation is the fact that these scores are generally limited to externally observable data, with a restricted number of indicators. Processes and behaviours are therefore not taken into account. In addition, these ratings are mainly developed from an analysis of the company’s vulnerabilities. Threats, i.e. the internal or external context, are not taken into account. Finally, useful and meaningful comparisons can only be made between comparable organisations (in terms of business sector, area of exposure, size, etc.). Ratings must therefore adhere to a certain number of principles. To address this issue, some 40 major American companies met with the leading cybersecurity rating agencies in July 2017 and agreed upon a series of principles and best practices. These include transparency, conflict management through a mediation system, independence and confidentiality. After BitSight’s report on Equifax was leaked to the media, this last point raises a debate: Should a company’s rating be public? It is, indeed, difficult to conceive of it remaining confidential for long, given the viral dimension of the phenomenon. Companies that achieve good ratings may even see an interest in bringing their security commitments to the fore, which would have a positive effect on overall security levels. There is nevertheless a real confidentiality risk here, not so much with regard to the ratings themselves as to the technical information used to determine them. Although this information is freely available, its concentration in a single point potentially provides any hackers gaining access to it with a way of mapping all the sensitive points of a company, or even a country.
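As an added example (not material from the page, and not the scoring model of BitSight or any other rating agency), here is a small Python rating function in the spirit of the ‘How does it work?’ section and of the transparency requirement just discussed: it turns externally observable indicators into per-indicator grades, NIST-function grades and a 250-to-900 score, and reports which indicators cost the most points, so that the result is explainable rather than a ‘black box’. The indicator set, thresholds, weights and the sample observations are all constructed assumptions for the illustration.

```python
"""Transparent, explainable cybersecurity rating from externally observable
indicators.  Added illustration: the indicator set, bands, weights and the
sample observations are assumptions, not any real agency's model."""
from dataclasses import dataclass
from math import inf

NIST_FUNCTIONS = ("identify", "protect", "detect", "respond", "recover")
GRADE_POINTS = {"A": 100, "B": 80, "C": 60, "D": 40, "F": 0}  # points per letter
SCORE_MIN, SCORE_MAX = 250, 900
SPAN = SCORE_MAX - SCORE_MIN


@dataclass(frozen=True)
class Indicator:
    name: str        # what is measured from outside the company
    function: str    # NIST function the indicator is grouped under
    weight: int      # share of the overall score, in percent (weights sum to 100)
    bands: tuple     # ((upper bound inclusive, letter), ...) ascending; lower is better


# Assumed indicator set: each observation is a count or a number of days.
INDICATORS = (
    Indicator("patching_lag_days", "protect", 30, ((7, "A"), (30, "B"), (60, "C"), (90, "D"), (inf, "F"))),
    Indicator("webapp_high_findings", "protect", 25, ((0, "A"), (1, "B"), (3, "C"), (5, "D"), (inf, "F"))),
    Indicator("tls_config_issues", "protect", 15, ((0, "A"), (1, "B"), (2, "C"), (4, "D"), (inf, "F"))),
    Indicator("ip_reputation_hits", "detect", 15, ((0, "A"), (1, "B"), (3, "C"), (5, "D"), (inf, "F"))),
    Indicator("dns_misconfigurations", "identify", 10, ((0, "A"), (1, "B"), (2, "C"), (3, "D"), (inf, "F"))),
    Indicator("leaked_credentials", "respond", 5, ((0, "A"), (5, "B"), (20, "C"), (100, "D"), (inf, "F"))),
)
assert sum(i.weight for i in INDICATORS) == 100


@dataclass(frozen=True)
class Rating:
    score: int              # overall score on the 250-900 scale
    indicator_grades: dict  # indicator name -> letter
    function_grades: dict   # NIST function -> letter, or None if nothing observable
    drivers: list           # (indicator, letter, score points lost), worst first


def grade_indicator(ind, value):
    """Map an observed value onto the indicator's letter bands."""
    for upper, letter in ind.bands:
        if value <= upper:
            return letter
    return "F"  # unreachable: the last band is open-ended


def letter_for_points(points):
    """Map an average 0-100 point value back onto a letter."""
    for floor_, letter in ((90, "A"), (70, "B"), (50, "C"), (30, "D")):
        if points >= floor_:
            return letter
    return "F"


def rate(observations):
    """Compute the score and the explanation of how each indicator contributed."""
    missing = [i.name for i in INDICATORS if i.name not in observations]
    if missing:
        raise ValueError(f"unobserved indicators: {missing}")
    indicator_grades, drivers, weighted = {}, [], 0
    by_function = {f: [0, 0] for f in NIST_FUNCTIONS}  # [weighted points, weight]
    for ind in INDICATORS:
        letter = grade_indicator(ind, observations[ind.name])
        pts = GRADE_POINTS[letter]
        indicator_grades[ind.name] = letter
        weighted += ind.weight * pts                      # out of 10000
        by_function[ind.function][0] += ind.weight * pts
        by_function[ind.function][1] += ind.weight
        drivers.append((ind.name, letter, ind.weight * (100 - pts) * SPAN / 10000))
    score = SCORE_MIN + SPAN * weighted // 10000         # integer arithmetic, floor
    function_grades = {f: (letter_for_points(wp // w) if w else None)
                       for f, (wp, w) in by_function.items()}
    drivers.sort(key=lambda d: d[2], reverse=True)
    return Rating(score, indicator_grades, function_grades, drivers)


def explain(rating):
    """Human-readable breakdown: the transparency a usable rating requires."""
    lines = [f"overall score: {rating.score} ({SCORE_MIN}-{SCORE_MAX})"]
    lines += [f"  {f}: {g or 'not externally observable'}" for f, g in rating.function_grades.items()]
    lines += [f"  {name}: {letter}, {lost:.1f} points lost" for name, letter, lost in rating.drivers]
    return lines


# Constructed observations for a fictitious company (sample data, not a real organisation).
SAMPLE_OBSERVATIONS = {
    "patching_lag_days": 75, "webapp_high_findings": 2, "tls_config_issues": 0,
    "ip_reputation_hits": 1, "dns_misconfigurations": 0, "leaked_credentials": 12,
}

if __name__ == "__main__":
    print("\n".join(explain(rate(SAMPLE_OBSERVATIONS))))
```

Running the block prints the overall score, one letter per NIST function (with ‘recover’ flagged as not externally observable, since no outside indicator covers it in this assumed set), and the indicators ordered by the points they cost; that last list is what lets a security manager turn the rating into an action plan instead of a number.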
What are the risks?
This technical challenge is coupled with a major sovereignty challenge, given the American oligopoly that has been established over the last three years. We are reminded of a quote from the 1970s: “There are only two powers capable of destroying a country’s economy: the American air force, with a carpet of bombs… and Moody’s degrading its rating.” Indeed, although the bad debt crisis has somewhat undermined the credibility of the financial agencies, their normative power remains very real. The same can be said of cybersecurity: These ratings could be manipulated for political and financial reasons, to favour a particular company bidding for a contract, undermine the value of a company in an M&A operation, play down a country’s economic attractiveness, etc. The lack of European agencies thus means that cybersecurity ratings could become a new tool to further America’s commercial dominance, much like the Foreign Corrupt Practices Act (FCPA) of 1977, which has gradually become the universal standard for ethical and financial compliance. It is thus important for Europe to quickly get a handle on this issue and create a European ratings standard, so as not to depend solely on American agencies. In this respect, a new agency, CyRating, has just been set up in France, with resolutely European ambitions.