What’s your cybersecurity rating? (You may have one you don’t know about)

by Mark Parsley

Published: 13 July 2017

The ratings question for corporates has, until now, been whether the time and money required to obtain a credit rating, translates into worthwhile savings on funding costs. Although unsolicited ratings exist, most companies never have to worry about discovering that someone has called their stability or competence out without their input.

This is why unsolicited cybersecurity ratings are starting to cause such a stir in the US – and lately in Europe too. A number of well-funded start-ups have sprung up which use automated data collection and penetration testing to create profiles of the public-facing elements of corporate networks. From these profiles, companies such as BitSights, SecurityScorecard, RiskRecon, Cyence, Corax and Quadmetrics, generate scores – and in some cases probabilities of loss – as cybersecurity assessments. In response, the US Chamber of Commerce and more than two dozen U.S. companies, including several big banks have teamed up to establish shared principles that would allow them to better understand their cyber security ratings and to challenge them if necessary. The companies behind the initiative include JPMorgan, Goldman Sachs, Morgan Stanley, Starbucks, Aetna, Home Depot, Microsoft and Verizon.

The USCC and the companies have developed their “Principles for Fair and Accurate Security Ratings” to “Promote quality and accuracy in the production of security ratings, promote fairness in reporting, include a coordinated process for adjudicating errors or inaccuracies in reported content and establish guidelines for appropriate use and disclosure of the scores and ratings.” The companies worry that the lack of transparency in the methodologies of the ratings companies “create[s the] risks of producing ratings that can potentially be inaccurate, irrelevant or incomplete” and they demand “rating companies should provide validation of their rating methodologies and historical performance of their models.” These demands are interesting given that it is a lack of transparency on cybersecurity from corporates themselves that has led to the creation of the ratings firms. Institutional investors have long been calling for better cybersecurity disclosure. UK fund manager Legal & General Investment Management has called for compulsory cyber audits to be introduced and wants companies to identify and monitor information assets as a strategic issue; document the management of the risk through an audit; and make sure awareness of cyber risk was embedded in the culture of the company.

In the US, the Council of Institutional Investors (CII) has created a roadmap for future shareholder engagement on cybersecurity and laid out five critical questions that investors should be asking board members regarding their company’s cybersecurity practices. Companies have not, in general, responded to these concerns. For example, only 5% of FTSE 100 companies have disclosed having a Director responsible for cyber risks. In the meantime insurers are using these unsolicited ratings when pricing cyber risk insurance policies and banks are using them as part of the vetting process in M&A transactions: No-one wants to overpay for a target whose customer data or intellectual property has been stolen. Yes, there are questions about the quality of the ratings. One UK company spoken to by EuroFinance had spent “days” arguing with one of the raters over what it believed were errors and methodological problems that rendered the final rating meaningless. But then again they requested anonymity and the company releases no public information about its cybersecurity practices.

Until companies realise that cybersecurity is a core part of governance, as well as a core variable affecting financial value, and are transparent about their approach – the unsolicited ratings will prosper. For treasurers they may have a bigger impact on funding and deal-making than old-fashioned credit.