Rating the Cybersecurity Rating Firms: How Accurate Are They?

September 6, 2017 by Russ Banham

In just a few years, a growing crop of cybersecurity ratings firms has sprouted to assess how vulnerable businesses are to cyber attacks, scoring them on a scale from good to bad. Key markets for these firms are insurance carriers and brokers, each using the ratings for different reasons.

Executive Summary

Cybersecurity rating firms are helping insurance buyers and sellers gauge the relative risks between companies. But while the ratings firms collect and analyze large swaths of cybersecurity data to score companies, the particular technology and processes to do this work are still proprietary, leading some users and analysts to proceed with caution.

The insurance sector has long been eager to get a more refined sense of cyber risk on an industry-by-industry basis so that it can underwrite the exposure more precisely. The challenge has been the paucity of data: cyber attacks are a relatively new phenomenon, and the types of incidents evolve faster than the ability to predict the next one. This makes it hard to get a clear and confident sense of the potential financial losses that would put insurer capital at risk.

Consequently, insurers have been wary about underwriting cyber risk policies with broad coverage terms and conditions. The complexity of the threat is so large and unwieldy that insurers struggle in modeling and quantifying potential loss frequency and severity. That’s where the cyber risk rating firms enter the picture.