December 20, 2016

Make the Grade: Security Ratings Coming Soon

FICO security scores could change the data security game.

Fair Isaac Corp. (FICO), the company that issues your credit scores, wants to provide cybersecurity scores for enterprises. The score is meant to provide an independent assessment of enterprise data security, and it is expected to be used by boards of directors and issuers of cyber insurance to assess the risk of breaches.

The concept of a cybersecurity score is a new twist in the trend toward tighter scrutiny of enterprise data security by outside organizations including business partners, regulators, and insurance companies. Insurers would use the score in cyber breach policy writing and portfolio management.

Shifting Responsibility to the Board

Breaches impact many stakeholders beyond the company attacked. That’s why regulators continue to prod enterprises to step up data security and breach recovery.

For example, new rules require that financial clearing houses and payment systems show by June 2017 how their core operations would recover within two hours from a cyberattack. “The aim is to make sure that responsibility for cyber defense rests in the board room and not in the IT department,” according to a Reuters report.

A third-party evaluation of enterprise data security, such as what FICO has in mind, could become a key indicator of a company’s trustworthiness as a business partner.

In healthcare, new HIPAA rules governing patient health records make vendors and contractors subject to the same strict data privacy rules as the healthcare enterprises they serve. Some larger healthcare organizations have used hundreds of IT service contractors, and now all firms dealing with patient data will be responsible for safeguarding it. Healthcare organizations could conceivably look to a vendor’s FICO cybersecurity score as one indicator in choosing which IT consulting firm or cloud service providers to hire.

Measuring Up

FICO’s system examines more than 250 data points from a company’s IT network, including spam traffic and the configuration of servers and routers. Predictive risk models based partially on a database of past security incidents contribute to the enterprise’s security risk score.

Some security experts caution that the rapidly evolving world of hacking makes devising a reliable security scoring system highly problematic. One Forrester researcher pointed out in the Wall Street Journal that the tools and techniques used to monitor cyber risks are new and untested. That may render cybersecurity scores less meaningful than FICO intends, and even enterprises with strong scores could remain vulnerable to attack.

Nevertheless, expect more outside entities to want additional information about how well your enterprise is prepared to prevent cyber breaches. One day, a FICO security score could become as important as your company’s bond rating.
