Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Insurance Companies Working Together to Offer Cybersecurity Ratings

April 2, 2019

SC Magazine reported on March 29th that some of the world’s largest insurers have set out to create a consumer ratings service for the cybersecurity industry.

The initiative, launched March 26th, is to be led by Marsh & McLennan. It will attempt to score the best products for reducing hacking risks and will create an assessment of the best cybersecurity offerings available to businesses, according to the Wall Street Journal (sub.req.).

The firm will collect and combine scores from participating insurers and will ultimately identify and rate products, offerings and services they believe will be effective in reducing cyber risks. The results will be publicly available on the firm’s website.

Not all researchers were on board with the initiative. Jonathan Deveaux, head of enterprise data protection at comforte AG, expressed concern, pointing out that research analyst firms already provide some sort of rating system for the cybersecurity industry and that adding another rating system could affect companies.

“Gartner uses the ‘Magic Quadrant,’ KuppingerCole uses the ‘Leadership Compass,’ and Forrester uses the ‘New Wave’ rating system,” Deveaux said. “Now, with global insurers collaborating on a rating system, this leaves a lot of open questions on how this could impact organizations today.”

Deveaux added that there are hundreds of products and solutions available which offer various ways to approach cybersecurity and that some solutions are more effective than others in terms of what the solution does and what it actually secures.

“For example, under the general category of ‘data security,’ the data protection methods vary when it comes to actually securing the data – security professionals today know about Encryption, Tokenization, Data Masking (both dynamic and static) – all of which provide various ways to protect, de-identify, anonymize, or pseudonymize data,” Deveaux said.

There are also frameworks and regulations concerning data security compliance that provide guidance to organizations on how to approach data security concerning governance, internal policy, detection, prevention and response, Deveaux added.

The rating system also raises the question of what will happen if a company follows the system and still suffers a data incident which fails to meet GDPR requirements, he said.

Something about this story doesn't sit right with me. As a friend noted, everyone is rushing to get a piece of the cybersecurity gold mine. For now, I'll stick with the tried and true ratings systems.

Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson