Public outrage over major data losses once served as a powerful incentive for companies to get cybersecurity right. Now, a steady drumbeat of major data losses has made consumers numb. However, major breaches — and the resulting fines — could still wipe out a business.
In response, investment ratings service Moody’s recently announced that it would start building cybersecurity risk into credit ratings, likening the dangers of a major breach to those of an earthquake, hurricane, or natural disaster — material events that could curtail or end a company’s operations.
The development could not come at a better time, and it is crucial that Moody’s gets it right. The accuracy and efficacy of Moody’s ratings will hinge on the types and sources of data behind them.
Two sources of truth
The key for Moody’s is to create a system that gathers comprehensive and reliable data to inform the public, including data from companies directly and from external sources.
There are two ways to get that information. The first is to turn to third-party vendors that perform assessments of cyber hygiene externally. These companies tend to rely on publicly observable information, such as open and unprotected ports, DNS flaws, the amount of botnet traffic leaking data from the inside, SSL certificate issues, and whether there are any publicly known vulnerabilities on web and app servers. All of this can be gathered without input or assistance from the company being rated.
The second class of information is a company’s own data. This is the information the company gathers through internal scanners and other tools, and will likely offer the most thorough and complete view of a company’s posture – like verified operating system vulnerabilities, misconfigurations, widespread use of default passwords, and unauthenticated services. Moody’s must use both.
Potential pitfalls in rating cyber risk
External data will be more valuable for some companies than others. A large chain of retailers, for example, with a robust consumer web presence and a large network of cash registers feeding data into a corporate headquarters will tend to have a larger attack surface.
In an ideal world, Moody’s would be able to demand whatever internal data it needed as part of its scope of work. Companies that offer cyber insurance, for example, have this type of leverage when a company wants to secure a policy.
In reality, there’s no guarantee that a company will provide a complete picture of its operations. A company could, perhaps reasonably, deny Moody’s access to some information because of its own security concerns.
Yet gaps in one can be filled with insights from the other. External data provides coverage for a crucial segment of the company’s network and acts as a check on the possibility that the company isn’t providing comprehensive information. The internal data serves as the detailed information that external sources can’t know.
The next challenge for Moody’s will be to weave these sources of data — most of which will come from different vendors with formatting and data definitions that aren’t consistent — into a coherent ratings system that is meaningful across a wide array of industries.
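As an added illustration (not code from the article, from Moody’s, or from any rating vendor), here is a small Python sketch of the integration problem just described: two vendor feeds with different keys, label vocabularies and severity scales are mapped onto one shared schema, hosts that the external feed sees but the company’s own data never mentions are flagged as the coverage check the previous paragraphs call for, and a simple composite score is derived. The feed formats, hostnames, category mapping, severity scale and scoring rule are all assumptions constructed for this example.

```python
"""
Illustrative merge of an outside-in cyber-hygiene feed with an inside-out
scanner export into one schema, with a coverage cross-check and a simple
composite score.  Feed formats, category mappings and the scoring rule are
constructed for this example; they are not any vendor's or Moody's method.
"""
from dataclasses import dataclass
from statistics import mean

# Constructed sample of an external (outside-in) vendor feed.
EXTERNAL_FEED = [
    {"host": "www.example-retail.test", "issue": "OPEN_PORT", "detail": "3389/tcp", "sev": "high"},
    {"host": "www.example-retail.test", "issue": "CERT_EXPIRED", "detail": "expired", "sev": "medium"},
    {"host": "mail.example-retail.test", "issue": "KNOWN_VULN", "detail": "CVE-XXXX-PLACEHOLDER", "sev": "critical"},
    {"host": "legacy.example-retail.test", "issue": "OPEN_PORT", "detail": "23/tcp", "sev": "high"},
]

# Constructed sample of an internal (authenticated scanner) export; note the
# different keys, label vocabulary and numeric rather than textual severity.
INTERNAL_FEED = [
    {"asset": "srv-001", "fqdn": "www.example-retail.test", "finding": "os_patch_missing", "score": 7.5},
    {"asset": "srv-001", "fqdn": "www.example-retail.test", "finding": "default_credentials", "score": 9.8},
    {"asset": "srv-002", "fqdn": "mail.example-retail.test", "finding": "unauthenticated_service", "score": 6.0},
    {"asset": "srv-003", "fqdn": "pos-gateway.internal", "finding": "misconfiguration", "score": 4.0},
]

# Shared vocabulary both feeds are mapped onto (assumed here, not a standard).
EXTERNAL_CATEGORY = {
    "OPEN_PORT": "exposed_service", "CERT_EXPIRED": "tls", "DNS_FLAW": "dns",
    "KNOWN_VULN": "vulnerability", "BOTNET_TRAFFIC": "compromise_indicator",
}
EXTERNAL_SEVERITY = {"low": 2.0, "medium": 5.0, "high": 7.5, "critical": 9.5}
INTERNAL_CATEGORY = {
    "os_patch_missing": "vulnerability", "default_credentials": "weak_auth",
    "unauthenticated_service": "exposed_service", "misconfiguration": "misconfiguration",
}


@dataclass(frozen=True)
class Finding:
    host: str
    source: str      # "external" or "internal"
    category: str    # normalized category from the shared vocabulary
    severity: float  # normalized to a 0-10 scale


def normalize_external(feed):
    """Map the external vendor's labels and textual severities onto the shared schema."""
    out = []
    for row in feed:
        category = EXTERNAL_CATEGORY.get(row["issue"], "other")
        severity = EXTERNAL_SEVERITY.get(row["sev"].lower(), 0.0)
        out.append(Finding(row["host"].lower(), "external", category, severity))
    return out


def normalize_internal(feed):
    """Map the internal scanner's labels onto the shared schema; clamp scores to 0-10."""
    out = []
    for row in feed:
        category = INTERNAL_CATEGORY.get(row["finding"], "other")
        severity = max(0.0, min(10.0, float(row["score"])))
        out.append(Finding(row["fqdn"].lower(), "internal", category, severity))
    return out


def coverage_gaps(findings):
    """Hosts the outside-in feed sees that the company's own data never mentions.

    These are the places where internal reporting may be incomplete and
    deserve a follow-up question rather than a silent pass.
    """
    external_hosts = {f.host for f in findings if f.source == "external"}
    internal_hosts = {f.host for f in findings if f.source == "internal"}
    return sorted(external_hosts - internal_hosts)


def composite_score(findings):
    """Per-host worst finding, averaged across every host either feed knows about."""
    worst = {}
    for f in findings:
        worst[f.host] = max(worst.get(f.host, 0.0), f.severity)
    per_host = dict(sorted(worst.items()))
    score = round(mean(per_host.values()), 2) if per_host else 0.0
    return {"score": score, "per_host": per_host, "gaps": coverage_gaps(findings)}


if __name__ == "__main__":
    merged = normalize_external(EXTERNAL_FEED) + normalize_internal(INTERNAL_FEED)
    report = composite_score(merged)
    print(f"composite score: {report['score']}/10")
    for host, sev in report["per_host"].items():
        print(f"  {host:30s} worst finding {sev:4.1f}")
    if report["gaps"]:
        print("hosts seen externally but absent from internal data:", ", ".join(report["gaps"]))
```

The design point is that normalization happens before any scoring: once both feeds speak the same vocabulary and scale, the coverage check becomes a simple set difference, and a host the external vendor sees but the company’s inventory omits (here the constructed `legacy.example-retail.test`) surfaces as a question to put back to the company rather than disappearing into an average.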
Don’t forget about ground truth
These various sources must view data through the lens of the facts on the ground. Moody’s must develop an understanding of the security environment as a whole and the environment at any given time, asking the right questions to apply ratings within the proper context.
For example, let’s say there is a breach. What were the root causes and points of entry at the firm and at other firms that experienced a similar breach? How did the attack go from incident to breach? What lack of controls led to the impact of the breach? These answers can come from forensics firms, FOIA requests, and public reports such as the recently issued House Oversight report on the Equifax Data Breach, which Moody’s will also need to pull in to accurately apply any sort of rating system.
The coming breach fatigue
The quality of the information Moody’s obtains will have a direct impact on the quality of its ratings. If Moody’s can build a platform that integrates the data of the internal and external vendors, it will be able to build a credible rating much faster.
It could not come at a more fortuitous time. We’re rapidly approaching a time when the constant cadence of major breaches has ceased to shock. Public outrage over a breach — or fear of it — tended to influence corporate behavior. If the public is no longer outraged, what’s to keep companies in line?
Done right, Moody’s ratings have a significant chance of filling that gap. It just needs the right data to do it.