Is Your Organization Ready for a Moody’s Rating?

Recently, Moody’s Investors Service announced that the credit implications associated with cyber risk could begin to take a higher priority within its credit analysis program.

DatumSec is a fan of the direction Moody’s is taking with this action.

However, the need for cyber risk assessments and cyber risk scoring goes well beyond the decision to lend money; the risk of operational outages and the loss of sensitive data due to cyber attacks and insider threats can travel deep and wide throughout the entire supply chain.

While a cyber risk score could, and perhaps should, be a component of a much larger risk scoring system, every organization should have its own cyber risk score. That score can be shared with business partners who are more concerned about the safety of their information systems and their data than about their vendor's credit worthiness.

A proper security posture is as important today as the financial health of a company was yesterday.
— Jonathan Niednagel, Datum Security CEO

These are the key requirements for a scalable 3rd-party risk scoring system:

  • The assessments must consistently look at how a company defines their security policies, enforces them, and operates within those boundaries

  • The assessment results must respect the 3rd-party vendors’ privacy, redacting sensitive information not appropriate for the business partner to see

  • The cost and effort associated with the assessments must not outweigh the value of receiving a risk score

  • The assessment results and resulting risk score must provide enough information for the business partner to make an informed decision

  • The risk scoring system must support the collection and analysis of tens of thousands of 3rd-party vendor assessments

  • The risk scoring system must support customizable risk baselines so companies can easily compare the status of each 3rd-party vendor
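As an added illustration of those requirements, here is a small Python model of a vendor risk score (this is example code written for this page, not DatumSec's scoring method or product). Each control area is assessed on the same three questions the first requirement names: is a policy defined, is it enforced, is it operated. A partner supplies a baseline stating the minimum stage it requires per control, so the same assessment can be compared against different partners' expectations, and the view handed to the partner is built from an allowlist of fields so that sensitive evidence never leaves the assessing organization. The vendor name, control names, stage weights and the sample assessment are all constructed for the example.

```python
"""Toy third-party cyber risk scoring.

Added example, not DatumSec's scoring method.  The weights, control
names, baselines and sample assessment below are assumptions made
for illustration.
"""

# Constructed sample assessment for one hypothetical vendor.  The
# "evidence" field holds internal detail (hostnames, auditor notes)
# that must never be forwarded to a business partner.
SAMPLE_ASSESSMENT = {
    "vendor": "Example Vendor Ltd",  # hypothetical
    "controls": {
        "access_control": {
            "defined": True, "enforced": True, "operated": True,
            "evidence": "IdP sso.internal.example; MFA audited Q1",
        },
        "patch_management": {
            "defined": True, "enforced": False, "operated": False,
            "evidence": "47 servers more than 90 days behind on patches",
        },
        "logging_monitoring": {
            "defined": False, "enforced": False, "operated": False,
            "evidence": "no SIEM; local syslog only",
        },
    },
}

# A written policy is worth less than one that is enforced, and an
# enforced policy less than one shown to be operated day to day.
# These weights are an assumption, not a published scheme.
STAGE_WEIGHTS = {"defined": 1, "enforced": 2, "operated": 3}
MAX_PER_CONTROL = sum(STAGE_WEIGHTS.values())

# Two partners with different expectations (constructed baselines).
STRICT_BASELINE = {
    "access_control": "operated",
    "patch_management": "enforced",
    "logging_monitoring": "enforced",
}
LENIENT_BASELINE = {
    "access_control": "enforced",
    "patch_management": "defined",
}


def control_score(control):
    """Points earned by one control: weight of every stage it satisfies."""
    return sum(w for stage, w in STAGE_WEIGHTS.items() if control.get(stage, False))


def risk_score(assessment):
    """Posture score from 0 to 100 (higher is better), averaged over controls."""
    controls = assessment["controls"]
    if not controls:
        return 0
    earned = sum(control_score(c) for c in controls.values())
    return round(100 * earned / (MAX_PER_CONTROL * len(controls)))


def baseline_gaps(assessment, baseline):
    """Controls that fall short of the partner's required stage, sorted.

    A control the baseline asks about but the assessment never covered
    counts as a gap: absence of evidence is not a pass.
    """
    gaps = []
    for name, required_stage in baseline.items():
        control = assessment["controls"].get(name, {})
        if not control.get(required_stage, False):
            gaps.append(name)
    return sorted(gaps)


def shared_view(assessment, baseline):
    """Build the result a business partner receives.

    Redaction is done by allowlisting the stage flags rather than by
    deleting known-sensitive keys, so a new field added to the internal
    record later cannot leak by default.
    """
    shared_controls = {
        name: {stage: bool(control.get(stage, False)) for stage in STAGE_WEIGHTS}
        for name, control in assessment["controls"].items()
    }
    return {
        "vendor": assessment["vendor"],
        "score": risk_score(assessment),
        "gaps": baseline_gaps(assessment, baseline),
        "controls": shared_controls,
    }


if __name__ == "__main__":
    print("score:", risk_score(SAMPLE_ASSESSMENT))
    print("strict gaps:", baseline_gaps(SAMPLE_ASSESSMENT, STRICT_BASELINE))
    print("lenient gaps:", baseline_gaps(SAMPLE_ASSESSMENT, LENIENT_BASELINE))
    print("partner view:", shared_view(SAMPLE_ASSESSMENT, STRICT_BASELINE))
```

The same assessment passes the lenient partner's baseline and fails the strict one on two controls, which is the point of a customizable baseline: the score is a property of the vendor, the pass/fail decision is a property of the relationship. Building the shared view from an allowlist is the check worth keeping even if everything else is replaced.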

Similar to looking at a company's credit rating for lending decisions, organizations will need to evaluate the risk scores of their 3rd-party vendors before they decide to share access to critical business systems and sensitive data with them.
— Jonathan Niednagel, Datum Security CEO

How is your organization objectively handling cyber risk? Are you prepared to share your cyber risk score with rating groups like Moody's? What about your business partners? They'll be asking for it soon.