Recently, Moody’s Investors Service announced that the credit implications associated with cyber risk could begin to take a higher priority within its credit analysis program.
DatumSec is a fan of the direction Moody’s is taking with this action.
However, the need for cyber risk assessments and cyber risk scoring goes well beyond the decision to lend money; the risk of operational outages and the loss of sensitive data due to cyber attacks and insider threats can travel deep and wide throughout the entire supply chain.
While a cyber risk score could, and perhaps should, be a component of a much larger risk scoring system, every organization should have its own cyber risk score. That score can be shared with business partners who care more about the safety of their information systems and their data than about their vendor's creditworthiness.
These are the key requirements for a scalable 3rd-party risk scoring system:
The assessments must consistently examine how a company defines its security policies, enforces them, and operates within those boundaries
The assessment results must respect the 3rd-party vendors’ privacy, redacting sensitive information not appropriate for the business partner to see
The cost and effort associated with the assessments must not outweigh the value of receiving a risk score
The assessment results and resulting risk score must provide enough information for the business partner to make an informed decision
The risk scoring system must support the collection and analysis of tens of thousands of 3rd-party vendor assessments
The risk scoring system must support customizable risk baselines so companies can easily compare the status of each 3rd-party vendor
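To make the requirements above concrete, here is an added worked example in Python. It is not DatumSec's scoring system, and everything in it is hypothetical: the 0-4 rating scale on the three axes the post names (policy defined, enforced, operated within), the axis and domain weights, the domain names, and the sample vendor findings. It shows a per-domain score that rewards enforcement over policy on paper, a customizable baseline that can fail a vendor on a single weak domain even when the blended score looks fine, a missing domain scored as zero rather than ignored, and a shareable report with the assessor's raw evidence redacted.

```python
# Added illustration of a third-party cyber risk score. This is not DatumSec's
# scoring system; the 0-4 rating scale, the weights, the domain names and the
# sample assessment are all hypothetical.
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class DomainAssessment:
    """Assessor ratings (0-4, hypothetical scale) for one control domain on the
    three axes the post names: is a policy defined, is it enforced, and does the
    vendor actually operate within it. `evidence` is the assessor's raw finding
    and is treated as sensitive."""
    defined: int
    enforced: int
    operated: int
    evidence: str


@dataclass(frozen=True)
class Baseline:
    """A business partner's customizable baseline: how much each domain counts,
    the minimum acceptable score per domain, and the minimum overall score."""
    weights: Dict[str, float]
    domain_minimums: Dict[str, float]
    overall_minimum: float


def domain_score(a: DomainAssessment) -> float:
    """0-100 score for one domain. Enforcement and operation carry 80% of the
    weight so a written policy that nobody follows cannot earn a good score."""
    for v in (a.defined, a.enforced, a.operated):
        if not 0 <= v <= 4:
            raise ValueError(f"rating out of range: {v}")
    raw = 0.2 * a.defined + 0.4 * a.enforced + 0.4 * a.operated
    return round(raw / 4 * 100, 1)


def vendor_score(assessment: Dict[str, DomainAssessment], baseline: Baseline) -> float:
    """Weighted 0-100 score. A domain the baseline asks about but the assessment
    does not cover scores 0: silence is not evidence of control."""
    total_weight = sum(baseline.weights.values())
    weighted = 0.0
    for domain, weight in baseline.weights.items():
        score = domain_score(assessment[domain]) if domain in assessment else 0.0
        weighted += weight * score
    return round(weighted / total_weight, 1)


def compare_to_baseline(assessment: Dict[str, DomainAssessment], baseline: Baseline) -> dict:
    """Verdict against the baseline. Any single domain under its minimum fails
    the vendor even when the blended overall score clears the bar."""
    failing: List[str] = []
    for domain, minimum in baseline.domain_minimums.items():
        score = domain_score(assessment[domain]) if domain in assessment else 0.0
        if score < minimum:
            failing.append(domain)
    overall = vendor_score(assessment, baseline)
    return {
        "score": overall,
        "failing_domains": sorted(failing),
        "passes": overall >= baseline.overall_minimum and not failing,
    }


def shareable_report(assessment: Dict[str, DomainAssessment], baseline: Baseline) -> str:
    """JSON a vendor can hand to a partner: per-domain scores and the baseline
    verdict only. The assessor's raw evidence never leaves the assessment."""
    result = compare_to_baseline(assessment, baseline)
    result["domains"] = {d: domain_score(a) for d, a in sorted(assessment.items())}
    return json.dumps(result, indent=2)


# Constructed sample assessment (hypothetical vendor and findings).
SAMPLE_ASSESSMENT = {
    "access_control": DomainAssessment(4, 4, 3, "MFA enforced; two shared admin accounts found"),
    "vuln_mgmt": DomainAssessment(4, 2, 1, "30-day SLA on paper; criticals open past 90 days"),
    "incident_response": DomainAssessment(3, 3, 3, "Runbook exists; last tabletop 14 months ago"),
}

# Two partners with different risk appetites applied to the same assessment.
LENIENT = Baseline(
    weights={"access_control": 0.4, "vuln_mgmt": 0.4, "incident_response": 0.2},
    domain_minimums={"access_control": 50, "vuln_mgmt": 50, "incident_response": 50},
    overall_minimum=65,
)
STRICT = Baseline(
    weights={"access_control": 0.3, "vuln_mgmt": 0.3, "incident_response": 0.2, "data_protection": 0.2},
    domain_minimums={"access_control": 70, "vuln_mgmt": 60, "incident_response": 60, "data_protection": 60},
    overall_minimum=70,
)

if __name__ == "__main__":
    print(shareable_report(SAMPLE_ASSESSMENT, LENIENT))
    print(shareable_report(SAMPLE_ASSESSMENT, STRICT))
```

Run as-is, the same vendor passes the lenient baseline (score 71.0) and fails the strict one (score 57.0, failing on vulnerability management and on the data-protection domain it was never assessed on). Two points carry over to a real system: the baseline belongs to the consumer of the score, not the vendor, and the shared artifact must be derived from the assessment rather than being the assessment itself, or the redaction requirement is unenforceable.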
How is your organization objectively handling cyber risk? Are you prepared to share your cyber risk score with rating groups like Moody's? What about your business partners? They will be asking for it soon.