In a collaborative effort, some of the world’s largest insurers have set out to create a consumer ratings service for the cyber-security industry.
The initiative, launched last week in the US and led by Marsh & McLennan, will attempt to score the best products for reducing hacking risks and will create an assessment of the best cyber-security offerings available to businesses, according to the Wall Street Journal.
The firm will collect and combine scores from participating insurers and will ultimately identify and rate products, offerings and services they believe will be effective in reducing cyber-risks. The results will be publicly available on the firm’s website.
Panorays CEO and co-founder Matan Or-El applauded the new initiative, calling it a win-win for all.
"Customers will need to up their cyber-security programme, thus reducing their cyber-risk to attacks while cyber-insurers will process fewer claims due to the higher standard of security," Or-El said. "That said, there will undoubtedly be bumps along the way to assess the cyber-security technologies."
Enforcing the collaboration between the insurers is mandatory to ensure that this initiative gets off the ground and becomes effective, he said, noting that keeping up to date with the ever-evolving threatscape is necessary to determine the efficacy of products against new threats.
Traditional and well-established technologies must be evaluated in a similar manner to innovative technologies that address the newer challenges. In addition, the assessment process must scale to accommodate the evaluation of thousands of cyber-security products.
Not all researchers were on board with the initiative. Jonathan Deveaux, head of enterprise data protection at comforte AG, expressed concern, pointing out that research analyst firms already provide some sort of rating system for the cyber-security industry and that adding another rating system could affect companies.
"Gartner uses the ‘Magic Quadrant,’ KuppingerCole uses the ‘Leadership Compass,’ and Forrester uses the ‘New Wave’ rating system," Deveaux said. "Now, with global insurers collaborating on a rating system, this leaves a lot of open questions on how this could impact organisations today."
Deveaux added that there are hundreds of products and solutions available which offer various ways to approach cyber-security, and that some solutions are more effective than others in terms of what the solution does and where it actually secures.
"For example, under the general category of ‘data security,’ the data protection methods vary when it comes to actually securing the data – security professionals today know about Encryption, Tokenisation, Data Masking (both dynamic and static) – all of which provide various ways to protect, de-identify, anonymise, or pseudonymise data," Deveaux said.
"Also under the general category of ‘data security,’ some solutions secure access to the data, rather than provide the protection mechanisms to the data itself," he explained.
There are also frameworks and regulations concerning data security compliance that provide guidance to organisations on how to approach data security concerning governance, internal policy, detection, prevention and response, Deveaux added.
The rating system also raises the question of what will happen if a company follows the system and still suffers a data incident which fails to meet GDPR requirements, he said.
In this case it is unclear what coverage the insurance company meets or whether the GDPR fine of up to four percent of annual revenue would be covered and paid by the insurance company. At the end of the day, consumers want to know which companies are securing their data, and hopefully the collaborative rating system will lead to a better overall security posture on their end.
This article was originally published on SC Media US.