What is SecurityScorecard
SecurityScorecard is an information security company that specializes in cybersecurity ratings and risk management. It offers a cybersecurity rating platform that provides a range of products and services [1] to help corporate entities identify and manage their own cybersecurity risks and those of their third parties (i.e. business partners, vendors and suppliers). This article focuses on Security Ratings.
Importance of Cybersecurity Rating
According to Gartner, cybersecurity ratings will become as important as credit ratings when evaluating the risk of business relationships, and companies should leverage security rating services to provide continuous scoring for internal assessments, procurement, partnerships and M&A activities [2]. Fitch Ratings (a credit rating company) has partnered with SecurityScorecard to better assess organizations' cyber health and vulnerabilities and how organizations manage cybersecurity risks [3]. In March 2022, new rules to enhance disclosures regarding cybersecurity risk management by public companies were made by the Securities and Exchange Commission (SEC) as it intends to play a more active role in cybersecurity [4]. Such disclosures can give investors a more holistic view of a company's overall risk management, since cybersecurity risk has become a significant part of enterprise risk management, and can help investors make more informed decisions about investing in a company. Beyond companies' own disclosures, cybersecurity ratings provide investors with an alternative source of information for assessing the potential risks of a company before investing in it. For example, a low rating may indicate that a company is more vulnerable to cyber incidents, which can result in financial impact to the company.
Cybersecurity Rating and Risk Mitigation
The cybersecurity rating platform is intended to help an organization gain visibility into its cybersecurity risk profile through a scored analysis of factors that represent cybersecurity risk.
It continuously scans for data from a variety of sources, including public information, the dark web and proprietary intelligence feeds, to gain insight into the cybersecurity risks facing a company. The gathered data is analyzed using a proprietary algorithm that measures a company's cybersecurity risk across 10 factors and assigns each factor a score (0 to 100) and a corresponding grade [5].
The weighted average of these individual factor scores is then used to compute a total score (the cybersecurity rating), intended to provide a snapshot of a company's cybersecurity risk profile, with a higher rating indicating lower cybersecurity risk [6].
The cybersecurity rating is updated on a continuous basis as new data is collected, allowing organizations to identify potential risks and areas for improvement in near real time. Under each factor, the platform details the potential vulnerabilities with their prevailing level of risk and provides general guidance on mitigation. With this, an organization can prioritize risk mitigation [7].
Peer Benchmarking and Third Party Risk Management
This cybersecurity rating can be used to benchmark the cybersecurity risk profile of a company against its peers, and to evaluate the cybersecurity risk of a company's potential third parties before establishing a business relationship. In terms of third-party risk management, the platform helps enterprises monitor and track the cybersecurity risk profile of their third parties over time, identify areas for improvement and take appropriate action to mitigate risk [8].
API Integration
The SecurityScorecard API gives an organization a programmatic way to pull ratings and cybersecurity data from its platform. The API is RESTful, so it can be easily integrated with various programming languages such as Python and Java [9]. Python code was written to automatically save the comparison of companies' ratings to PDF via "Print to PDF" using the selenium library, as shown below:
As the existing compare tool (compare companies' ratings) in the SecurityScorecard platform does not provide an option to export the ratings to CSV/Excel, Python code was written to retrieve the ratings through an API call into a pandas DataFrame, apply conditional colouring, and then export to Excel, as shown below [10]:
If your company monitors the security ratings on a monthly basis, a visualization can be created in Microsoft Power BI to compare the current month's ratings with the preceding month's, as shown below:
Sample code can be found at "https://github.com/cyberanalyst86/securityscorecard".
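As an added example (not code from the linked repository, nor SecurityScorecard's own), the following Python shows the rating arithmetic described above end to end: a weighted average of the 10 factor scores, the grade derived from it, and a month-over-month comparison table carrying the colour a conditionally formatted cell would get. The factor weights and grade bands are assumptions for illustration, and the two months of scores are constructed sample data standing in for API responses.

```python
# Assumption: equal weights, used only so the example runs; the platform's
# real per-factor weights are proprietary and are not given on this page.
FACTOR_WEIGHTS = {
    "network_security": 1, "dns_health": 1, "patching_cadence": 1,
    "endpoint_security": 1, "ip_reputation": 1, "application_security": 1,
    "cubit_score": 1, "hacker_chatter": 1, "information_leak": 1,
    "social_engineering": 1,
}
# Assumption: grade bands used for this example (A >= 90, B >= 80, ...).
GRADE_BANDS = [(90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]
# Colour a cell would get under conditional formatting in the exported sheet.
GRADE_COLOURS = {"A": "green", "B": "green", "C": "yellow", "D": "orange", "F": "red"}


def total_score(factor_scores):
    """Weighted average of the factor scores, rounded to one decimal.
    Refuses a partial response so a company is never rated on missing factors."""
    missing = FACTOR_WEIGHTS.keys() - factor_scores.keys()
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    weighted = sum(FACTOR_WEIGHTS[f] * factor_scores[f] for f in FACTOR_WEIGHTS)
    return round(weighted / sum(FACTOR_WEIGHTS.values()), 1)


def grade(score):
    """Letter grade for a 0-100 score using the assumed bands."""
    return next(g for floor, g in GRADE_BANDS if score >= floor)


def compare_months(current, previous):
    """One row per monitored company with its month-over-month delta.
    `current` and `previous` map domain -> {factor: score}; a company absent
    from `previous` is new to the monitored set and gets delta None."""
    rows = []
    for domain in sorted(current):
        now = total_score(current[domain])
        before = total_score(previous[domain]) if domain in previous else None
        rows.append({
            "domain": domain, "score": now, "grade": grade(now),
            "colour": GRADE_COLOURS[grade(now)],
            "delta": None if before is None else round(now - before, 1),
        })
    return rows


# Constructed sample data standing in for two months of API responses.
_BASE = {f: 90 for f in FACTOR_WEIGHTS}
SAMPLE_CURRENT = {
    "example.com": {**_BASE, "patching_cadence": 60, "dns_health": 70},
    "example.net": dict(_BASE),
}
SAMPLE_PREVIOUS = {"example.com": dict(_BASE)}
```

The rows returned by `compare_months` are what would be handed to pandas for the Excel export, with the `colour` column driving the conditional formatting.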
References
[8] https://axcient.com/blog/what-is-securityscorecard-and-why-should-msps-care-about-vendor-scores/