How cyber risk ratings can support better cyber reliance and regulatory compliance

In the digital age, cybersecurity risks are an ever-present threat. Businesses and governments face constant cyber threats, from state-sponsored cyber espionage to ransomware attacks by criminal gangs. The impact of these threats can be devastating, resulting in economic turmoil and threats to public safety.

In response, policymakers across the globe are looking at how regulation can strengthen an economy’s cyber posture, whether that be the Digital Operational Resilience Act (DORA), recently adopted by the European Parliament, which also makes financial groups accountable for the security of tech vendors they use, or The Network and Information Security Directive (NIS2), which provides legal measures to boost the overall level of cybersecurity in the EU.

Given the growing threat landscape, businesses increasingly support regulation to address and mitigate risks. The 2023 World Economic Forum Global Cybersecurity Outlook shows cyber executives are now more likely to see cybersecurity regulations as an effective tool for reducing cyber risks across a sector.

Many leading organizations have also turned to cyber risk ratings to help them understand and mitigate their cyber risk exposure and better comply with regulations. Cyber risk ratings provide an objective measure of an organization's cybersecurity posture based on various factors, including network security, data protection and incident response capabilities. These ratings help organizations identify areas of weakness in their supply chains and cybersecurity defences and prioritise remediation efforts.

Policymakers are also starting to see the utility of cyber risk ratings across markets and how they could be an effective policy lever to support the growing number of cyber regulatory requirements and improve cyber resilience within economies.

In France, policymakers are taking the lead globally by looking to mandate the use of cyber risk ratings. The French Cyberscore Law, enacted on March 3, 2022, creates the obligation for a cybersecurity certification for digital platforms intended for the public. It comes into force on October 1, 2023.

This groundbreaking act will mandate cyberscores on the 500 largest merchants' websites operating in France. The plan is to extend this to 10,000 strategic companies, such as the electric power grid and healthcare.

Much of the new cyber regulation in the EU is designed to manage digital supply chains and third-party providers.

For instance, DORA aims to ensure that all participants in the financial system have the necessary safeguards to mitigate cyber attacks and other risks. The legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. Like much of the economy, the financial sector is highly dependent on third-party tech vendors, both big and small.

This was highlighted recently when the CFTC postponed the publication of its weekly Commitments of Traders (CoT) report for the week ending February 17, 2023, due to a cyber attack on a third-party provider, ION Cleared Derivatives. According to data from the Futures Industry Association, this attack impacted a huge market with over $1 trillion of equity, commodity and interest rate futures open in December.

By introducing a mandatory cyber risk rating requirement, France will proactively manage how cyber risk is understood and promote greater digital resilience throughout the supply chain.

This law should serve as a call to action for policymakers across the EU and globally to consider similar measures to improve cybersecurity and digital resilience.

Lenders, such as banks and credit card companies, use credit scores to evaluate the potential risk of lending money to consumers and mitigate losses due to bad debt.

Similarly, cyber risk ratings can provide regulators and the market with an objective measure of an organization's cybersecurity posture, helping to inform regulatory decisions, reduce the risk of cyber incidents and effectively comply with regulations, such as DORA in the EU.

SecurityScorecard believes the EU should consider mandating a cyber risk rating system similar to the French model across all member states. This would create a level playing field for organizations across the EU and ensure that cybersecurity is taken seriously by all actors in the digital ecosystem. This may come in different forms across the various cyber-focused regulatory requirements and may not always be in law, it could come through guidance, regulatory interpretation or, indeed, certification. DORA regulators are developing common draft regulatory technical standards for ICT risk management tools that could include cyber risk ratings.

This is not a one size fits all, but moving towards ensuring cyber risk ratings are a must-have, not a nice to have, will improve cyber reliance and support the EU’s digital ambitions.