How cyber risk ratings can support better cyber reliance and regulatory compliance

 Cyber risk ratings could optimise cyber security.

Cyber risk ratings could optimise cyber security. Image: Photo by FLY:D on Unsplash

Dan Morgan
Senior Government Affairs Director for Europe & APAC, SecurityScorecard
Share:
A hand holding a looking glass by a lake
Crowdsource Innovation
Get involved with our crowdsourced digital platform to deliver impact at scale

Listen to the article

  • Businesses and governments face constant cyber threats, from state-sponsored cyber espionage to ransomware attacks by criminal gangs.
  • Many leading organizations have turned to cyber risk ratings to help them understand and mitigate their cyber risk exposure and better comply with regulations.
  • In France, policymakers are taking the lead globally by looking to mandate the use of cyber risk ratings.

In the digital age, cybersecurity risks are an ever-present threat. Businesses and governments face constant cyber threats, from state-sponsored cyber espionage to ransomware attacks by criminal gangs. The impact of these threats can be devastating, resulting in economic turmoil and threats to public safety.

In response, policymakers across the globe are looking at how regulation can strengthen an economy’s cyber posture, whether that be the Digital Operational Resilience Act (DORA), recently adopted by the European Parliament, which also makes financial groups accountable for the security of tech vendors they use, or The Network and Information Security Directive (NIS2), which provides legal measures to boost the overall level of cybersecurity in the EU.

Discover

What is the Forum doing to avert a cyber pandemic?

Businesses understand the need for regulation

Given the growing threat landscape, businesses increasingly support regulation to address and mitigate risks. The 2023 World Economic Forum Global Cybersecurity Outlook shows cyber executives are now more likely to see cybersecurity regulations as an effective tool for reducing cyber risks across a sector.

Many leading organizations have also turned to cyber risk ratings to help them understand and mitigate their cyber risk exposure and better comply with regulations. Cyber risk ratings provide an objective measure of an organization's cybersecurity posture based on various factors, including network security, data protection and incident response capabilities. These ratings help organizations identify areas of weakness in their supply chains and cybersecurity defences and prioritise remediation efforts.

Policymakers are also starting to see the utility of cyber risk ratings across markets and how they could be an effective policy lever to support the growing number of cyber regulatory requirements and improve cyber resilience within economies.

Have you read?

Cyber risk ratings as a regulatory tool

In France, policymakers are taking the lead globally by looking to mandate the use of cyber risk ratings. The French Cyberscore Law, enacted on March 3, 2022, creates the obligation for a cybersecurity certification for digital platforms intended for the public. It comes into force on October 1, 2023.

This groundbreaking act will mandate cyberscores on the 500 largest merchants' websites operating in France. The plan is to extend this to 10,000 strategic companies, such as the electric power grid and healthcare.

Addressing third-party risk through regulation

Much of the new cyber regulation in the EU is designed to manage digital supply chains and third-party providers.

For instance, DORA aims to ensure that all participants in the financial system have the necessary safeguards to mitigate cyber attacks and other risks. The legislation will require firms to ensure that they can withstand all types of ICT-related disruptions and threats. Like much of the economy, the financial sector is highly dependent on third-party tech vendors, both big and small.

This was highlighted recently when the CFTC postponed the publication of its weekly Commitments of Traders (CoT) report for the week ending February 17, 2023, due to a cyber attack on a third-party provider, ION Cleared Derivatives. According to data from the Futures Industry Association, this attack impacted a huge market with over $1 trillion of equity, commodity and interest rate futures open in December.

By introducing a mandatory cyber risk rating requirement, France will proactively manage how cyber risk is understood and promote greater digital resilience throughout the supply chain.

Loading...

Mandate EU-wide cyber risk ratings

This law should serve as a call to action for policymakers across the EU and globally to consider similar measures to improve cybersecurity and digital resilience.

Lenders, such as banks and credit card companies, use credit scores to evaluate the potential risk of lending money to consumers and mitigate losses due to bad debt.

Similarly, cyber risk ratings can provide regulators and the market with an objective measure of an organization's cybersecurity posture, helping to inform regulatory decisions, reduce the risk of cyber incidents and effectively comply with regulations, such as DORA in the EU.

SecurityScorecard believes the EU should consider mandating a cyber risk rating system similar to the French model across all member states. This would create a level playing field for organizations across the EU and ensure that cybersecurity is taken seriously by all actors in the digital ecosystem. This may come in different forms across the various cyber-focused regulatory requirements and may not always be in law, it could come through guidance, regulatory interpretation or, indeed, certification. DORA regulators are developing common draft regulatory technical standards for ICT risk management tools that could include cyber risk ratings.

This is not a one size fits all, but moving towards ensuring cyber risk ratings are a must-have, not a nice to have, will improve cyber reliance and support the EU’s digital ambitions.

Don't miss any update on this topic

Create a free account and access your personalized content collection with our latest publications and analyses.

Sign up for free

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.

Share:
World Economic Forum logo
Global Agenda

The Agenda Weekly

A weekly update of the most important issues driving the global agenda

Subscribe today

You can unsubscribe at any time using the link in our emails. For more details, review our privacy policy.

About Us

Events

Media

Partners & Members

  • Join Us

Language Editions

Privacy Policy & Terms of Service

© 2024 World Economic Forum