The financial crash that occurred in the United States in 1837 created the need for risk assessment on behalf of investors. The power of financial rating agencies to influence investors has grown over the past decades, driven by a number of significant events (the collapse of Enron in the US, the US subprime mortgage crisis, the late-2000s financial crisis and the Greek national debt crisis). Increasing complaints about such agencies, and the impact of their decisions, led to the creation in Europe of the European Securities and Markets Authority (ESMA). Since 2010, credit rating agencies have therefore had to comply with ESMA rules.
Cyber rating is now being introduced as a continuation of financial rating. In 2015, Standard and Poor’s was the first agency to announce that it was taking cyber risk into consideration when calculating its rating. Cyber rating initiatives in general have been booming over the past five years, and there are now several US-based agencies that produce cyber ratings, such as SecurityScorecard, BitSight, Panorays and VisibleRisk.
Those credit rating agencies are looking for KPIs that assess how well cyber security risk is covered. Today, companies increasingly use these ratings when considering whether to enter into business arrangements; a rating can influence one company's decision to work with another. EU governments also appear to be working more and more with cyber rating agencies. Developing ratings in our complex and interconnected world is understandable and welcome, as long as the methodologies used are transparent, reliable and robust, given their huge business impact, especially on EU companies.