3 Reasons Why Cybersecurity Ratings Are a Waste of Money

Michael Berman

2 min read

Apr 23, 2018

Investigating a vendor’s cybersecurity can be a time-consuming hassle. Wouldn’t it be nice if you could pay someone else to monitor and report back on a vendors’ cyber risk? That’s the appeal of cyber-security ratings. Firms provide scorecards on third-party vendors’ cyber risk, supposedly making it easier for financial institutions to manage their own risk.

But these scorecards mostly provide a false sense of security. Here are three reasons why:

They use only public data. Cybersecurity ratings companies comb through publicly available data and plug it into an algorithm to come up with a score. The problem is that just a handful of the things you need to know are available in public documents, leaving many other areas unexamined. The cyber-security firms can tell you if a vendor’s website is restricted or up-to-date, but it can’t get into the non-public facts that matter. After all, if a vendor is experiencing problems, there is a high probability the cause of the problems is not available in public data.
Vendors won’t give you details of a problem. If the cybersecurity ratings company uncovers a problem, you’ll know there’s a potential problem, but the vendor isn’t obligated to remedy the issue. What exactly was the problem? Why is it a problem? Has any security measure been exploited because of the issue? Were they following procedures? They have no obligation to respond or provide complete responses.
The vendor will fix the problem anyway. Name one financial institution that avoided harm by buying a cybersecurity rating. I bet you can’t. When a cybersecurity ratings company finds a problem, the vendor hears about it and fixes it for everyone, not just the client who notified it of the problem. Let someone else buy the cyber-scorecard and tell the vendor to fix the problem. You can win without spending any resources.

[do_widget id=custom_html-6]

Instead of wasting money on cybersecurity ratings, make sure you’re receiving timely, accurate and relevant reports from your vendors and taking the time to review them. Your vendor agreement should be structured so that the audit rights and reports you need to understand and monitor cyber risk will be available to you. They should also include detailed information about breaches, including everything from potential damages to how the vendor will handle them.

Last year the FDIC’s Office of Inspector General’s evaluation Technology Service Provider Contracts with FDIC-Supervised Institutions found that many financial institutions’ contracts fall short when it comes to cyber incident response. Many contracts don’t address vendor responsibility for assessing and responding to incidents, including determining the potential effect on the institution or its customers or reporting and notifying authorities. Even if they require notification, most don’t include information requiring a vendor assess the nature and scope of potential incidents, including information and systems accessed and the possible harm, inconvenience or misuse of data that could result; contain and control incidents to preserve evidence; provide detailed incident response and recovery metrics; and remedy the situation if it failed to meet response and reporting standards.

Rather than paying someone to worry about tracking public information, put your effort into making sure your institution has a vendor agreement that gives you the information you need to control cyber risk and then making the most of that data.

Check out Ncyber, our online FFIEC cybersecurity assessment tool.

Subscribe to the Nsight Blog

All Topics Risk & Compliance Product Insight Banks Lending Compliance Credit Unions Risk Management Fair Lending Nfairlending Cluster: Risk Management Compliance Lending Compliance Management Integrated Risk Blog Nrisk Regulatory Compliance Management News & Updates HMDA Risk Mortgage Lenders Ncomply Vendor Management Business Resiliency CRA Lending Compliance Blog Vendor CFPB Ncontinuity Third-Party Vendor Management Business Continuity Cybersecurity Fintech NVendor Strategic Planning Ncyber Ntransmittal Audits & Findings Company Culture OCC Regulatory Updates Audit Nverify Regulatory Compliance Exams FDIC Compliance Management Findings Nfindings NCUA Contract Management Employee Intranet Contract FRB Business Continuity Management FFIEC Findings Management Ncontracts manager Third-Party Vendors Vendor Risk Enterprise Risk Management ABA Bank Access Control Audit Findings Board Portal Call Report Due Diligence Efficiency Employee Engagement Exam findings FIEC Inc. 5000 Internal Audit Management Nboardportal Verify Wealth Management

Solutions

Risk Solutions

Vendor Solutions

Compliance Solutions

Lending Compliance

Risk Performance Management

Software Solutions

Risk Management Software

Vendor Management Software

Compliance Management Software

Continuity Management Software

Fair Lending Compliance Software

Findings Management Software

Audit Management Software

Cybersecurity Assessment Software

1071 Compliance Software

Employee Network/Intranet Software

Accredited Certification Program

Banks

Credit Unions

Mortgage Lenders

Fintech

Wealth Management

Nsight Blog

Webinars

Ncast Podcast

Regulatory Pulse

Events

Nsider Community

Dig into our Nstitute Certified Vendor Management Professional Training!

Featured Resources

Webinar: What Does Resilience Look Like?

Regulatory Pulse March 2024

Webinar: The Future of Risk Management

9 Fair Lending Compliance Training Essentials

Podcast: Succeeding All Together, Banking and Company Intranets

Book: The Upside of Risk

Resource Hub

About Us

News

Leadership

Partnerships

Join the Team

Ncontracts Highlights

Ncontracts Launches Nstitute & the Certified Vendor Management Professional (NCVMP) Certification

Ncontracts named Top Workplace for Third Consecutive Year in 2023

Ncontracts and CBANC Release New Report

Event: Ngage 2023 Nashville

3 Reasons Why Cybersecurity Ratings Are a Waste of Money

Subscribe to the Nsight Blog

Share this

You May Also Like

Will Your Vendors Fall Victim to Ransomware and Other Cybersecurity Threats?

How to Review Critical Vendors' Cybersecurity

Here We Go Again: Vendor Cybersecurity Breaches Keep Wreaking Havoc