That lack of public information about the cyber-preparedness of businesses is all the more striking given the relative severity of the threat. More than half the adult population of the United States was affected by the breach of Equifax last year.
Unfortunately, we have become inured to these hacks. Our response to breaches has become routine: more calls for regulation, followed by congressional hearings and failed regulatory proposals. Consumers go about their lives, numbed by the frequency and the lack of consequences. Meanwhile, the hacks get worse.
This cycle stems in part from a lack of information about the security practices of businesses. But forcing companies to explain how they are keeping the bad guys out would only help the bad guys.
The simple grading system used by restaurant regulators can and should be a model to inform the public about the digital security of businesses that store sensitive consumer data. A letter grade is, to be sure, a crude measure of a complex issue like cybersecurity, but what the metric lacks in nuance it makes up for with brute force.
Current measures to assess cyber-preparedness are either not compulsory or too complex. The federal government’s National Institute of Standards and Technology framework is widely respected, but it’s voluntary, underused and not easily digestible for the average consumer. Only seven Fortune 500 companies mentioned it in their annual filings with the Securities and Exchange Commission last year, and only one said it had adopted it.
MSCI — an index provider and independent research firm for institutional investors — ranks companies on cybersecurity. More than a year before Equifax’s breach was revealed, MSCI scored Equifax a 0 out of 10 on privacy and data security. As prescient as it was, consumers would have had difficulty absorbing such a rating, which is just one of several components that MSCI uses to arrive at an environmental, social and governance, or E.S.G., rating of overall corporate citizenship.
A new grading system should start with the basics: Are companies on top of data security, and if hacked, do they know how to reduce the impact?
Each year, the Ponemon Institute, an independent research group, and IBM look at the cost of the average data security breach, as well as the average cost of each piece of data compromised. In 2017, the average cost of a data breach in the United States was $7.35 million, or $141 per record compromised. But if a company has an incident response team, uses encryption, trains its employees, has a business continuity program and monitors cyber-threat intelligence, that reduces the cost of the average data breach by nearly 47 percent. Using these five factors — weighted by their impact on cost reduction — is a simple starting point.
There are plenty of details to be worked out about a cybersecurity grading system. But the one nonnegotiable aspect would be that, once assigned, letter grades must be made highly accessible to the public. Companies should be required to display their grades prominently at their physical locations, on their websites, on certain documents (mortgage applications, for example) and on credit card readers.
A grading system would not solve every cybersecurity problem, nor prevent every breach. But our sad state of affairs — in which we are equal parts fearful, apathetic and ignorant about digital security — must change. Providing clearer information to the public is the most productive next step we can take.