Microsoft today began scoring the security settings of commercial customers that use Office 365, and at least one insurer said the ratings would be considered in the pricing of cybersecurity policies.
Microsoft’s Secure Score API had been in preview availability since early August. At the time, users were measured on just 27 security configurations and behaviors that impact the security of data in an organization’s Office 365 environment.
Today’s general release grades users on up to 77 factors, and instructs them on how changes in behaviors and security settings – like activating multi-factor authentication – can impact their scores.
“The core idea is that it is useful to rationalize and contextualize all of your cloud security configuration and behavioral options into one simple, analytical framework, and to make it very easy for you to take incremental action to improve your score over time,” said a blog post by Microsoft program manager Brandon Koeller. “Rather than constructing a model with findings slotted into critical, moderate, or low severity, we wanted to give you a non-reactive way to evaluate your risk and make incremental changes over time that add up to a very effective risk mitigation plan.”
Microsoft launched the general availability to coincide with the RSA digital-security conference, which starts Monday at the Moscone Center in San Francisco.
In a blog post today announcing the broader release, Microsoft suggested four use cases for the score data:
- Monitor and report on your secure score in downstream reporting tools.
- Track your security configuration baseline.
- Integrate the data into compliance or cybersecurity insurance applications.
- Integrate Secure Score data into your SIEM or CASB to drive a hybrid or multi-cloud framework for security analytics.
Secure Score will allow administrators to compare their security scores with those of 85 million other commercial customers of Office 365, according to a report in the Wall Street Journal.
Also according to that article, Hartford Financial Services Group Inc. is the first company to publicly announce it will consider Microsoft’s security score as a factor in determining premiums for cyberinsurance.
“It gives us insight and comfort that you are doing some risk management,” Tom Kang, Hartford’s head of cyberinsurance, told the Wall Street Journal.
Kang would not say how much weight the score would be given.
Corporate cyberinsurance is the fastest-growing insurance product in America, with PricewaterhouseCoopers projecting premiums to grow from the current $3 billion a year to $7.5 billion by 2020, the Journal reported.