Microsoft to Rate Corporate Cybersecurity
Hartford Financial says it will use the Office 365 Secure Score when setting cyberinsurance rates
Microsoft on Friday will begin grading its commercial customers’ Office 365 security settings in an effort to fortify its software and services, which are frequent targets of hackers.
One insurance company, Hartford Financial Services Group Inc., plans to take the security score into account when setting cyberinsurance rates for customers.
No money is changing hands, the companies said. Microsoft declined to say whether it approached other insurance companies to use the dashboard-like service.
Amid a continuing flood of cyberattacks, tech companies frequently cajole customers into beefing up their use of security features. Alphabet Inc.’s Google, Facebook Inc. and Twitter Inc., for example, all encourage users to enable multifactor authentication, a common security step that requires people to provide more than just a username and password to log in.
Microsoft in recent years has pushed to burnish its reputation for security. The Windows 10 operating system is more secure than its predecessors, in large part because it includes free upgrades that are installed automatically in the background, ensuring it has the latest protections.
Microsoft is debuting the Secure Score ahead of the annual RSA digital-security conference in San Francisco, which gets under way Monday.
The company will suggest ways to improve security and include a tool to model how security changes affect scores. Security scores can climb, for example, when customers enable multifactor authentication.
Secure Score only considers a business customer’s use of security features in Office 365. That means it might register lower scores for customers who choose to use rival security products instead of enabling security features included in their Office 365 subscription, the company said.
Businesses can compare their scores to the other 85 million commercial customers using Office 365, the online version of Microsoft’s email, word-processing and spreadsheet applications.
“It’s essentially like a health checkup,” said Bret Arsenault, Microsoft’s chief information security officer.
In testing, Microsoft found that customers who checked their security settings boosted their scores on average by 18% over those who didn’t visit the security dashboard.
Hartford plans to take Secure Score into account when pricing its cyberinsurance coverage. The company already looks at a variety of factors, from the industry in which clients operate to the physical security of their buildings, said Tom Kang, head of cyberinsurance for the company.
He declined to disclose the weight Secure Score tallies would get in pricing decisions. The actual score itself is less relevant than the fact that the customer is focused on security configurations, Mr. Kang said. “It gives us insight and comfort that you are doing some risk management,” he said.
PricewaterhouseCoopers forecasts that the roughly $3 billion corporate cyberinsurance market will grow to $7.5 billion in premiums by 2020, making it the fastest-growing insurance product in America.