On June 20, 2017, the U.S. Chamber of Commerce announced that a consortium of more than two dozen Chamber member companies, including prominent big banks, big-box retailers and technology giants, had released a set of principles designed to promote fair and accurate cybersecurity ratings. The “Principles for Fair and Accurate Security Ratings” respond to the recent emergence of several companies, such as BitSight Technologies, CyberGRX, RiskRecon and SecurityScorecard, that collect and analyze publicly accessible data to produce an outside-in rating of a company’s cybersecurity risk posture. The data is typically collected without the rated company’s knowledge or participation and comes from a variety of sources, such as:
- Hackers’ forums and darknet marketplaces, where listings indicate that a company’s data is for sale or that its systems have been compromised.
- Sinkholes: malware command-and-control domains and IP addresses that researchers have seized or registered, so that infected machines beacon to the sinkhole instead of to the attacker. A beacon arriving from an address in a company’s public IP space indicates a bot or other malware running inside its network. (A sinkhole sees only this beacon traffic, not all traffic entering or leaving the company.)
- Internet-wide port scanning to identify services exposed on a company’s public IP ranges.
- Open-source threat-intelligence feeds (blocklists, spam-trap data, malware-sample reports) that are published so defenders can strengthen their own controls; rating companies mine them for a company’s IP addresses and domains appearing as sources of spam, malware or attacks.
- Scanning a company’s public-facing systems for indications of vulnerabilities, such as service banners advertising out-of-date software, login portals that do not appear to require multifactor authentication, and known vulnerabilities left unpatched. These are inferences from what is visible externally, not verified findings.
- Public data breach feeds and breach notifications for indicators of compromise.
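To make concrete how two of the sources above turn into an outside-in signal, here is an added example written for this page; it is not any rating vendor’s method or code. It takes constructed sinkhole records and port-scan results, attributes each IP address to a fictional organization by its public IP ranges, and counts infected hosts and exposed services. The organizations, ranges, domains, banners and the “OpenSSH before version 7 is outdated” rule are all assumptions made for the illustration.

```python
"""Outside-in signals derived from constructed sinkhole and port-scan data.

Illustration written for this page, not a rating vendor's method. All data
below (organizations, IP ranges, domains, banners) is made up.
"""
import ipaddress
import re
from collections import defaultdict

# Public IP ranges each (fictional) organization is assumed to own, e.g. from
# WHOIS or BGP data. Attribution of an IP to a company starts here and is the
# step most likely to be wrong (shared hosting, NAT gateways, stale allocations).
ORG_RANGES = {
    "ExampleCorp": [ipaddress.ip_network("203.0.113.0/24")],
    "OtherCo": [ipaddress.ip_network("198.51.100.0/25")],
}

# Constructed sinkhole records: (timestamp, source IP, sinkholed C2 domain).
# Each one means a host at that IP tried to reach malware infrastructure.
SINKHOLE_HITS = [
    ("2017-06-20T01:02:03Z", "203.0.113.17", "c2.malware-family-a.example"),
    ("2017-06-20T01:05:10Z", "203.0.113.17", "c2.malware-family-a.example"),
    ("2017-06-20T02:00:00Z", "198.51.100.9", "c2.malware-family-b.example"),
    ("2017-06-20T03:00:00Z", "192.0.2.5", "c2.malware-family-a.example"),  # no owner known
]

# Constructed port-scan results: (IP, port, banner) for Internet-reachable services.
SCAN_RESULTS = [
    ("203.0.113.10", 22, "SSH-2.0-OpenSSH_5.3"),
    ("203.0.113.10", 443, "Apache/2.4.25"),
    ("198.51.100.20", 3389, ""),  # RDP reachable from the Internet, no banner
]

# Services a rater would flag when reachable from the Internet (assumption).
RISKY_PORTS = {23: "telnet", 445: "smb", 3389: "rdp"}


def attribute(ip: str):
    """Return the organization whose published range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for org, nets in ORG_RANGES.items():
        if any(addr in net for net in nets):
            return org
    return None


def outdated_ssh(banner: str) -> bool:
    """Placeholder version rule (assumption): flag OpenSSH major versions before 7.
    A real rater would compare banner versions against vulnerability databases."""
    m = re.match(r"SSH-2\.0-OpenSSH_(\d+)\.", banner)
    return bool(m) and int(m.group(1)) < 7


def infected_hosts(hits=SINKHOLE_HITS):
    """Per organization: distinct beaconing IPs mapped to the C2 domains they contacted."""
    out = defaultdict(dict)
    for _ts, ip, domain in hits:
        org = attribute(ip)
        if org is not None:
            out[org].setdefault(ip, set()).add(domain)
    return out


def exposed_services(results=SCAN_RESULTS):
    """Per organization: (ip, port, reason) findings from scan results."""
    out = defaultdict(list)
    for ip, port, banner in results:
        org = attribute(ip)
        if org is None:
            continue
        if port in RISKY_PORTS:
            out[org].append((ip, port, RISKY_PORTS[port] + " exposed"))
        if outdated_ssh(banner):
            out[org].append((ip, port, "outdated banner: " + banner))
    return out


def summarize(org: str) -> dict:
    """Raw counts a rater might feed into a score; the scoring itself is out of scope."""
    return {
        "infected_hosts": len(infected_hosts().get(org, {})),
        "findings": len(exposed_services().get(org, [])),
    }


if __name__ == "__main__":
    for org in ORG_RANGES:
        print(org, summarize(org))
```

Every signal here rests on the first step, attributing an IP address to a company. The beacon from 203.0.113.17 could equally be a guest Wi-Fi NAT address, a contractor’s laptop, or a researcher’s sandbox, and the scanned host could be a decommissioned box in a range the company no longer uses. That is why these sources yield inferences about a company’s posture rather than verified findings, and why the rated company has no way of knowing the data was collected unless it looks for itself.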