On June 20, 2017, the U.S. Chamber of Commerce announced that a consortium of more than two dozen chamber member companies, including prominent big banks, big-box retailers, and technology giants released a set of principles designed to promote fair and accurate cybersecurity ratings. The creation of the “Principles for Fair and Accurate Security Ratings” comes in response to the recent emergence of several companies, such as BitSight Technologies, CyberGRX, RiskRecon and SecurityScorecard, that collect and analyze publicly accessible data to develop a rating of a company’s cybersecurity risk posture. The data is typically collected without the target company’s knowledge and comes from a variety of sources, such as:
- Hackers’ forums and data available on the darknet indicating that a company’s data is for sale or its systems have been compromised.
- Sink-hole technology that monitors all public internet traffic that enters or leaves a company’s network for signs of viruses, malware, spamming software or botnets beaconing to and from the company’s network.
- Port-scanning tools to identify open ports to a company’s network.
- Open-source malware intelligence feeds, intended to help companies strengthen their own defenses, which ratings companies analyze to identify compromised companies.
- Scanning a company’s public-facing systems for indications of vulnerabilities, such as out-of-date operating systems, the absence of multifactor authentication and poor patching practices.
- Public data breach feeds for indicators of compromise.
Risk ratings companies then use proprietary methodologies and algorithms to analyze the data and assign each company a rating based on a comparative analysis against its peers. Ratings companies use a variety of metrics. BitSight uses a FICO-type score ranging from 250 to 900 (a higher number indicating better cybersecurity performance). SecurityScorecard uses an A to F grading methodology. Because ratings companies continuously gather and analyze data about companies, a company’s rating can change quickly if, for example, the ratings company’s data feed identifies the company’s data being offered for sale on the darknet.
Cybersecurity ratings are used by companies for a variety of purposes, including to evaluate the cybersecurity risk posture of third-party vendors as part of a vendor risk management program; as part of due diligence in connection with mergers and acquisitions; by security teams to identify the company’s own weaknesses; by senior executives to help explain and quantify a company’s cybersecurity risk to its board of directors; and by cybersecurity insurance underwriters to evaluate a company’s potential risk. As a result, a company’s rating can have a significant impact on its business. A company may lose a critical business deal because its competitor had a higher cybersecurity rating, or conversely, a company may reduce its annual premiums for cybersecurity insurance by monitoring and improving its cybersecurity rating.
Importantly, however, cybersecurity ratings have the potential to be inaccurate, incomplete, unverifiable and unreliable if, for example, the source data is inaccurate or the methodology does not account for risk mitigations in place at a company. The principles developed by the consortium were designed to increase confidence in, and the usability of, fair and accurate cybersecurity ratings by addressing these potential problems. The principles were modeled after the Fair Credit Reporting Act, which helped increase confidence in the credit process by ensuring the usability of ratings for legitimate purposes while recognizing consumers’ interest in ensuring that the data underlying the scores was accurate and complete. The principles are as follows:
Transparency: Ratings companies shall provide sufficient transparency into the methodologies and types of data used to determine their ratings, including information on data origination as requested and when feasible, in order for customers and rated organizations to understand how ratings are derived. Any rated organization shall be allowed access to its individual rating and the data that impacts a change in its rating.
Dispute, correct and appeal: Rated organizations shall have the right to challenge their ratings and provide corrected or clarifying data. Ratings companies should have an appeal and dispute resolution process. Disputed ratings should be notated as such until resolved.
Accuracy and validation: Ratings should be empirical, data-driven or notated as expert opinion. Ratings companies should provide validation of their rating methodologies and historical performance of their models. Ratings shall promptly reflect the inclusion of corrected information upon validation.
Model governance: Prior to making changes to their methodologies and/or data sets, ratings companies shall provide reasonable notice to their customers and clearly communicate how announced changes may impact existing ratings.
Independence: Commercial agreements, or the lack thereof, with ratings companies shall not have direct impact on an organization’s rating; any rated organization will be able to see and challenge its rating irrespective of whether it is a customer of the ratings company.
Confidentiality: Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected. Ratings companies should not publicize an individual organization’s rating. Ratings companies shall not provide third parties with sensitive or confidential information on rated organizations that could lead directly to system compromise.
The establishment of the principles indicates that cybersecurity risk ratings have the potential to become as critical as credit ratings and the other factors considered in making business partnership decisions, as well as to become an important tool for monitoring a company’s own cybersecurity risk posture. As such, becoming adept at understanding and effectively using cybersecurity ratings will be an important strategic advantage for companies in the future.