Chamber of Commerce Floats Guidelines for Cyber ‘Credit Ratings’

In-brief: The U.S. Chamber of Commerce has released guidelines for the use of cyber security ratings – a kind of “credit score” that will allow consumers and other businesses to assess the trustworthiness of organizations they do business with.

The guidelines come as more firms grow concerned about the risk posed by third-party firms, and they attempt to set ground rules for a fast-evolving market that seeks to apply credit-score-like ratings to cyber security risk.

The guidelines, published on the Chamber of Commerce website, are intended to promote “fairness in reporting” and to “enhance the value of security ratings across all industries,” the Chamber said in a statement. Leading private sector firms including banking and financial services giants Morgan Stanley, JP Morgan Chase and Goldman Sachs, said they support the new guidelines.

The Chamber said the new guidelines are needed to ensure that multiple, competing ratings methods don’t create a ‘Tower of Babel’ environment in which consumers of the ratings aren’t sure what a given rating means or how reliable a cybersecurity score is.

From the Chamber’s statement:

Security rating companies use a combination of data points collected or purchased from public and private sources and proprietary algorithms to articulate an organization’s security effectiveness into a quantifiable measure or score.

As these ratings rely in part upon the quality and breadth of the data they use, the variety of sources and the dynamic nature of the environment create risks of producing ratings that can potentially be inaccurate, irrelevant or incomplete.

The new standards aim to promote quality and accuracy in the production of security ratings and fairness in reporting, including a standard and coordinated process for adjudicating errors or inaccuracies in reported content.

Credit ratings are governed by the Fair Credit Reporting Act. The cyber risk ratings would be industry-backed and monitored.

Among the guidelines for would-be rating firms are transparency into the methods used to determine ratings and the types of data that inform ratings. As with credit scores, rated organizations should be allowed access to their individual rating and to the data behind any change in their rating, the Chamber said.

The Chamber called on ratings to be “empirical” and “data-driven.” Rating companies should provide validation of their rating methodologies and historical performance of their models, and include updated or corrected information as soon as possible.

Customers should be notified when the rating firm is making changes to its methods or the data sets used to calculate a rating. Customers must be told clearly how the changes may impact existing ratings, and companies and other rated organizations need a way to dispute ratings and provide corrected information.

The Chamber calls out ‘pay for play’ arrangements, demanding that “commercial agreements, or the lack thereof” with rating companies should not impact an organization’s rating.

A number of venture-funded firms have cropped up in recent years offering variations on security ratings and third-party risk management tools, including BitSight, SecurityScorecard and RiskRecon.

Unlike the banking sector, where the federal Fair Credit Reporting Act (FCRA) of 1970 governs the accuracy, fairness, and privacy of consumer information contained in the files of consumer reporting agencies, no similar standard covers cyber security ratings.

Doug Clare, a Vice President at FICO, said his firm has seen security ratings publicly disclosed or compared to advance the marketing goals of the provider. “This certainly seems like a bad idea, and one of the key goals of the principles is to ensure that the scores are distributed and used for the right purposes,” he wrote.

The proposed guidelines don’t have the force of law. “They establish what amounts to a code of conduct for market participants and offer potential ratings consumers with additional means to differentiate providers,” Jake Olcott, a Senior Vice President at BitSight told The Security Ledger.

Still, Olcott said the guidelines set forth by the Chamber of Commerce aren’t window dressing either, and will challenge firms wishing to meet them, while providing competitive advantage to companies that can show they have met the standards.

Source: Why We Need Fair and Accurate Cybersecurity Ratings | U.S. Chamber of Commerce