Big U.S. banks and corporations are partnering to establish principles for setting cybersecurity ratings, according to the U.S. Chamber of Commerce.
The companies say having agreed-upon principles for the ratings will allow them to better understand the ratings and to challenge then if necessary, according to a report from Reuters. The security ratings, which serve as the cyber equivalent of a credit score, can be used by large corporations to assess how vulnerable their potential partners are to cyberattack. Insurers use the scores to assess liability.
Forty-four companies attached their names to the statement from the Chamber, which endorses principles of transparency, accuracy, model governance, independent, and confidentiality. Among the financial institutions that signed up were Citigroup, Goldman Sachs, JPMorgan Chase, Morgan Stanley, and Wells Fargo. Blackstone, Microsoft, and Lockheed Martin were also signatories.
In a statement, Ann Beauchesne, the Chamber’s senior vice president of national security and emergency preparedness, said a common understanding of how cyber-ratings were derived was fundamental to building trust. “To maximize their utility, both consumers of security ratings and rated companies need to have confidence that ratings are based on actionable, relevant information evaluated through a clear, articulable algorithm or data-driven process,” she wrote.
Startup cyber-ratings companies including BitSight Technologies, RiskRecon, and SecurityScorecard have attracted venture capital funding while drawing criticism from companies who complain their ratings methods remain opaque.
“The challenge is that [startups’] methodologies are proprietary and there hasn’t been transparency on how they go about creating the ratings,” Rohan Amin, JPMorgan’s global chief information security officer, told Reuters.
In their statement of principles, the companies said the common, industrywide approach should include a coordinated process for adjudicating errors in reported content. “Rated organizations shall have the right to challenge their rating and provide corrected or clarifying data,” the companies said.
They also said that any rated organization should be allowed access to their individual rating and any data that causes a change in the rating.