Roughly two dozen companies in the United States have established a set of ground rules and guiding principles that center on cyber security ratings. Among that roster of companies are several large U.S. banks.
Reuters reports that the announcement of the principles came via the U.S. Chamber of Commerce. Those cyber ratings are used, in essence, like a FICO score, allowing companies to assess the risks posed by partner firms. The scores give an inkling of how well a company can “weather” a cyber attack. The scores also inform underwriting decisions across various underwriting practices. The cyber security risk rating is emerging through the efforts of smaller companies, among them startups such as SecurityScorecard and RiskRecon, said Reuters. One criticism, according to the firms being rated, is that there is no transparency about exactly what data goes into those ratings. By way of example, BitSight Technologies has a scale of cyber risk ratings in place that ranges from 250 to 900, with higher scores pointing toward better risk profiles.
In an interview with Reuters, JPMorgan Global Chief Information Security Officer Rohan Amin stated that “the challenge is that their (startups’) methodologies are proprietary, and there hasn’t been transparency on how they go about creating the ratings.”
Within the group are marquee payments, banking and retail names such as JPMorgan Chase and Starbucks, in addition to health care names such as Aetna Inc.