Nearly 30 years ago the Fair Isaac Corporation (“FICO”) first introduced its metric for measuring creditworthiness. Since then, the FICO Score has become a default metric used by countless market participants to facilitate arm’s-length transactions. It is a score that, while not without problems, is generally understandable and easily accessible.

FICO and other entities are now promoting new methods of rating companies’ cyber risk and resiliency with the same goal of promoting informed decision-making. The growing importance of such ratings was recently recognized by the U.S. Chamber of Commerce, which published “Principles for Fair and Accurate Security Ratings” in June 2017. This article briefly discusses the growing role of security ratings in driving business strategy and the need for more uniform standards among ratings companies.

Executive Summary

Companies are increasingly pursuing management of cyber risk rather than attempting to eliminate it outright, as cyber attacks become more prolific, widespread and hard to stop. A trio of attorneys/experts at the law firm Akin Gump argue that cyber security ratings of companies, produced by outside, independent ratings companies, could help support informed underwriting and better risk management.

External Scores

The goal of a security rating is to assess a company’s general degree of cyber risk and how prepared the company is to withstand cyber attacks or cyber incidents. Security ratings are an externally-focused means of measuring a company’s cyber resiliency. In this way, they are akin to the FICO Score inasmuch as they rely on external data to provide a risk profile without need for input or cooperation from the rated company.

Every company with a digital presence has an Internet footprint, including devices and data belonging to the company that are accessible (intentionally or not) from the Internet. Security ratings analyze this outward-facing footprint to assess the company’s cyber weaknesses and levels of risk. The main benefit to this method of assessment is that it can be determined externally. The methods of measurement and comparison between companies also can be standardized to provide for meaningful comparisons within and across industries.
