US banks, corporations establish principles for cyber risk ratings firms

Reuters: More than two dozen US companies, including several big banks, have teamed up to establish shared principles that would allow them to better understand their cyber security ratings and to challenge them if necessary, the US Chamber of Commerce said.

Large corporations often use the ratings, the cyber equivalent of a FICO credit score, to assess how prepared the companies they work with are to withstand cyber attacks. Insurers also look at the ratings when they make underwriting decisions on cyber liability.

The group includes big banks like JPMorgan Chase & Co, Goldman Sachs Group Inc and Morgan Stanley , as well as non-financial companies like coffee retailer Starbucks Corp, health insurer Aetna Inc and home improvement chain Home Depot Inc. They are organising the effort through the Chamber of Commerce, a broad trade group for corporate America.

The move comes in response to the emergence of such startups as BitSight Technologies, RiskRecon and SecurityScorecard that collect and analySe large swaths of data to rate companies on cyber security.

As these startups have gained prominence and venture capital funding, the companies they rate have complained of a lack of transparency.

“The challenge is that their (startups’) methodologies are proprietary and there hasn’t been transparency on how they go about creating the ratings,” JPMorgan Global Chief Information Security Officer Rohan Amin said in an interview.

The financial services industry is among the most vulnerable to cyber crime because of the massive amount of money and valuable data that banks, brokerages and investment firms process each day.