PCBB Banc Investment Daily August 30, 2017

New Cyber Security Ratings

Bug burgers are now being sold in Switzerland. Apparently, there has been a change in the food and safety laws, which opens the door to insect-based foods. That means all you tourists out there can now eat insects such as crickets, grasshoppers and mealworms along with your Swiss cheese. Whether this will take off as the latest trend for foodies or just gross everyone out, we will all have to wait and see. For bankers, eating bugs may in fact be easier than trying to figure out the ins and outs of cyber risk ratings.
Of course, bankers all know about cyber risk, but what about the measuring and rating of a bank's cyber risk? As the country and the industry move more of their business onto digital channels, it is more important than ever that these ratings are fair and accurate.
In light of this, some of the banking industry's largest players came together with more than 40 major US companies in a consortium to establish "Principles for Fair and Accurate Security Ratings." The document sets out six principles intended to promote fairness and accuracy in this area. Bank of America, Bank of New York Mellon, Citigroup, JPMorgan, US Bank and Wells Fargo have all joined the consortium. The effort was organized by the US Chamber of Commerce, along with a group of leading companies including Microsoft, Cisco and Starbucks.
These new principles were created in response to the growing number of organizations generating security ratings that are supposed to indicate a company's ability to withstand cyber-attacks. Such ratings are used for everything from due diligence for potential M&A, to the potential risk that insurance companies assign to companies and even by companies themselves to identify any weaknesses they may have.
Security ratings are often produced without the rated company's knowledge, typically from externally observable data, using methodologies that vary from one rating organization to the next. Without agreed-upon guidelines, there is no assurance that such ratings are accurate and no established way to dispute them.
To promote consistency in how these ratings are determined, and to give companies a basis for understanding their own ratings, the consortium modeled its principles on the approach of the Fair Credit Reporting Act, which governs the consumer credit reporting agencies.
In order for you to become a little more familiar with these six principles, we are providing them below.
Transparency: Companies that have been rated should be provided information on the methodologies and the specific data used to rate them.
Dispute, Correction and Appeal: Rated companies should be able to challenge the ratings assigned to them and to correct any inaccurate data used to determine those ratings. This should include a documented appeals process.
Accuracy and Validation: Ratings should be empirical and data-driven, and rating companies should provide information on the historical performance of their models.
Model Governance: If rating companies are going to change their methodologies they should inform the companies they rate before doing so and should indicate what kind of impact such changes will have on any existing ratings.
Independence: Ratings should be in no way impacted by whether or not a rating company has any sort of business agreement with the company they are rating.
Confidentiality: Rating companies need to protect any information provided to them by a company they have rated that is disputing its rating.
It is important for community banks to be aware of these principles and to monitor any cyber security ratings that may be assigned to their institution, including requesting the methodology and underlying data and using the appeals process when a rating is based on inaccurate information.
In an increasingly digital world, a cyber security rating may become more important to customers and vendors, so staying on top of this trend should be on your menu too in order to avoid eating an unsavory ratings bug somewhere.