Pros and Cons of Hiring a Security Rating Agency

Oct 19, 2017

By Jennifer Thompson


One can hardly check out any news outlet today without reading or hearing about a security breach.  Experts frequently advocate performing internal assessments to identify security weaknesses.  Commentators tout the importance of assessing the security of the entities with which you do business.  Investors, partners and markets shy away from companies that are not proactive enough with respect to security.  Given the multitude of variables involved and security measures available, how can a company convey the effectiveness of its own security program in a meaningful manner?  Further, given how fact- and business-specific security is, how can one company compare its own security measures to those taken by another company?  Many companies turn to independent rating agencies for an objective evaluation and a systematized rating.

Security rating agencies are becoming instrumental in helping companies evaluate security risks and potential transactions.  Investors in start-ups use such ratings to evaluate risks and identify the entity's future investment needs.  Security ratings are a critical part of due diligence review in mergers, acquisitions and joint ventures.  Procurement departments routinely require vendors to obtain ratings before entering into agreements.  Some companies may even ask a rating agency to evaluate their own operations to identify weak points and opportunities for improvement.

To produce a rating, the agency collects public and private data points, feeds them into its proprietary algorithm and generates a “score.”  Scores can be used to measure one entity’s security efforts against others.  Of course, the rating is only as reliable as the entity providing it, so is it worth expending money on these services?  Similarly, once a score is obtained, can it harm your business?  Will others deem your score too low?  Will the publication of your score actually hamper your prospects or operations?  Or worse, will having a low score published ultimately make you a more attractive target to would-be hackers?

Fortunately, some forty-odd companies and the US Chamber of Commerce identified the need for a standardized methodology for security rating agencies.  In June 2017, these companies and the US Chamber of Commerce issued the Principles for Fair and Accurate Security Ratings (the “Principles”).

The Principles seek to establish guidelines for fair and accurate reporting of security ratings and promote standards for the appropriate use and disclosure of the scores.  The Principles suggest that all security rating agencies should:

  • provide transparency of the methodologies and data used to create the rating;
  • provide a mechanism by which entities that are rated can dispute, correct and/or appeal any rating published by the ratings agencies;
  • provide advance notice of any changes to ratings methodologies so that rated companies are clear on how the procedural changes may affect their scores;
  • remain independent of the entities they rate; and
  • maintain confidentiality of all sensitive information (including information shared during disputes, non-public ratings and other private information).

Hopefully, the Principles will result in greater consistency among rating agencies, increased reliability in the scores and more efficiency in the ratings process itself.  All of these Principles ideally will lead to candid discussions among business partners as to how entities can improve their security and, more importantly, suffer fewer breaches.

Of course, every company must assess whether to have itself rated and how to utilize and share any scores it obtains from the various rating agencies.  But assuming the agency retained to provide the security rating complies with the Principles, buyers of these services can at least be reasonably certain they are receiving a truly objective measure, with full opportunity to appeal the score or clarify any questions about it.

So, if your entity uses a security rating agency, make sure it is one that is operating in compliance with the Principles for Fair and Accurate Security Ratings espoused by the Chamber of Commerce.
