Nearly 30 years ago the Fair Isaac Corp. (FICO) first introduced its metric for measuring creditworthiness. Since then, the FICO Score has become a default metric used by countless market participants to facilitate arm's-length transactions. It is a score that, while not without problems, is generally understandable and easily accessible.
FICO and other entities are now promoting new methods of rating companies’ cyber risk and resiliency with the same goals of promoting informed decision-making. The growing importance of such ratings was recently recognized by the U.S. Chamber of Commerce, which published “Principles for Fair and Accurate Security Ratings” in June 2017. This article briefly discusses the growing role of security ratings in driving business strategy and the need for more uniform standards among ratings companies.
The goal of a security rating is to assess a company's general degree of cyber risk and how prepared the company is to withstand cyber attacks or cyber incidents. Security ratings are an externally focused means of measuring a company's cyber resiliency: they are built from what can be observed about the company from the outside, not from an audit of its internal controls. In this way, they are akin to the FICO Score inasmuch as they rely on external…