Largest and Most Risk-Focused Organizations Support Principles for Fair and Accurate Ratings
BitSight, the Standard in Security Ratings, today announced that a consortium of some of the world’s largest and most risk-focused organizations demonstrated their commitment to supporting the utilization of fair and accurate security ratings as a valuable part of any security risk management program. The consortium, which includes Goldman Sachs, Morgan Stanley, Starbucks and Aetna, among others, announced the creation of the “Principles for Fair and Accurate Security Ratings,” designed to promote fairness in reporting and cybersecurity performance analysis, and encourage the adoption of security ratings across all industry sectors.
“BitSight pioneered security ratings and was the first company to ever offer a security ratings product. We are pleased to see adoption rise, as we believe the day is quickly coming when security ratings will be as critical as credit ratings and other factors considered in business partnership decisions, “ said Tom Turner, president and COO of BitSight. “Becoming the trusted standard in security ratings doesn’t happen overnight. It requires everything from a commitment to data quality and data science, to remaining independent of influence, to applying security ratings consistently and uniformly across all companies. One of the requirements of being a market leader is to show the market the way. Having created and embraced the practices required to meet these principles, derived from our early market engagement and core beliefs, we are proud to see the broader market now also embracing these principles."
- Transparency: Transparency is important for improving cybersecurity, and it is also necessary for security ratings organizations to be transparent about their processes and methodologies. This is the foundation of BitSight. From clearly illustrating how we develop asset maps, to what types of data we evaluate and incorporate into security ratings, we are committed to being open with our customers and rated organizations about how we derive our ratings.
- Dispute, Correction and Appeal: Organizations should be able to review and challenge their ratings with a clear appeal process. Last year, BitSight announced the appointment of Michael Cusumano, the first and only security ratings ombudsman, to evaluate our ratings policies and aid organizations in the appeals process.
- Accuracy and Validation: BitSight is proud to be the only security rating company with third-party validation of how our ratings correlate to breaches. We incorporate only the most critical, high quality risk vectors into the security rating to ensure the results are actionable for customers. Previous BitSight research demonstrates that organizations with a BitSight Security Rating of 400 or lower are almost 5 times as likely to suffer a publicly-disclosed data breach than those with a 700 or higher.
- Model Governance: In order to stay current with today’s dynamic threat environment, we update our ratings algorithm once a year and notify our customers of this change at least 3 months in advance, enhancing our statistical models from the addition of tens of thousands of companies to our inventory and feedback from our customers. We constantly work to refine our security ratings and ensure we are incorporating the most accurate risk vectors and updating the corresponding weights in our algorithm.
- Independence: As the Standard in Security Ratings, independence is a hallmark of BitSight. The management team, data scientists, and technical researchers at BitSight closely monitor the quality of the security ratings, free of influences or interferences such as a rated company’s financial performance, stock price, or other non-security related topics. Even if an organization is not a BitSight customer, they are able to challenge results they see in these reports.
- Confidentiality: BitSight firmly believes that integrity and confidentiality are the marks of a true security ratings authority. We have been very transparent about our Code of Conduct. Furthermore, we abide by our Responsible Disclosure policy; unlike other ratings organizations, we never, ever share third party forensics with first parties, nor do we ever publicly discuss specific ratings of companies via public forums (e.g. news outlets, industry events, etc.).
To view the Principles of Fair and Accurate Security Ratings, visit: https://www.uschamber.com/issue-brief/principles-fair-and-accurate-security-ratings
BitSight is transforming how companies manage information security risk with trusted, time-tested and actionable security ratings. Founded in 2011, the company built its Security Ratings Platform to continuously analyze vast amounts of external data on security issues and behaviors in order to help organizations manage third party risk, underwrite cyber insurance policies, benchmark performance, conduct M&A due diligence and assess aggregate risk. Seven of the top 10 cyber insurers, 80 Fortune 500 companies, and 3 of the top 5 investment banks rely on BitSight to manage cyber risks. For more information, please visit www.bitsighttech.com, read our blog or follow @BitSight on Twitter.