Our initiative with the US Chamber of Commerce to release the Principles for Fair and Accurate Security Ratings started with defining and publishing the principles, and now SecurityScorecard is fostering this initiative by continuing to educate current and future users of our product about how we adhere to these principles.
We recently took a deep dive into other areas of these principles and this week we’re continuing our series by analyzing the principle of Independence, which reads:
Independence: “Commercial agreements, or the lack thereof, with rating companies, shall not have direct impact on an organization’s rating; any rated organization will be able to see and challenge their rating irrespective of whether they are a customer of the rating company.”
This principle –like its counterparts– focuses on promoting quality, accuracy, and independence of security rating, fairness in reporting, and (most directly) a coordinated process for adjudicating errors or inaccuracies in the reported content. Breaking down each section of this principle, we’re able to see how the SecurityScorecard platform puts each part of this principle into practice.
Section 1: Commercial agreements, or the lack thereof, with rating companies, shall not have direct impact on an organization’s rating.
A foundation principle of SecurityScorecard is that ratings must be fully independent and free of any commercial bias. SecurityScorecard ratings ensure independence and fairness via a rating system that provides a level playing field for all rated companies, regardless of an existing commercial agreement between the rated company and SecurityScorecard.
Furthermore, SecurityScorecard uses statistical methods that ensure that similar companies are rated consistently. To facilitate a fair and meaningful evaluation of cybersecurity risk, SecurityScorecard categorizes companies into buckets by industry and the company size in terms of IP footprint; these groups are referred to as cohorts. SecurityScorecard determines a company’s industry using publicly accepted, externally-managed data repositories. SecurityScorecard determines a company’s size by the number of digital assets assigned to the company. Aligning ratings for every company with its cohorts ensures that companies are compared apples-to-apples and that commercial agreements with SecurityScorecard do not influence ratings.
Section 2: Any rated organization will be able to see and challenge their rating irrespective of whether they are a customer of the rating company.
SecurityScorecard provides the ability of any rated company to view their company’s scorecard.