In 2017, the U.S. Chamber of Commerce published a set of principles for governing providers of security ratings. Security leaders from nearly 50 companies, including RiskRecon, worked together to craft them. The principles, as set forth in the Principles for Fair and Accurate Ratings, and RiskRecon's compliance with each, are as follows:
Principle 1 - Transparency: Rating companies shall provide sufficient transparency into the methodologies and types of data used to determine their ratings, including information on data origination as requested and when feasible, for customers and rated organizations to understand how ratings are derived. Any rated organization shall be allowed access to their individual rating and the data that impacts a change in their rating.
RiskRecon Compliance: RiskRecon explains its rating methodology in the whitepaper found at https://www.riskrecon.com/cybersecurity-risk-rating-model.
RiskRecon provides companies free access to their rating through RiskRecon’s Know Your Rating service, found at https://www.riskrecon.com/know-your-rating.
Principle 2 - Dispute, Correction and Appeal: Rated organizations shall have the right to challenge their rating and provide corrected or clarifying data. Rating companies should have an appeal and dispute resolution process. Disputed ratings should be notated as such until resolved.
RiskRecon Compliance: Any company can engage RiskRecon regarding their rating through the following steps:
1) Contact RiskRecon and Explain Issue – Contact RiskRecon through email at firstname.lastname@example.org or through RiskRecon portal functionality, providing details related to the dispute. Ratings disputes most commonly involve seeking correction of potential errors in the rating report.
2) RiskRecon Analyst Confirms Receipt – RiskRecon’s analyst team will confirm receipt of the rating dispute.
3) RiskRecon Investigation – RiskRecon’s analyst team will investigate the issue, requesting additional information as needed. This is typically completed within three business days.
4) RiskRecon Resolution – Upon completion of the investigation, RiskRecon analysts communicate the results to the requestor, conducting further discussions and investigation as necessary.
5) Update Rating – If the investigation confirms that errors exist in the rating, RiskRecon removes the errors and republishes the assessment. RiskRecon engineers then work to address the root cause of the false positive in the rating.
Principle 3 - Accuracy and Validation: Ratings should be empirical, data-driven, or notated as expert opinion. Rating companies should provide validation of their rating methodologies and historical performance of their models. Ratings shall promptly reflect the inclusion of corrected information upon validation.
RiskRecon Compliance: RiskRecon’s rating model is empirical. RiskRecon derived its model from an analysis of the rates and risk severity of issues across a wide range of industries. Through this analysis, RiskRecon found that the banking sector performs the best of all industries, while universities perform the worst. RiskRecon used this finding to build a rating model and associated mathematics rooted in real-world risk management performance, with the banking industry anchoring the known good at a mid-B rating (7.8) and universities anchoring the known bad at a mid-D rating (4.8). RiskRecon then used a Rayleigh distribution model to determine the weights needed to distribute risk across security domains and their underlying issues.
Full details are available at https://www.riskrecon.com/cybersecurity-risk-rating-model.
Principle 4 - Model Governance: Prior to making changes to their methodologies and/or data sets, rating companies shall provide reasonable notice to their customers and clearly communicate how announced changes may impact existing ratings.
RiskRecon Compliance: RiskRecon begins public notification of material changes to the rating model months in advance of changes. All information is published on the website and is accompanied by webinars and email communications.
Principle 5 - Independence: Commercial agreements, or the lack thereof, with rating companies shall not have direct impact on an organization’s rating; any rated organization will be able to see and challenge their rating irrespective of whether they are a customer of the rating company.
RiskRecon Compliance: RiskRecon provides all companies the ability to access their rating through RiskRecon’s Know Your Rating service, found at https://www.riskrecon.com/know-your-rating.
Principle 6 - Confidentiality: Information disclosed by a rated organization during the course of a challenged rating or dispute shall be appropriately protected. Rating companies should not publicize an individual organization’s rating. Rating companies shall not provide third parties with sensitive or confidential information on rated organizations that could lead directly to system compromise.
RiskRecon Compliance: RiskRecon does not reveal information shared by rated companies at any time without the permission of the rated company.