The Importance of Principles for Fair and Accurate Security Ratings
The security ratings industry is evolving, and SecurityScorecard has been a proud participant in every step. Today we are proud to discuss a set of guiding principles that we believe in and which form a foundation for further industry growth. We are also excited that the US Chamber of Commerce has agreed to assist in the distribution of these principles (you can find a link here). SecurityScorecard and a consortium of leading financial institutions, along with other market participants, have collaborated on the creation of these principles, and we are especially excited to give you our insights on them.
SecurityScorecard believes in providing full and timely transparency not only to our customers, but also to any vendor of our customers’ or any rated company that wants information about their scorecard. Any rated organization may email email@example.com at any time to request free and expedient information about their scorecard, whether that’s an explanation of our scoring methodology or the exact details of IP attribution.
As part of our commitment to transparency, we are also dedicated to working with customers, vendors, and any rated company on any disputes, corrections or appeals of their scorecards. The security ecosystem collectively benefits when all of its participants understand how their digital footprint and security programs are viewed by their counterparties. When a company feels that their security program needs clarification or correction, we encourage them to reach out. The entire ecosystem benefits when we collaborate to improve clarity on each player’s risk and work toward remediating any security issues – it’s what we like to call Ecosystem Risk Management.
In as much as security ratings are derived from the mass collection of data, the scoring of that data represents the intersection of fact and opinion. Ratings of any kind are opinions, but we are devoted to being exhaustive in the accuracy and validation of the data we use to derive our letter grade ratings. As we find new security issue types, we intend to surface these issues promptly to our clients and to provide a clear explanation of their impact on ratings, with ample notice before they are incorporated into the scoring model.
We are committed to providing our clients with sufficient information on model governance so that they can understand how a rating will be impacted by a new security issue introduction or an existing issue remediation. We want ratings to improve across the ecosystem. Transparency and collaboration during the remediation process will allow counterparties to programmatically improve their ratings and helps build trust between third parties.
Lastly, we recognize that the ecosystem’s trust in our ratings is paramount. We are committed to ensuring the independence of our ratings from any commercial, partner, or customer influence, and we are committed to protecting the confidentiality of information shared with us under our commercial agreements.
We encourage our customers, partners, vendors or any member of the security ecosystem to review these principles and to reach out to us with feedback or questions. We are excited to announce these in conjunction with an industry effort, and look forward to collaborating more in the future as this industry continues to mature!
Aleksandr Yampolskiy and Sam Kassoumeh, Co-Founders of SecurityScorecard