Security ratings or cybersecurity ratings provide risk management and security teams with the information needed to determine whether their vendors' and their own security posture is sufficient to prevent cyber attacks and ensure information security.
A Brief History of Security Ratings
Security ratings stem from credit ratings, except that they assess a company's security risk rather than its credit risk.
To understand the value of security ratings, it helps to have an understanding of where credit ratings came from, so we will start there.
Credit ratings provide investors with information about whether the issuer of a bond, debt instrument or fixed-income security will be able to meet their debt obligations.
They generally take the form of a letter grade issued by a credit rating agency that provides an independent and objective analysis of a company's or country's ability to repay its debt.
Credit ratings were born in the wake of the financial crisis of 1837 with the establishment of mercantile credit agencies.
These agencies rated the ability of merchants to pay their debts and consolidated these ratings into published guides. The first such agency was established by Lewis Tappan in 1841 and subsequently acquired by Robert Dun who published a ratings guide in 1859.
However, it wasn't until 1909, and the establishment of John Moody's railroad bonds guide, that credit ratings became widely accessible.
In 1913, Moody expanded into industrial firms and utilities and began using the letter grade system we know today.
In the following years, the antecedents of the "Big Three" credit rating agencies were established: Poor's Publishing Company in 1916, Standard Statistics Company in 1922, and Fitch Publishing Company in 1924.
These agencies, alongside John Moody's, would eventually become Standard & Poor's (S&P), Moody's and Fitch Group.
The goal of these credit rating providers is to replace subjective, point-in-time assessments of credit risk with an independent, objective and quantitative assessment of creditworthiness that anyone can use.
By most accounts, credit ratings have been a success. Credit scores are the primary measurement of creditworthiness throughout the world.
Security ratings providers have the same goal, just replace credit risk with cybersecurity risk.
What are Security Ratings?
Security ratings are a data-driven, objective and dynamic measure of an organization's security posture.
They are commonly used to understand the risk posed by third-party or supply chain relationships, as well as assessing your own cybersecurity posture.
Security ratings provide a single metric that represents an organization's cybersecurity performance, often in the form of a letter grade (like credit ratings) or numeric score.
The benefit of security ratings over traditional risk assessments is they are automatically generated, updated frequently and they provide a common language for technical and non-technical stakeholders.
What are Common Use Cases For Security Ratings?
Common use cases for security ratings include:
- Helping third-party risk management teams perform due diligence on business partners, service providers and third-party vendors' IT security practices to better understand exposure to third-party risks and fourth-party risks (also known as vendor risk).
- Cyber insurance underwriting, pricing and risk management by allowing insurers to gain visibility into the security program of those they insure to better assess and price risk.
- Investment in or acquisition of a company, by providing organizations with an independent assessment of an investment or M&A target's security controls.
- Enabling governments to better understand and manage their own and their vendors' cybersecurity performance, a key component of FISMA compliance.
- Continual assessment of internal security posture, providing CISOs with a simple, understandable rating that can be presented to key stakeholders including C-Suite and board members.
- Benchmarking and comparison to industry peers, competitors, sectors and vendors. This can assist with decision-making and provide context about what security controls or mitigations your organization needs to invest in.
- Providing assurance to customers, insurers, regulators and other stakeholders that your organization cares about preventing security issues like data breaches, malware and ransomware.
How are Security Ratings Calculated?
Security ratings are based on objective, externally observable, continuously available and verifiable information.
Security ratings providers are independent organizations, which means each provider uses different data to generate its rating.
UpGuard is one of the most popular security ratings platforms. We generate our ratings through proprietary algorithms that take in and analyze trusted commercial and open-source threat feeds, and non-intrusive data collection methods to quantitatively evaluate cyber risk.
With UpGuard, an organization's security rating can range from 0 to 950 and consists of a weighted average of the risk ratings of all of its underlying domains, in addition to the ratings of its vendors.
The lower the rating, the more severe the risks the organization is exposed to.
Inversely, the higher the rating the better their security practices and the lower chance they will expose sensitive information.
To keep your security rating up to date, we recalculate it whenever one of your websites is scanned or a security questionnaire is submitted.
This generally means your organization's security rating will be updated multiple times a day, as most websites are scanned daily (assuming you have more than one website).
We base our ratings on the analysis of 70+ vectors including:
- Susceptibility to man-in-the-middle attacks
- Insecure SSL/TLS certificates
- SPF, DKIM and DMARC settings
- HTTP Strict Transport Security (HSTS)
- Email spoofing and phishing risk
- Malware susceptibility
- Unnecessary open administration, database, app, email and file sharing ports
- Exposure to known data breaches and data leaks
- Vulnerable software
- HTTP accessibility
- Secure cookie configuration
- Results of intelligent security questionnaires
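To make the "externally observable, non-intrusive" nature of several of these vectors concrete, here is an added Python example (not UpGuard's code or algorithm, whose weighting is proprietary) that evaluates four of the listed signals, HSTS, cookie flags, SPF and DMARC, from observations a scanner would already hold: an HTTP response header set and the DNS TXT records for a domain. The inputs are constructed samples for a hypothetical domain, the check weights and the HSTS max-age threshold are illustrative choices, and the 0 to 950 scale is taken from the text above.

```python
import re

# Constructed sample observations for a hypothetical domain; not real scan data.
DOMAIN = "example.test"
GOOD_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "set-cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
GOOD_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.test"],
}
WEAK_HEADERS = {
    # No HSTS header; one cookie with no flags, one missing HttpOnly.
    "set-cookie": ["session=abc123; Path=/", "pref=dark; Secure"],
}
WEAK_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=none"],  # monitoring only, no enforcement
}

MIN_HSTS_AGE = 15552000  # 180 days; an illustrative threshold, not a vendor's rule
MAX_SCORE = 950          # scale used in the article above


def check_hsts(headers):
    """HSTS header present with a sufficiently long max-age. Returns findings."""
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if not m:
        return ["HSTS header has no max-age"]
    if int(m.group(1)) < MIN_HSTS_AGE:
        return [f"HSTS max-age {m.group(1)} below {MIN_HSTS_AGE}"]
    return []


def check_cookies(headers):
    """Every Set-Cookie must carry both the Secure and HttpOnly attributes."""
    findings = []
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
    return findings


def check_spf(txt, domain):
    """Exactly one SPF record, ending in a fail (-all) or softfail (~all) term."""
    records = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        return [f"expected exactly one SPF record, found {len(records)}"]
    last = records[0].split()[-1].lower()
    if last not in ("-all", "~all"):
        return [f"SPF record does not end with -all or ~all (found {last})"]
    return []


def check_dmarc(txt, domain):
    """DMARC record at _dmarc.<domain> with an enforcing policy."""
    records = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not records:
        return ["DMARC record missing"]
    tags = dict(t.strip().split("=", 1) for t in records[0].split(";") if "=" in t)
    policy = tags.get("p", "").strip().lower()
    if policy not in ("quarantine", "reject"):
        return [f"DMARC policy is '{policy or 'unset'}', not quarantine/reject"]
    return []


# Hypothetical weights: email-spoofing controls weighted above web hardening.
CHECKS = [
    ("hsts", 2, lambda h, t, d: check_hsts(h)),
    ("cookies", 2, lambda h, t, d: check_cookies(h)),
    ("spf", 3, lambda h, t, d: check_spf(t, d)),
    ("dmarc", 3, lambda h, t, d: check_dmarc(t, d)),
]


def rate_domain(headers, txt, domain):
    """Return (score, findings): weighted share of passed checks scaled to 0..MAX_SCORE."""
    total = sum(w for _, w, _ in CHECKS)
    earned, findings = 0, []
    for name, weight, fn in CHECKS:
        result = fn(headers, txt, domain)
        if result:
            findings.extend(f"{name}: {f}" for f in result)
        else:
            earned += weight
    return round(MAX_SCORE * earned / total), findings


if __name__ == "__main__":
    for label, h, t in (("good", GOOD_HEADERS, GOOD_TXT), ("weak", WEAK_HEADERS, WEAK_TXT)):
        score, findings = rate_domain(h, t, DOMAIN)
        print(f"{label}: {score}/{MAX_SCORE}", *findings, sep="\n  ")
```

The findings list, not just the number, is what a third-party risk team acts on: the weak sample scores 285 because only SPF passes, and each failed check names the specific header, cookie or DNS record that needs fixing.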
If you are curious about other security rating services, see our guide on SecurityScorecard security ratings vs BitSight security ratings here.
The Importance of Security Ratings
According to Gartner, cybersecurity ratings will become as important as credit ratings when assessing the risk of existing and new business relationships…these services will become a precondition for business relationships and part of the standard of due care for providers and procurers of services. Additionally, the services will have expanded their scope to assess other areas, such as cyber insurance, due diligence for M&A and even as a raw metric for internal security programs.
The growing importance of security ratings is largely due to the introduction of general data protection laws like FIPA, CCPA, PIPEDA, the SHIELD Act, LGPD and GDPR, as well as industry-focused mandated vendor risk management programs driven by the introduction of CPS 234, 23 NYCRR 500, FISMA and GLBA.
This is why many organizations have turned to security ratings for assessing themselves and their third parties.
Traditional methods of third-party assessment are immensely time-consuming. Sending questionnaires to every third party to understand its security posture requires a lot of tracking and, frankly, isn't always accurate.
The truth is that questionnaires, much like penetration testing, are subjective and point-in-time assessments that become inaccurate over time as new security issues emerge.
Security ratings complement these traditional risk management methods by providing a continuous, objective and up-to-date assessment of security postures, enabling you to understand what cyber threats your organization faces and how to mitigate them.
Additionally, many security leaders find security ratings invaluable for reporting cybersecurity results to their Board of Directors, C-Suite and even shareholders. Paired with industry benchmarking and competitor ratings, organizations now have the context they need to assess their own and their vendors' cybersecurity programs.
The Importance of Fair and Accurate Security Ratings
As security ratings continue to mature, more organizations in the public and private sectors rely on them to make business and risk decisions.
To increase confidence in security ratings, the U.S. Chamber of Commerce has outlined an industry-wide, common approach for security rating companies to:
- Promote quality and accuracy in the production of security ratings
- Promote fairness in reporting
- Include a coordinated process for adjudicating errors or inaccuracies in reported content
- Establish guidelines for appropriate use and disclosure of the scores and ratings
The Principles of Fair and Accurate Security Ratings are:
- Transparency: UpGuard believes in providing full and timely transparency not only to our customers but to any organization who wants to understand their security posture, which is why you can request your free security rating here and you can book a free trial of our platform here.
- Dispute, Correction and Appeal: UpGuard is committed to working with customers, vendors and any organization who believes their score is not accurate or outdated.
- Accuracy and Validation: UpGuard's security ratings are empirical, data-driven and based on independently verifiable and accessible information.
- Model Governance: While the datasets and methodologies used to calculate our security ratings can change from time to time to better reflect our understanding of how to mitigate cybersecurity risk, we provide reasonable notice and explanation to our customers about how their security rating may be impacted.
- Independence: No commercial agreement or lack thereof, gives an organization the ability to improve their security rating without improving their security posture.
- Confidentiality: Any information disclosed to UpGuard during the course of a challenged rating or dispute is appropriately protected. We also do not provide third parties with sensitive or confidential information on rated organizations that could lead to system compromise.