With several providers now offering security ratings—also known as risk scores or risk ratings—as a way to measure an organization’s level of cybersecurity, a new white paper by the American Bankers Association examines the pros and cons of these ratings systems and how they should be used by financial institutions. Ratings systems seek to provide a method for comparing two or more organizations on their cybersecurity implementation by using the same standards and controls.
“As we see more security ratings hit the market, we want to ensure that banks and others understand how they fit into a broader risk management program,” said ABA SVP Paul Benda. “A robust plan includes multiple tools in the toolbox and if used appropriately, security ratings can be one of those tools.”
While security ratings can serve as a helpful starting point for businesses looking to evaluate their own security posture or the risk exposure created by third parties, the paper cautions that ratings do not provide a full picture of an organization’s cybersecurity program. The paper also highlights additional tools banks can use to assess cybersecurity risk management, such as conducting an in-depth evaluation of a firm, using common questionnaires or outsourcing to a third party to gather and validate information.