U.S. banks, corporations establish principles for cyber risk ratings firms

A view of the exterior of the JP Morgan Chase & Co. corporate headquarters in New York City May 20, 2015. REUTERS/Mike Segar/Files

(Reuters) - More than two dozen U.S. companies, including several big banks, have teamed up to establish shared principles that would allow them to better understand their cyber security ratings and to challenge them if necessary, the U.S. Chamber of Commerce said on Tuesday. Large corporations often use the ratings, the cyber equivalent of a FICO credit score, to assess how prepared the companies they work with are to withstand cyber attacks. Insurers also look at the ratings when they make underwriting decisions on cyber liability.

The group includes big banks like JPMorgan Chase & Co JPM.N, Goldman Sachs Group Inc GS.N and Morgan Stanley MS.N, as well as non-financial companies like coffee retailer Starbucks Corp SBUX.O, health insurer Aetna Inc AET.N and home improvement chain Home Depot Inc HD.N. They are organizing the effort through the Chamber of Commerce, a broad trade group for corporate America.

The move comes in response to the emergence of such startups as BitSight Technologies, RiskRecon and SecurityScorecard that collect and analyze large swaths of data to rate companies on cyber security.

As these startups have gained prominence and venture capital funding, the companies they rate have complained of a lack of transparency.

“The challenge is that their (startups’) methodologies are proprietary and there hasn’t been transparency on how they go about creating the ratings,” JPMorgan Global Chief Information Security Officer Rohan Amin said in an interview.

The financial services industry is among the most vulnerable to cyber crime because of the massive amount of money and valuable data that banks, brokerages and investment firms process each day. Several technology companies, including Microsoft Corp MSFT.O and Verizon Communications Inc VZ.N, also support the principles being developed, as do the cyber ratings firms, the Chamber of Commerce said.

Ratings issued by those companies could help guide the standards being set by U.S. corporations. BitSight, for example, rates companies on a scale of 250 to 900 with a higher rating indicating better security performance.

“For organizations to use your platform you have to demonstrate trustworthiness and reliability,” said Jake Olcott, BitSight’s vice president of strategic partnerships.

Reporting by Anna Irrera and Olivia Oran in New York; Editing by Lauren Tara LaCapra and Lisa Von Ahn