A recent American Bankers Association (ABA) white paper explains the pros and cons of security ratings, how the ratings work, and how financial institutions should use them.
“As we see more security ratings hit the market, we want to ensure that banks and others understand how they fit into a broader risk management program,” Paul Benda, senior vice president, risk and cybersecurity policy at ABA, said regarding Security Ratings: A Tool as Part of a Risk Management Program. “A robust plan includes multiple tools in the toolbox, and if used appropriately, security ratings can be one of those tools.”
The paper maintains that security ratings can provide insight and serve as a starting point when evaluating a firm’s cybersecurity program. But the association said ratings could not offer a full picture of that program, because the rating providers rely on a combination of data points collected or purchased from public and private sources and are unable to evaluate a firm’s internal infrastructure and controls.
“Cybersecurity remains a top priority for banks across the country, and we are continuously looking for ways to improve effectiveness and efficiency,” Benda said. “There are many resources out there, so understanding how they work is key.”