On June 20th, the US Chamber of Commerce released these Principles for Fair and Accurate Security Ratings to increase confidence in third-party issued cybersecurity ratings, which are increasingly used by, for, and against companies for various purposes, notwithstanding their potential for inaccuracy, irrelevance or other deficiencies. The Principles are supported by 44 organizations (and growing), including diverse companies like Chevron, Eli Lilly, Honeywell, Microsoft and Starbucks; investors - including Charles Schwab, Morgan Stanley, State Street and TIAA; and a number of financial services organizations such as AmEx, Bank of America, E*Trade, JPMorgan, and SIFMA.
This recent post from BakerHostetler, "US Companies Create Principles for Cybersecurity Risk Ratings", discusses where and how the data underlying the security ratings are sourced, some of the current big-name (relatively speaking) ratings organizations, and how the ratings are being used, including, e.g., by companies evaluating third-party vendors and M&A targets or quantifying their own cyber risk for their boards of directors, and by cybersecurity insurance underwriters evaluating particular company risks. As such, the potential impact of these ratings - which presumably will increase in popularity and use given the dynamics of the cyber environment - is significant.