Moody's Wants to Rate Security, Not Just Securities

A new Moody’s service aims to create the security world’s equivalent of Aaa to C ratings, replacing the need for companies to do vendor assessments. But it will only work if enough companies sign up.

February 26, 2008 — CSO — As a consultant for @stake and then for Symantec, Ed Leppert spent a lot of time doing third-party security assessments for his financial-services clients--slogging through questionnaires and SAS 70 reports, trying to determine how effectively a given service provider was handling its own security. While the research was important, sometimes it seemed inefficient. “We said, it doesn’t make sense to do these things individually.” Leppert says. “All the companies want [to know] basically the same things.”

Now, as part of a startup within the credit rating company Moody’s, Leppert is trying to bring the same clarity and efficiency to security assessments that investors have when evaluating credit risks. Moody’s expects to introduce the Vendor Information Risk Rating Service the first week of March. The goal is to create the security world’s version of the Aaa to C ratings Moody’s devised long ago for financial securities and bonds.

Of course, it’s more complicated than that. For starters, the due-diligence ratings aren’t made public--the rated company has to authorize a potential customer to access the information. And the ratings are 1 through 5, not A through C. “The people creating it are techie guys, not good marketing guys,” quips Leppert, who is VP of Moody’s Risk Services.

Service providers who sign up are analyzed and rated in each of 11 categories--including access control, business continuity and data security--and get an overall assessment as well, with 1 being the best. The business model is still in flux, but currently, rated companies pay about $23,000 for the first year, and subscribers pay less than $1,500 per report, after receiving two reports for free. Some vendors have signed up after being asked to do so by one of several large financial-services companies that served as an advisory council during the service’s development.

The idea for such an at-a-glance rating is appealing to risk executives such as Andre Gold, head of security and risk management for ING’s U.S. Financial Services business, who is evaluating the Moody’s service along with a similar Product Certification Program from BITS, a nonprofit financial-services consortium operated by the Financial Services Roundtable. (See BITS website.) Last year Gold oversaw reviews of 176 new technology vendors; his team visited sites as far away as South Africa to conduct security assessments. “It’s a service that we must do, but I think it’s a non-value-add service,” he says.

Although Gold is eager for a service that would allow him to streamline that process, the question for him--as well as for Leppert--is whether Moody’s can persuade enough companies to sign up to make a subscription worthwhile. As of early February, Moody’s had completed only a few ratings, with 20 to 25 more in the contract process. “The subscriber base is going to be the issue with something like this really taking off,” Gold says. “I’m an optimistic observer.”