- April 19, 2023: Launched. Preparation resources no longer available.
- January 19, 2023: Linked to the Information Center (SPM & TPRM) in the Resources section.
- January 4, 2023: Launch date set.
- Why Does Bitsight Update its Ratings Algorithm?
- What Changed in the Bitsight Ratings Algorithm?
- How Were Bitsight Security Ratings Affected by the Updated Algorithm?
Why Does Bitsight Update its Ratings Algorithm?
To make the Bitsight Security Rating more valuable, accurate, and actionable, we periodically update our ratings algorithm. We use internal and external research data to improve the correlation of the rating with real-world cybersecurity incidents and to better align the rating with the cyber threat landscape. These updates ensure that the Bitsight Security Rating is the best external indicator of the performance of cybersecurity controls.
Algorithm updates are a common practice across rating industries. Updates allow Bitsight to adapt as the cybersecurity landscape evolves. Currently, several forces affect the landscape and create additional cyber risk for every organization:
- The growing digital footprint of organizations, driven by recent investments in digital transformation.
- A rise in the scope and scale of cyber attacks.
- Increasing efforts by threat actors to monetize cyber attacks.
- Increasing oversight from capital markets and regulators.
Research studies conducted during 2021 and throughout 2022 provided a path for improving the correlation of the Bitsight Rating with cybersecurity incidents. We analyzed the correlation of the Bitsight rating and a subset of Bitsight risk vectors with ransomware incidents. In addition, an external study published by the Marsh McLennan Cyber Risk Analytics Center found 14 Bitsight analytics to be significantly correlated with cyber incidents.
What Changed in the Bitsight Ratings Algorithm?
This update changes the weight of multiple risk vectors, including a large increase in the weight of Patching Cadence. The update also includes changes that reduces the volatility of the ratings of small entities and improves the explainability of the algorithm.
Read the complete list of changes.
How Were Bitsight Security Ratings Affected by the Updated Algorithm?
The Bitsight Rating is essentially a weighted average of the individual risk vector grades. This average combines the weights and grades for each of the risk vectors to determine the rating. The risk vectors with high grades improve your Bitsight rating, while the risk vectors with lower grades hurt your Bitsight rating. Likewise, risk vectors with greater weight have a greater influence on your Bitsight rating.
With this in mind, a change in the ratings algorithm can cause your Bitsight rating to drop for the following reasons:
- A change in the ratings algorithm decreases the weight of one of your higher-scoring risk vectors.
- A change in the ratings algorithm increases the weight of one of your lowest-scoring risk vectors.
- A change in the ratings algorithm lowers one or more of your risk vector grades.
The present algorithm update (RAU 2023) includes changes in the weights of several risk vectors. These have the potential to affect your Bitsight rating. Evaluate whether the risk vectors that are changing weights may be among the higher-scoring or lower-scoring risk vectors for your company.
In addition to changes to risk vector weights, RAU 2023 includes some changes that may affect risk vector grades. These changes to individual risk vectors simplifies our rounding method, reduce volatility, and minimize unexpected rating drops. Few see increases or decreases in risk vector grades, but the majority of companies are not impacted.
See the complete list of changes in the 2023 ratings algorithm update.