Findings Impact of Delegated Security Controls Ingrid Companies identified as having delegated security controls are impacted in the following manner:How does this classification work? Findings in assets with delegated controls are excluded from the risk vector grade depending on the type of delegated control. Findings that are excluded from the risk vector grade of an entity due to delegated controls are also excluded from the parent’s entity risk vector grade. Findings in assets without delegated controls continue to be included in the risk vector grade. Ratings may not necessarily improve. Both positively and negatively contributing findings are excluded from the risk vector grades. Is Bitsight updating the algorithm as part of this initiative?Delegated security controls are unrelated to Ratings Algorithm Updates.Impact on Risk VectorsRefer to the following table outlining how risk vectors are impacted by findings for each delegated control type:What happens to the rating of a company identified as having delegated security controls? Delegated Control Type Impact on Risk Vector Internet Service Provider All findings in delegated assets are excluded from the risk vector grades. Internet Research Findings in delegated assets are excluded from the risk vector grades except for the following risk vectors: SPF Domains DKIM Records DNSSEC Network Services All findings in delegated assets are excluded from the risk vector grades. Platform-as-a-Service Findings in delegated assets are excluded from the risk vector grades except for the following risk vectors: Botnet Infections Spam Propagation Malware Servers Unsolicited Communications Potentially Exploited SPF Domains DKIM Records Insecure Systems Desktop Software Mobile Software DNSSEC Mobile Application Security File Sharing Impact on AssetsWhat happens to assets (domains and IPs) and the corresponding findings that do not impact the rating?The same set of assets (domains and IPs) continue to be attributed to the company and visible in the Bitsight applications, even if some of the assets are identified as having delegated security controls.Refer to the Attribution and Assets tabs in the Infrastructure page of the Security Posture Management application to see which assets are classified as having (or not having) delegated controls. March 25, 2026: Security Posture Management rebrand March 13, 2024: Published. Related articles Delegated Security Controls Overview How Companies with Delegated Security Controls are Identified How Companies with Delegated Security Controls are Presented Attack Surface: Infrastructure Finding Behavior Feedback 0 comments Please sign in to leave a comment.