Security Performance Management
Continuous Monitoring
Cyber Insurance
National Cybersecurity

Articles in this section

Bitsight Security Ratings Correlate to Breaches

Avatar
Ingrid
Follow
  • October 25, 2022: Referenced Marsh McLennan analysis.
  • January 6, 2022: Included the full data sheet.
  • November 2, 2018: Published.

Bitsight Security Ratings are used by organizations worldwide to mitigate cybersecurity risk across the enterprise. Leading organizations (including AIG, Fannie Mae, and Comcast) to depend on us to provide quantitative insight into the risks facing both themselves and third parties. As data breaches continue to grab headlines and create significant business challenges, more and more companies are actively seeking measurements for risk of a breach.

Studies

Marsh McLennan: Correlation to Cybersecurity Incidents

The Marsh McLennan Cyber Risk Analytics Center (Marsh McLennan) conducted an independent analysis our data analytics (security rating and risk vectors) and Marsh McLennan’s cybersecurity incident data. After comparing the security performance data of thousands of organizations that experienced cybersecurity incidents against those that did not, Marsh McLennan identified 14 Bitsight analytics to be clearly correlated with cybersecurity incidents, including the rating and 13 risk vectors.

Verisk: Correlation to Breach

Verisk (formerly known as “AIR Worldwide”) leveraged Bitsight data to conduct an analysis demonstrating the rating’s correlation to breach. The study found that organizations with lower ratings are significantly more likely to experience a breach. Organizations with a rating of 700 or greater were found to have a breach probability of less than 1%, while those with a rating of less than 500 were found to have a probability of nearly 3%.

Bitsight: Correlation to Breach

<400 is x5 likely | 400-500 is x4 likely | 500-600 is x3 likely | 600-700 is x2 likely | 700 is x1 likely

We analyzed the security ratings of 27,458 companies over a two year period. These companies varied by size and geography and they spanned 22 diverse industry sectors. Our data scientists compared this ratings data to a comprehensive set of 2,671 breach events during this time period. The resulting analysis demonstrates that companies with higher ratings are less likely to have experienced a publicly disclosed data breach.

Specifically, companies with a rating of 400 or lower were five times more likely to experience a publicly disclosed data breach than companies with a 700 or higher.

Advisen: Correlation to Breach

A leader in the insurance sector, Advisen found that “companies with a Botnet Infections grade of B or lower were more than twice as likely to experience a publicly disclosed data breach.”

Business Impact

Organizations across all industry sectors can leverage this information to drive risk aware business decisions. Security ratings are indicative of a company’s risk of data breach, and businesses can take action with ratings in the following ways:

  • Continuously monitor the cyber security performance of third party vendors. Prioritize which vendors need a follow up or onsite assessment. Communicate with vendors with low ratings to ensure that issues are being addressed. Empower vendors to lower their risk of a breach.
  • Benchmark the security performance of an organization. Communicate to upper level management on what ratings mean and on the importance of historical data. Provide comparative analysis to benchmark data breach risk among industry peers. Remediate issues with detailed forensics to lower your risk of a breach.
  • Prioritize cyber insurance applicants. Determine cyber insurance policies and coverage based on risk of a breach. Underwrite good risk. Continuously monitor your book of business to make sure that insureds do not increase their likelihood of a breach.
  • Monitor merger and acquisition targets for security problems from discovery through due diligence and purchase. Communicate with portfolio companies and subsidiaries about cyber risk. Enable acquisitions to continuously manage cyber risk to prevent a potentially costly breach.

Related articles