- October 25, 2022: Referenced Marsh McLennan analysis.
- January 6, 2022: Included the full data sheet.
- November 2, 2018: Published.
Bitsight Security Ratings are used by organizations worldwide to mitigate cybersecurity risk across the enterprise. Leading organizations (including AIG, Fannie Mae, and Comcast) to depend on us to provide quantitative insight into the risks facing both themselves and third parties. As data breaches continue to grab headlines and create significant business challenges, more and more companies are actively seeking measurements for risk of a breach.
- Marsh McLennan: Correlation to Cybersecurity Incidents
- Verisk: Correlation to Breach
- Bitsight: Correlation to Breach
- Advisen: Correlation to Breach
- Business Impact
Marsh McLennan: Correlation to Cybersecurity Incidents
The Marsh McLennan Cyber Risk Analytics Center (Marsh McLennan) conducted an independent analysis our data analytics (security rating and risk vectors) and Marsh McLennan’s cybersecurity incident data. After comparing the security performance data of thousands of organizations that experienced cybersecurity incidents against those that did not, Marsh McLennan identified 14 Bitsight analytics to be clearly correlated with cybersecurity incidents, including the rating and 13 risk vectors.
- Bitsight Blog: “New Study Finds Significant Correlation Between Bitsight Analytics and Cybersecurity Incidents”
- Setting Alerts Based on Marsh McLennan Cyber Risk Analytics Center Research Findings
Verisk: Correlation to Breach
Verisk (formerly known as “AIR Worldwide”) leveraged Bitsight data to conduct an analysis demonstrating the rating’s correlation to breach. The study found that organizations with lower ratings are significantly more likely to experience a breach. Organizations with a rating of 700 or greater were found to have a breach probability of less than 1%, while those with a rating of less than 500 were found to have a probability of nearly 3%.
Bitsight: Correlation to Breach
We analyzed the security ratings of 27,458 companies over a two year period. These companies varied by size and geography and they spanned 22 diverse industry sectors. Our data scientists compared this ratings data to a comprehensive set of 2,671 breach events during this time period. The resulting analysis demonstrates that companies with higher ratings are less likely to have experienced a publicly disclosed data breach.
Specifically, companies with a rating of 400 or lower were five times more likely to experience a publicly disclosed data breach than companies with a 700 or higher.
Advisen: Correlation to Breach
A leader in the insurance sector, Advisen found that “companies with a Botnet Infections grade of B or lower were more than twice as likely to experience a publicly disclosed data breach.”
Organizations across all industry sectors can leverage this information to drive risk aware business decisions. Security ratings are indicative of a company’s risk of data breach, and businesses can take action with ratings in the following ways:
- Continuously monitor the cyber security performance of third party vendors. Prioritize which vendors need a follow up or onsite assessment. Communicate with vendors with low ratings to ensure that issues are being addressed. Empower vendors to lower their risk of a breach.
- Benchmark the security performance of an organization. Communicate to upper level management on what ratings mean and on the importance of historical data. Provide comparative analysis to benchmark data breach risk among industry peers. Remediate issues with detailed forensics to lower your risk of a breach.
- Prioritize cyber insurance applicants. Determine cyber insurance policies and coverage based on risk of a breach. Underwrite good risk. Continuously monitor your book of business to make sure that insureds do not increase their likelihood of a breach.
- Monitor merger and acquisition targets for security problems from discovery through due diligence and purchase. Communicate with portfolio companies and subsidiaries about cyber risk. Enable acquisitions to continuously manage cyber risk to prevent a potentially costly breach.