- December 4, 2023: Linked to Finding Lifetime section.
- October 19, 2023: Security Incident severity.
- July 14, 2022: Added examples of different adjustments to base impact.
The Security Incidents risk vector involves a broad range of events related to the undesirable access of a company’s data. They’re grouped into Breach Security Incidents and General Security Incidents.
This risk vector only impacts Bitsight Security Ratings if an incident occurs. When an incident is recorded, its base impact may be adjusted based on the number of lost or exposed records, the company size, and any delay in Bitsight’s recording.
Any event that’s under investigation can possibly have an initial impact value of 0, depending on the amount of available information. The impact might change in the future if further information becomes available that changes our understanding of the incident.
Depending on the number of points lost in the rating, the incident’s severity is categorized in the following manner:
- Severe = 101 - 150 points
- Moderate = 51 - 100 points
- Minor = 1 - 50 points
- Informational = 0 points
Ratings-impact is subject to change from informational to ratings-impacting and vice versa based on changes in public recommendations.
|Field||Details & Values|
|Lifetime:||Ratings-impacting Security Incident events have a 120-day half life starting from the effective date. The impact reduces by half after 120 days, and then steadily minimizes to stop impacting the rating after two years.|
The absence of ratings-impacting Security Incident events do not positively affect security ratings, but its presence will have a negative impact. This letter grade is designed to neutralize any positive or negative impact to the risk vector.
Breach Security Incident Impact
Breach Security Incidents are ratings-impacting. Learn more about breach security incident types.
|Incident Type||Ratings Impact|
|Intrusion (No Records)||60|
General Security Incident Impact
General Security Incidents are considered more severe than the Other Disclosures risk vector. Some general security incident types are ratings-impacting, while others are informational only and do not impact the rating. Learn more about general security incident types.
❖ Does not impact ratings, regardless of record count.
⟁ Does not impact ratings if the record count is less than 10 or is unknown.
|Incident Type||Ratings Impact|
|Account Takeover (Employee)||20|
|Account Takeover (User)||❖|
|Lost / Stolen Asset||30⟁|
|Lost / Stolen Asset (Encrypted)||❖|
|Point of Sale (POS)||20|
The base impact may be increased based on the number of records of personal information involved, as follows:
- 0-10 records = +0 points
- 11-100 records = +10 points
- 101-1000 records = +20 points
- 1001-10,000 records = +30 points
- 10,001-100,000 records = +40 points
- 100,001+ records = +50 points
Example: A ransomware incident involving 9,000 records has an impact of 130 (100 for incident type + 30 for record count).
The impact may be reduced based on the size of the company to reflect the higher baseline risks of larger companies. This reduction is as follows:
- 0-100 employees = No adjustments
- 101-1000 employees = Reduced up to 20%
- 1001-10,000 employees = Reduced up to 40%
- 10,001-100,000 employees = Reduced up to 60%
- >100,000 employees = Reduced by 60%
The reduction varies smoothly between the values. For example, the adjustment for 5000 employees is between 20% and 40%.
- In the ransomware example above, 130 would be the actual impact for a company with 0–100 employees.
- For a large company with over 100,000 employees, the actual impact for the same incident would be around 52 points, reflecting the 60% reduction for such companies (130 × 40%).
Finally, the impact may be reduced to reflect any delay between the public disclosure date and Bitsight’s recording of the incident. This is calculated using the same 120-day half life with which the rating recovers from security incidents.
- If the ransomware incident on the larger company were made public today and immediately recorded, its impact today would be 52 points.
- If the incident had been made public four months ago and promptly recorded, its impact today would be approximately 26 points (52 × 0.5), reflecting the natural recovery from the original impact.
- If the incident had been made public four months ago but not recorded until today, its impact would be 26 points–Bitsight’s failure to record the incident in a timely manner does not change what its impact is today.