Since 2011, we’ve been leading the creation and evolution of a rating system and approach that is transparent, fair, and correlated to business risk.
Integrity marks a true security ratings authority
Transparent Rating Methodologies
How does Bitsight calculate its Security Rating?
Bitsight calculates its security rating by analyzing a company's external-facing digital assets and assessing security performance indicators like vulnerabilities, malware, and compromised systems. It uses real-time data, benchmarks against industry peers, and considers historical trends to provide a rating that reflects the organization’s cybersecurity posture and risk exposure.
What principles guide the Bitsight Security Rating process?
Bitsight is committed to creating trustworthy, data-driven, and dynamic measurements of organizational cybersecurity performance derived from objective, verifiable information. Bitsight established the guidelines for responsible development of security ratings and helped create the Principles for Fair and Accurate Security Ratings, a series of practices developed alongside some of the world’s largest and most risk-focused companies.
How does Bitsight verify security ratings?
Bitsight verifies its security ratings through independent external validation by organizations like AIR Worldwide, Marsh McLennan, and IHS Markit, demonstrating correlation with breach risk and financial performance. A dedicated committee governs its rating algorithms, ensuring businesses can trust Bitsight's analytics for informed decision-making on cybersecurity hygiene.
Correlated To Business Risk
How does the Bitsight rating correlate with ransomware?
Bitsight ratings correlate with ransomware risk by identifying specific security vulnerabilities and weak points in a company’s cyber hygiene, which are commonly exploited in ransomware attacks. Studies show that organizations with lower Bitsight ratings are more likely to experience ransomware incidents, linking poor security performance to higher ransomware risk.
How does the Bitsight rating correlate with cybersecurity breaches?
Bitsight ratings correlate with cybersecurity breaches by showing that organizations with lower ratings are at a significantly higher risk of a publicly disclosed breach. Companies with a rating below 500 are four times more likely to experience a breach than those with higher ratings, demonstrating a clear link between security performance and breach risk.
How does the Bitsight rating correlate with botnet infections?
Bitsight ratings correlate with botnet infections by showing that organizations with lower ratings are more likely to experience such infections. Companies with a Botnet Infections grade of B or lower are over twice as likely to experience a publicly disclosed data breach, indicating weaker cyber hygiene and higher infection risk.
Dispute, Correction & Appeal
What rights do rated organizations have?
Rated organizations are assured fairness through transparency, standardized treatment, and equal access to rating details. They can appeal ratings, and their specific ratings are protected from public disclosure. Rated organizations receive algorithm transparency and free access to their ratings, and can collaborate with government bodies to promote accuracy and responsible disclosure.
How are ratings disputes resolved?
Rated organizations, not just customers, can challenge the assets, findings, and interpretations used in their Bitsight Security Rating. They can provide corrections or clarifications to ensure accuracy. Bitsight provides a summary that outlines the dispute resolution process, including disputing data, rating calculations, and the appeals and adjudication procedures for prompt resolution.
How long does dispute resolution take?
Bitsight aims for prompt dispute resolution, typically resolving disputes within 7-10 business days. In 2023, the average resolution time was 4 business days for disputed assets and 6 business days for disputed findings.
Model Governance
What is the Bitsight Policy Review Board?
The Bitsight Policy Review Board (PRB) oversees the ratings algorithm and policies to ensure alignment with company principles. It adjudicates appeals on data accuracy and methodology, providing a transparent and systematic dispute resolution process for all rated entities.
How does Bitsight update the algorithm and methodology for security ratings?
Bitsight updates its rating methodology annually, incorporating customer feedback and the latest research to ensure the rating continues to reflect the evolving cybersecurity landscape in which our users operate. By expanding the rated inventory, adding new risk vectors, or making other innovative updates, the Bitsight security rating maintains a comprehensive and accurate view of risk.
What is the Bitsight External Advisory Board?
The Bitsight External Advisory Board, consisting of public and private sector leaders, advises on ratings, methodologies, models, and data, offering improvements to help organizations access and impact their ratings.