Study Finds Significant Correlation Between Cybersecurity Ratings and Incidents

Study shows deficiencies in cybersecurity performance increase an organization's risk of experiencing a cybersecurity incident, whereas strong performance implies a lower risk of an incident occurring.

Source: BitSight | Published on October 26, 2022

BitSight, the Security Ratings Standard, has released the findings of an independent study that found fourteen BitSight analytics, including the BitSight Security Rating, and thirteen BitSight risk vectors to be correlated with cybersecurity incidents.

According to the study, deficiencies in cybersecurity performance in the identified areas increase an organization’s risk of experiencing a cybersecurity incident, whereas strong performance implies a lower risk of an incident occurring.

Marsh McLennan’s Cyber Risk Analytics Center conducted the study, which brings together the cyber risk data and analytics expertise of Marsh McLennan’s businesses, Marsh, Guy Carpenter, Mercer, and Oliver Wyman. Marsh McLennan determined the methodology independently by analyzing BitSight’s security performance data on 365,000 organizations as well as Marsh McLennan’s proprietary cybersecurity incidents and claims data.

“We discovered a statistically significant correlation between BitSight Security Ratings as well as certain BitSight risk vectors and the likelihood of a cybersecurity incident after comparing the security performance data of thousands of organizations that experienced cybersecurity incidents against those that did not,” said Scott Stransky, managing director and head of the Marsh McLennan Cyber Risk Analytics Center.

Historically, the market has struggled to establish a data-driven link between poor cybersecurity performance and an increased likelihood of cybersecurity incidents. BitSight’s cybersecurity analytics can help security, business, and insurance leaders make more informed and data-backed decisions by demonstrating how quantitative performance measurements created by BitSight correlate to the likelihood of a cybersecurity incident.

“The findings of this critical study confirm the value of BitSight’s Security Ratings and analytics,” said BitSight CEO Stephen Harvey. “Our goal has always been to provide leaders with insightful data to help them make better cybersecurity decisions. We anticipate that this research will be used to supplement the market’s cybersecurity decision making, and those in the market can now be more confident that our data accurately assesses organizations’ cyber risk and provides actionable insights when developing or managing a cybersecurity program.”

Endpoint Management and Malware Detection, Vulnerability Management, Secure Communications, and User Training and Awareness are among the fourteen analytics with measured correlation. One important finding from the report is the significance of an organization’s patching initiatives. When a new vulnerability is discovered, many organizations struggle to effectively deploy patches. BitSight tracks how many systems in an organization’s network are affected by critical vulnerabilities and how quickly they are fixed. Marsh McLennan discovered that a company’s patching cadence, as measured by BitSight, was related to the likelihood of a cybersecurity incident.
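The patching-cadence finding above is stated only in outline: a vendor observes which systems carry critical vulnerabilities and how long they stay unfixed, then compares that cadence against incident history. The following is an added illustration of how such a metric can be computed and compared; it is not BitSight's or Marsh McLennan's code, the page does not describe their actual formula, and the organization names, asset names, vulnerability ids, snapshot date, incident labels and the 30-day "slow" threshold are all constructed assumptions.

```python
"""Patching-cadence metrics over constructed vulnerability findings.

Added example, not the study's method. Every record below is constructed;
the vulnerability ids are placeholders, not real CVE identifiers.
"""
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    org: str
    asset: str
    vuln_id: str                 # constructed placeholder id
    first_seen: date             # when the scanner first observed it
    remediated: Optional[date]   # None means still open at the snapshot


AS_OF = date(2022, 10, 1)   # constructed snapshot date

FINDINGS: List[Finding] = [
    # "alpha": patches within days
    Finding("alpha", "web-1", "VULN-0001", date(2022, 8, 1), date(2022, 8, 6)),
    Finding("alpha", "web-2", "VULN-0001", date(2022, 8, 1), date(2022, 8, 9)),
    Finding("alpha", "db-1", "VULN-0002", date(2022, 9, 10), date(2022, 9, 20)),
    # "bravo": slow, three findings still open at the snapshot
    Finding("bravo", "web-1", "VULN-0001", date(2022, 8, 1), None),
    Finding("bravo", "web-2", "VULN-0001", date(2022, 8, 1), date(2022, 9, 15)),
    Finding("bravo", "mail-1", "VULN-0003", date(2022, 7, 1), None),
    Finding("bravo", "db-1", "VULN-0002", date(2022, 9, 10), None),
    # "charlie": moderate cadence
    Finding("charlie", "web-1", "VULN-0001", date(2022, 8, 1), date(2022, 8, 25)),
    Finding("charlie", "db-1", "VULN-0002", date(2022, 9, 10), date(2022, 9, 28)),
]

# Constructed incident labels standing in for claims/incident data.
INCIDENTS: Dict[str, bool] = {"alpha": False, "bravo": True, "charlie": False}


def open_share(findings: List[Finding], org: str, as_of: date) -> float:
    """Fraction of the org's known assets with at least one finding open at as_of."""
    assets = {f.asset for f in findings if f.org == org}
    affected = {
        f.asset for f in findings
        if f.org == org and f.first_seen <= as_of
        and (f.remediated is None or f.remediated > as_of)
    }
    return len(affected) / len(assets) if assets else 0.0


def days_to_remediate(findings: List[Finding], org: str, as_of: date) -> List[int]:
    """Days from first observation to fix for each finding seen by as_of.

    Findings still open are right-censored at as_of: they contribute their
    age so far, which understates the true time-to-fix rather than hiding it.
    """
    out = []
    for f in findings:
        if f.org != org or f.first_seen > as_of:
            continue
        closed = f.remediated is not None and f.remediated <= as_of
        end = f.remediated if closed else as_of
        out.append((end - f.first_seen).days)
    return out


def median_remediation_days(findings: List[Finding], org: str, as_of: date) -> float:
    days = days_to_remediate(findings, org, as_of)
    return float(median(days)) if days else 0.0


def cadence_report(findings: List[Finding], as_of: date) -> Dict[str, Dict[str, float]]:
    """Per-organization cadence metrics at the snapshot date."""
    return {
        org: {
            "open_share": open_share(findings, org, as_of),
            "median_days": median_remediation_days(findings, org, as_of),
        }
        for org in sorted({f.org for f in findings})
    }


def incident_rate_by_cadence(findings: List[Finding], incidents: Dict[str, bool],
                             as_of: date, slow_threshold_days: float = 30.0) -> Dict[str, float]:
    """Split orgs into fast/slow patchers and report the incident rate of each group.

    With real data this is where one would test whether the slow group's rate is
    significantly higher; here it only computes the two rates.
    """
    groups: Dict[str, List[str]] = {"fast": [], "slow": []}
    for org, metrics in cadence_report(findings, as_of).items():
        key = "slow" if metrics["median_days"] > slow_threshold_days else "fast"
        groups[key].append(org)
    return {
        g: (sum(incidents.get(o, False) for o in orgs) / len(orgs) if orgs else 0.0)
        for g, orgs in groups.items()
    }


if __name__ == "__main__":
    for org, metrics in cadence_report(FINDINGS, AS_OF).items():
        print(f"{org:8s} open_share={metrics['open_share']:.2f} "
              f"median_days={metrics['median_days']:.1f}")
    print(incident_rate_by_cadence(FINDINGS, INCIDENTS, AS_OF))
```

Two design points carry over to real data: still-open findings must be censored rather than dropped, or the slowest organizations look fastest, and the share of affected assets should be normalized by the organization's asset count so that large estates are not penalized for size alone.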

About BitSight

BitSight builds trust in the digital economy and changes how businesses manage cyber risk. The BitSight Security Ratings Platform employs sophisticated algorithms to generate daily security ratings ranging from 250 to 900, assisting organizations in managing their own security performance, mitigating third-party risk, underwriting cyber insurance policies, conducting financial diligence, and assessing aggregate risk. BitSight is the industry standard in security ratings because it has the largest ecosystem of users and information. For more information, visit the BitSight website, read our blog, or follow @BitSight on Twitter.