Configuring Bitsight cyber risk
Cyber risk check
How it works
The Cyber risk check uses Bitsight methodologies to identify cyber risks for both public and private companies.
Information used to run this check
To run the check, the company profile must contain a valid Company number; it is used to generate the BvD ID that the check is keyed on.
Overall result of the check
Bitsight cyber risk generates a Cyber risk rating for a given organization by identifying which network assets belong to it and then examining the findings from those assets. Findings are used to build sub-ratings, called risk vectors, which are the components that explain what drives the overall rating. Like a FICO credit score, the rating is a number on a fixed scale: 250 is the least secure rating and 900 the most secure.
The company's Cyber risk rating is compared to the Minimum Cyber risk rating to pass check set in your smart policy. Neither Moody's nor Bitsight can advise on this value; set it according to your company's risk policy. The check passes when the rating is the same as or higher than the value set in your smart policy, so the threshold itself counts as a pass.
For more details, see the visualization under the score. Selecting it opens the Bitsight website with more information. Select See historical data to see previous monthly reports, if available.
The Cyber risk check ratings are divided into three main categories:
Basic (rating from 250 to 630): Poor security performance and the highest risk. Entities in this category have lower security ratings and an increased likelihood of a data breach. They typically have not implemented best practice IT security policies and procedures, may show evidence of compromised systems on their network, and present the greatest risk. Basic entities are, on average, two to three times more likely to experience a publicly disclosed data breach than Intermediate entities.
Intermediate (rating from 640 to 730): Fair security performance and a moderate risk. Entities in this category have relatively fair security performance and demonstrate moderate security effectiveness. They present a moderate level of risk and are, on average, one and a half to two times more likely to be breached than entities with Advanced ratings.
Advanced (rating from 740 to 900): Strong security performance and the lowest risk. Entities in this category have strong security performance and are less likely to experience a data breach. They show evidence of best practice implementation and consistent risk mitigation.
In addition, the report offers a Detailed cyber risk rating breakdown showing how the rating was formed. The details are divided into four separate vectors: Compromised systems, Diligence, User behavior, and Public disclosures. Each vector has its own sub-vectors, each graded from A to F.
The letter grades mean:
A In the top 10% of companies
B In the top 30% of companies
C In the top 60% of companies
D In the bottom 40% of companies
F In the bottom 20% of companies
N/A This grade has no correlation with how a company is performing. A letter grade may be "N/A" (not available) because:
The risk vector is informational only.
The grade defaults to N/A in the absence of findings.
The risk vector is going through an evaluation period before it has an impact on the rating.
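The pass rule, the three rating categories and the N/A handling for sub-vector grades described above are small pieces of logic that are easy to get subtly wrong (an exclusive threshold, an N/A counted as a fail, an out-of-range rating accepted silently). The following Python is an added example written for this page; it is not code from Moody's, Bitsight or the platform's own check. The report structure, the BvD ID placeholder and the sub-vector names are constructed for illustration and do not represent Bitsight's API or real vector names; only the four top-level vector names and the numeric bands come from the page.

```python
"""Evaluate a Bitsight-style cyber risk rating against a smart-policy minimum.

Added example for this page, not the platform's or Bitsight's own code.
The report dict shape is a constructed assumption, not Bitsight's API.
"""
from dataclasses import dataclass, field
from typing import Optional

RATING_MIN, RATING_MAX = 250, 900

# Category bands from the page (lower bound inclusive; ratings step by 10,
# so 630/640 and 730/740 are the real boundaries).
CATEGORY_BANDS = (
    (740, "Advanced"),
    (640, "Intermediate"),
    (250, "Basic"),
)

# Sub-vector letter grades. "N/A" carries no performance information and
# must never be treated as a failing grade.
LETTER_GRADES = {"A", "B", "C", "D", "F", "N/A"}
WEAK_GRADES = {"D", "F"}


def category_for(rating: int) -> str:
    """Map a numeric rating to Basic / Intermediate / Advanced, rejecting
    values outside the 250-900 scale instead of silently binning them."""
    if not RATING_MIN <= rating <= RATING_MAX:
        raise ValueError(f"rating {rating} outside {RATING_MIN}-{RATING_MAX}")
    for lower, name in CATEGORY_BANDS:
        if rating >= lower:
            return name
    raise AssertionError("unreachable: 250 is the lowest band")


@dataclass
class CheckResult:
    passed: bool
    rating: Optional[int]
    category: Optional[str]
    reason: str
    weak_vectors: list = field(default_factory=list)      # graded D or F
    unscored_vectors: list = field(default_factory=list)  # graded N/A


def evaluate_check(report: dict, minimum_rating: int) -> CheckResult:
    """Apply the smart-policy rule: pass iff rating >= minimum (inclusive)."""
    if not RATING_MIN <= minimum_rating <= RATING_MAX:
        raise ValueError("smart policy minimum must be between 250 and 900")
    # Prerequisite from the page: no valid Company number -> no BvD ID -> no check.
    if not report.get("bvd_id"):
        return CheckResult(False, None, None,
                           "cannot run: no BvD ID (missing or invalid Company number)")
    rating = report.get("rating")
    if rating is None:
        return CheckResult(False, None, None, "check returned no rating")
    category = category_for(rating)

    weak, unscored = [], []
    for vector, subs in report.get("vectors", {}).items():
        for sub, grade in subs.items():
            if grade not in LETTER_GRADES:
                raise ValueError(f"unexpected grade {grade!r} for {vector}/{sub}")
            if grade == "N/A":
                unscored.append(f"{vector}/{sub}")   # informational, not a fail
            elif grade in WEAK_GRADES:
                weak.append(f"{vector}/{sub}")       # worth a closer look, but
                                                     # does not change pass/fail
    passed = rating >= minimum_rating
    verb = "meets" if passed else "is below"
    reason = f"rating {rating} ({category}) {verb} policy minimum {minimum_rating}"
    return CheckResult(passed, rating, category, reason, weak, unscored)


# Constructed sample report. The BvD ID is a placeholder and the sub-vector
# names are invented; only the top-level vector names come from the page.
SAMPLE_REPORT = {
    "bvd_id": "EXAMPLE-BVD-ID",
    "rating": 700,
    "vectors": {
        "Compromised systems": {"Sub-vector 1": "B", "Sub-vector 2": "N/A"},
        "Diligence": {"Sub-vector 3": "D", "Sub-vector 4": "A"},
        "User behavior": {"Sub-vector 5": "N/A"},
        "Public disclosures": {"Sub-vector 6": "C"},
    },
}

if __name__ == "__main__":
    for minimum in (700, 710):
        result = evaluate_check(SAMPLE_REPORT, minimum)
        print("PASS" if result.passed else "FAIL", "-", result.reason)
        print("  weak sub-vectors:", result.weak_vectors)
        print("  unscored (N/A):  ", result.unscored_vectors)
```

Two choices here reflect the page's rules rather than a generic score check: the comparison is `>=` because "the same or higher" passes, and N/A grades are reported separately instead of being folded into the weak list, because an N/A says nothing about the company's performance. Out-of-range ratings and unknown grades raise rather than being coerced, so a malformed report is noticed instead of quietly passing or failing.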
Testing your configuration
Once the Cyber risk check is configured, follow these steps in your demo environment to test whether it's working as expected:
Create a company profile with a valid Company number, so that a BvD ID can be generated.
Run the Cyber risk check on that profile. If the check returns a Cyber risk rating, it's working as expected; whether the rating passes or fails then depends only on the minimum set in your smart policy.