Trusted Ratings

Security ratings are a valuable tool to help organizations understand their security performance and that of their vendors. Security ratings were created with the goal of increasing transparency about cybersecurity, enabling dynamic, informed interactions between global market participants, and incentivizing a more trustworthy and secure global ecosystem.

BitSight ratings directly correlate with financial performance and likelihood of data breaches, all to help organizations be as informed as possible when managing their cybersecurity posture. As the framework for creating the methodology behind our ratings, BitSight uses the US Chamber of Commerce’s Principles for Fair and Accurate Security Ratings, which we helped develop.

In this document we outline the principles and methodology behind BitSight Security Ratings, including:

• Objectives
• Comparison With Other Rating Systems
• The Ratings Process
• Network Mapping
• Risk Vectors, Grading and Weighting
• ...and more

BitSight believes in the value of cybersecurity ratings because we know they represent more about your organization than just what’s happening within your attack surface. As the only cybersecurity rating independently verified by external organizations, BitSight takes program and vendor risk management a step further to ensure companies are equipped with a trusted view of their cybersecurity hygiene.

BitSight takes program and vendor risk management a step further to ensure companies are equipped with a trusted view of their cybersecurity hygiene.

BitSight is the only Security Ratings provider with proven outside validation of its ratings, which have been proven to correlate with data breach risk as well as business financial performance. Combined with a dedicated committee to govern its ratings algorithm and associated policies, BitSight’s customers can trust our data and make meaningful business decisions based on our analytics.

• BitSight’s cybersecurity rating correlation to breach performance has been reported by AIR Worldwide, Marsh McLennan, and IHS Markit.
• BitSight has proven correlation with financial performance according to external Solactive research.

To get started managing your organization’s cybersecurity with the only independently verified security rating on the market, request a security ratings snapshot report.

• BitSight data is directly correlated with the risk of organization's suffering a ransomware attack. In our ransomware report, we’ve gathered data on specific network vulnerabilities connected directly to the risk of a ransomware attack. Read the report.
• BitSight ratings correlation with breach data - Learn what security rating scores are correlated with a greater risk of breach, and what can be done to decrease breach likelihood. Download Datasheet.
• Botnet infections correlation with breach - In this report, learn why botnet grades are a key metric in determining the likelihood of large-scale malicious activity. Download Report.

While BitSight is confident in the accuracy and objectivity of our security ratings, we believe that any organization, regardless of whether they are a BitSight customer or not, should have a way to understand and dispute their rating.

With our Policy Review Board and defined steps for handling ratings disputes, organizations can trust BitSight has their back in creating an accurate rating.

BitSight is committed to creating the highest quality, most accurate security ratings in the industry. We are also committed to allowing all rated organizations -- not just customers -- to have an opportunity to challenge the assets, findings, and interpretation of those findings used to determine a BitSight Security Rating and provide corrected or clarifying data. BitSight seeks accurate and prompt remediation for any dispute.

This document highlights our dispute resolution process for any rated entity (organization that has been rated by BitSight), including:

• Disputing Data and Findings
• Ratings and Calculation Disputes
• Appeals and Adjudication

The BitSight Policy Review Board (PRB) is a committee created to govern the ratings algorithm and associated policies, and to ensure that they are aligned with our principles. As the highest level of ratings governance, the PRB also adjudicates appeals related to data accuracy and evaluation methodology. It is charged with providing a consistent, transparent, and systematic dispute resolution process that is available to all rated entities. BitSight seeks accurate and prompt remediation for any dispute.

This document covers the purpose, composition and processes used by the Policy Review Board including:

• Scope
• Governing Principles
• Composition
• Types of Decisions
• Process

View the Policy Review Board case summaries here.

To uphold the fairness of our ratings, all rated entities are entitled to the below rights, as part of the review process:

• Provide transparency about the security ratings process.
• Standardize treatment for customers and noncustomers.
• Practice responsible disclosure in how we share ratings.
• Provide a process for appealing ratings content (for customers and noncustomers), including access to the policy review board.
• Enable any rated organization (including noncustomers) to get access to their rating details.
• Facilitate participation and engagement with standards bodies, regulators and governmental bodies.

BitSight firmly believes that integrity is the mark of a true security ratings authority. We believe in providing transparency about our ratings and we provide information in our portal about how ratings are calculated (i.e. which risk vectors were considered and their relative weighting) in our Knowledge Base. When we change our algorithms, we provide advance notice and demonstrate how such change will impact ratings.

We treat customers and noncustomers the same—our algorithms do not take into account whether an entity is a customer or not. In addition, we provide free access to our ratings for a limited period of time to all rated entities and will always work with any rated entity to improve the accuracy of its rating, regardless of whether it is a paying customer.

We do not publicly discuss specific ratings of companies via public forums (e.g. news outlets, industry events, etc.). We believe that we provide valuable insight into security through aggregate and industry trends. We do not believe in discussing a company’s rating publicly without permission, as this can pose a security risk to an organization.

While we are confident in the quality of our data, we believe that any organization using BitSight Security Ratings should have a way to dispute its ratings formally if it is ultimately not satisfied with the response it receives from BitSight. BitSight has created the Policy Review Board (PRB), which reviews issues of accuracy, fairness, and balance regarding BitSight Security Ratings. The PRB will review the information presented and will recommend the appropriate approach for BitSight to take. For more information, see What Is The Policy Review Board.

We also believe that responsible disclosure includes collaboration and sharing of information with law enforcement and governmental organizations and we offer our Sovereign Ratings product to help support these goals. We are also a signatory to the Principles for Fair and Accurate Security Ratings.