27 October 2022 | Insurance

New Marsh study finds link between cybersecurity incidents and ratings

A new study by Marsh McLennan and BitSight throws light on the “significant correlation” seen between cyber ratings and security incidents.

BitSight, the Standard in Security Ratings, has released results from an independent study which found fourteen BitSight analytics, including the BitSight Security Rating, and thirteen BitSight risk vectors, to be correlated with cybersecurity incidents.

The study was conducted by the Marsh McLennan Cyber Risk Analytics Center, which brings together the cyber risk data and analytics expertise of Marsh McLennan’s businesses, Marsh, Guy Carpenter, Mercer and Oliver Wyman.

Marsh McLennan independently determined the methodology and analysed BitSight’s security performance data on 365,000 organisations and Marsh McLennan’s proprietary cybersecurity incidents and claims information.

Results from the study showed that cybersecurity performance deficiencies in the identified areas increase an organisation’s risk of experiencing a cybersecurity incident, while strong performance implies a lower risk of an incident occurring.

The fourteen analytics with measured correlation cover a diverse set of security concerns, including endpoint management and malware detection, vulnerability management, secure communications, and user training and awareness.

One critical finding from the report concerns the importance of an organisation’s patching initiatives. Many organisations struggle to effectively deploy patches when a new vulnerability is identified.

BitSight measures how many systems within an organisation’s network are affected by important vulnerabilities, and how quickly the organisation remediates them.

Marsh McLennan found that an organisation’s patching cadence, as measured by BitSight, was correlated with the likelihood of experiencing a cybersecurity incident.

Scott Stransky, managing director and head of the Marsh McLennan Cyber Risk Analytics Center, said: “After comparing the security performance data of thousands of organisations that experienced cybersecurity incidents against those that did not, we identified a statistically significant correlation between BitSight Security Ratings as well as certain BitSight risk vectors and the likelihood of a cybersecurity incident.”

Stephen Harvey, chief executive officer of BitSight, added: “The findings from this critical study confirm the value of BitSight’s Security Ratings and analytics. Our goal has always been to provide leaders with insightful data to help drive smarter decisions around cybersecurity. We anticipate this research will be used to augment the market’s cybersecurity decision making, and now those in the marketplace can be more confident that our data effectively assesses the cyber risk of organisations and provides actionable insights when creating or managing a cybersecurity program.”
