Vendor Risk Ratings

As organizations continue to outsource, form partnerships and share data with third parties, they become exposed to security events that lie beyond their internal networks. High-profile breaches in the past year have highlighted this challenge, with network vulnerabilities at seemingly low-risk vendors leading to large breaches at major corporations. Current methods for measuring third-party risk can be time- and resource-intensive and provide only a static view of security performance. To stay ahead of emerging risks within the information supply chain, organizations need tools that continuously monitor their third-party partners, vendors and suppliers.

BitSight Security Ratings for Vendor Risk Management provide organizations with continuous, data-driven measurements of their third parties' security performance. These ratings enable organizations to measure the effectiveness of security controls within the networks of their third-party vendors and suppliers.

Security Ratings are an effective tool for mitigating third party cyber risks, from the onboarding process through continued assessments. Companies have successfully utilized Security Ratings as a tool to screen new vendors and negotiate minimum standards of cyber security performance into contractual agreements. Once onboarded, these ratings can also prioritize actions for further assessments, allowing businesses to focus resources on the highest risk third parties.

What are BitSight Security Ratings?

Breaches matter in today’s world. Whether it is the loss of personally identifiable information, financial records or other forms of data, organizations across the world are tasked with preventing data loss on their own networks and from vulnerabilities that lie outside their control. Professionals and leaders across multiple industries are turning to BitSight Security Ratings to provide data-driven clarity on their own security performance as well as that of their vendors, insureds, acquisition targets and more. To make these ratings actionable, BitSight does intensive research to ensure that the ratings can be used to identify real-world security risks. Recent research has shown that BitSight Security Ratings are the only security ratings that are indicative of a publicly disclosed breach. Companies with a rating of 400 or lower are five times more likely to have a breach than those with a rating of 700 or more.


All data added into the BitSight Security Ratings product is meaningful and impactful for risk managers, security professionals and cyber insurance underwriters. Currently, BitSight includes three categories of data in the Security Ratings platform: Events, Diligence and User Behavior.

Events

Botnet Infections: Does this organization have controls in place to identify and prevent botnet infections?

Spam Propagation: Is spam being sent from this organization’s mail servers?

Malware Servers: Has this organization prevented malware infections that can be designed to harvest data, abuse company resources and spread across a network?

Potentially Exploited: Are there devices with potentially unwanted software such as adware, spyware and remote access tools on a network?

Unsolicited Communication: Are hosts trying to contact other services in an irregular manner? Are there hosts scanning darknets?

Diligence

Sender Policy Framework (SPF): Is this organization protecting itself from email spoofing and phishing attacks by implementing SPF? Are its SPF records syntactically correct?

TLS/SSL Certificates: Are the cryptographic keys for TLS/SSL certificates secure?

DomainKeys Identified Mail (DKIM): Is this organization preventing unauthorized servers from sending mail on behalf of their domains?

TLS/SSL Configuration: Has this organization implemented servers with properly configured security protocols?

DNSSEC (beta): Is this organization using public-key cryptography (DNSSEC) to authenticate its DNS records?

Open Ports: Can attackers more easily infiltrate this organization’s network because it exposes open ports running services with known vulnerabilities?

Application Security (beta): Are security-related HTTP response headers properly configured? Is this organization protecting itself from man-in-the-middle and cross-site scripting attacks?
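The SPF question above asks whether a domain's records are syntactically correct. As an added example (not BitSight's code or method), a small Python checker that applies the core rules from RFC 7208 to a record string: the version tag, known mechanisms and modifiers, a terminal `all` (or `redirect=`), and the ten-DNS-lookup limit. The rule set and message texts are this example's own; it parses records you pass it and does no DNS queries itself.

```python
# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MECHANISMS = DNS_MECHANISMS | {"ip4", "ip6", "all"}
QUALIFIERS = "+-~?"

def check_spf_syntax(record: str) -> list:
    """Return findings for one SPF TXT record; an empty list means it looks well formed."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record does not start with 'v=spf1'"]
    lookups, all_index, has_redirect = 0, None, False
    for i, term in enumerate(terms[1:], start=1):
        # Modifiers (redirect=, exp=) use '=' and carry no qualifier prefix.
        if "=" in term.split(":", 1)[0]:
            name = term.partition("=")[0].lower()
            if name == "redirect":
                lookups, has_redirect = lookups + 1, True
            elif name != "exp":
                findings.append(f"unknown modifier '{term}'")
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.split("/", 1)[0].lower()  # drop a CIDR suffix on a/mx
        if name not in MECHANISMS:
            findings.append(f"unknown mechanism '{term}'")
            continue
        if name in DNS_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' is deprecated by RFC 7208 and should not be used")
        if name in ("ip4", "ip6", "include", "exists") and not arg:
            findings.append(f"'{name}' requires an argument")
        if name == "all":
            all_index = i
            if qualifier == "+":
                findings.append("'+all' permits any sender; use '-all' or '~all'")
    if all_index is None and not has_redirect:
        findings.append("no terminal 'all' mechanism or redirect= modifier")
    elif all_index is not None and all_index != len(terms) - 1:
        findings.append("terms after 'all' are never evaluated")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return findings
```

Feed it the TXT record you publish for your own domain (for example `dig TXT example.com`) to see the same class of findings a rating vendor would flag.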

User Behavior

File Sharing: Does this organization have evidence of potentially harmful file sharing activity over peer-to-peer websites? Is this organization exposing itself to malware through poor file sharing practices?

Note: Beta risk vectors are not included in the ratings. They are for informational purposes only.