Blog October 27, 2025

How to Measure a Company’s Cyber Risk with the Breach Susceptibility Indicator

Cyber insurers face rising claims, shifting threats, and limited visibility into what truly drives breach events. The Breach Susceptibility Indicator (BSI) brings clarity to that uncertainty. It helps you quantify the likelihood of breach across your portfolio, using real-world data and modeling you can trust. 

The BSI combines SecurityScorecard’s global ratings intelligence with deep insurance insight. Together, they reveal which insureds are most exposed, so you can refine underwriting, strengthen pricing accuracy, and support proactive loss prevention.

SecurityScorecard ratings still guide posture and remediation. The BSI adds a layer that measures inherent exposure and historical breach patterns, giving you a clearer view of the risks you carry. 

With the BSI, you can move from reacting to losses to anticipating them: protecting portfolios, strengthening models, and building confidence in every policy decision.

We have collaborated with the Marsh McLennan Cyber Risk Intelligence Center (“CRIC”), an award-winning, enterprise-wide global cyber data, analytics, and modeling center of excellence, to test and confirm the results of the BSI. 

What is the Breach Susceptibility Indicator? A 100% Data-Driven Metric 

We built the BSI as a unique measurement tool to maximize correlation with potential breaches. 

The BSI is: 

  • 100% Data-Driven: It is calculated entirely from data points on a company’s security posture and the size of its digital footprint. 
  • Focused on Inherent Risk: It provides a realistic perspective of underlying threats you may not be able to fully control. 
  • Validated by Real Insurance Data: It uses a hyperoptimized, non-linear model trained exclusively on real-world events and is grounded in data, not personal interpretation. 

The model is informed by SecurityScorecard’s curation of more than 10,000 cyber insurance policies and years of historical data. 

The BSI, as the name suggests, is an indicator of potential future breach risk and ranges from “Very Low” to “Very High” in the platform. This is different from our top-level score, which shows a letter grade (A-F) and a numerical value (0-100).

SecurityScorecard used comprehensive incident information to backtest the model with six years of data, while using the most recent 18 months of data to train our production model.

How Correlated is the BSI? 

To validate its power, the CRIC compared the BSI against their data. The CRIC examined their detailed insurance claims information, leveraging powerful historical data on real-life breaches to validate the BSI’s correlation with incident likelihood.  

The CRIC’s analysis covered more than 8,000 unique organizations and 12,000 cyber insurance policies, using three years of historical data.

The data shows that companies with a higher breach susceptibility score have a higher breach claim rate.  

Please note: A higher number in the BSI means a higher breach susceptibility. This is the inverse of how our top-level score is shown.

How To Use the BSI

The BSI’s purpose is to guide your understanding of breach susceptibility, serving as a benchmark for your overall vulnerability.

Cyber insurance companies can use the BSI to understand a company’s cyber risk for more accurate risk evaluation, whether they use the gauge in our platform or the numerical value via our API. This is incredibly helpful for underwriting purposes and recommending the right policies for insureds.

Note: There is an API option for a numerical value which may be valuable for cyber insurance use cases.

For enterprises, the indicator can also be used to understand your third-party risk by viewing the BSI measurement of vendors in your supply chain.

Adding the BSI To Your Toolkit 

The BSI is a powerful indicator of breach susceptibility and can provide valuable information for directional risk analysis. The BSI uses a hyperoptimized, non-linear model with carefully curated training data. Its specialized design makes it a strong signal of risk, but the same complexity means it doesn’t produce prioritized improvement plans or actionable, itemized findings in its current form.   

We will be updating the model periodically, and in a future state, specific improvement plans may be provided.

About SecurityScorecard: SecurityScorecard provides continuous third-party risk monitoring for over 3,000 organizations worldwide. Learn more at securityscorecard.com.

 

Kelsey Leon

Product Marketing Manager

Results-driven Product Marketer in the cyber insurance/security space.