A cybersecurity breach could result in disrupted operations, data loss, or damage to reputation. The consequences can be serious for your organization and, potentially, for companies that do business with you. A breach may reflect a lapse in your cyber defenses or vendor risk management. For these reasons, a breach significantly impacts your score.
How the breach penalty works
Whenever SecurityScorecard gets information from a trusted data provider that a breach has been published, we apply a temporary penalty relative to the current score. The penalty begins on the publish date, not when the incident appears on the Scorecard.
Note: The penalty applies to all confirmed breaches, regardless of specific circumstances such as the magnitude of impact or whether data was stolen. The specifics of the breach do not affect the penalty amount.
The size of the penalty depends on whether the breach affects your organization directly or a third-party vendor:
- First-party breach: A 10-point penalty applies to your current score. For example, if your score is 80, it drops 10 points to 70.
- Third-party breach: A 5-point penalty applies to your current score. For example, if your score is 80, it drops 5 points to 75.
The negative score impact of the penalty gradually diminishes to zero over a 30-day period.
Why is there a delay in breach reporting?
Breach reports are processed through the same scoring mechanisms as all other signals we collect. This means it can take a few additional days after we receive and validate a notification for the breach report to appear on a scorecard.