US 12,282,564 B2
Systems and methods for assessment of cyber resilience
Derek Vadala, Wading River, NY (US); Sean Malone, Lynnwood, WA (US); John Freund, Huntersville, NC (US); Vincent Dasta, Grayslake, IL (US); and Joan Roserie, Charlotte, NC (US)
Assigned to BitSight Technologies, Inc., Boston, MA (US)
Filed by BitSight Technologies, Inc., Boston, MA (US)
Filed on Jan. 31, 2023, as Appl. No. 18/162,154.
Claims priority of provisional application 63/305,082, filed on Jan. 31, 2022.
Prior Publication US 2023/0244794 A1, Aug. 3, 2023
Int. Cl. G06F 21/57 (2013.01); G06F 30/20 (2020.01); G06F 111/08 (2020.01)
CPC G06F 21/577 (2013.01) [G06F 30/20 (2020.01); G06F 2111/08 (2020.01); G06F 2221/034 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A computer-implemented method for providing a cyber resilience rating for an entity of a plurality of entities, the method comprising:
obtaining a plurality of entity indicators corresponding to the plurality of entities, wherein each of the plurality of entity indicators comprises characteristic information for a respective entity of the plurality of entities, and wherein each of the plurality of entities corresponds to a respective entity indicator of the plurality of entity indicators;
determining a peer group for the entity based on the respective characteristic information for the entity, wherein the peer group comprises a subset of the plurality of entities;
obtaining a plurality of loss event records for the peer group, wherein each loss event record comprises a respective loss value and corresponds to a cyber event associated with a respective entity of the peer group, wherein respective groups of loss event records selected from the plurality of loss event records correspond to a data disclosure type, a business interruption type, and a fraud type;
executing, for each group of loss event records, a plurality of Monte Carlo simulations to generate respective loss simulation data based on the respective loss values of the loss event records included in the group and results for a cyber security assessment of the entity;
identifying, based on the respective loss simulation data for each group of loss event records, an expected probability value corresponding to a materiality loss value of the entity;
providing a risk factor score indicative of a cyber security risk of the entity based on the identified expected probability value; and
providing a cyber resilience rating for the entity based on a combination of the risk factor score, a fortitude factor score, and a governance factor score, wherein the fortitude factor score is indicative of a cyber security control posture of the entity, and wherein the governance factor score is indicative of an administration of cyber security controls by the entity.
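The claim above describes a pipeline (peer group from entity indicators, loss records grouped by type, Monte Carlo loss simulation, exceedance probability at a materiality threshold, risk factor score, then a combined rating). The following is an added toy implementation of that pipeline written for this page; it is not BitSight's code or the patent's disclosed implementation. Everything beyond the claim language is an assumption and is labelled as such in the code: peers are entities whose characteristic information matches exactly, event frequency per type is Poisson with a base rate scaled down by a hypothetical assessment score in [0, 1], event severity is bootstrapped from the peer group's recorded loss values, the risk factor score is 100 times one minus the exceedance probability, and the rating is a 0.5/0.25/0.25 weighted combination of the risk, fortitude and governance scores. All entity names and loss values are constructed sample data.

```python
"""Toy model of the claimed cyber resilience rating pipeline (added example, assumed structure)."""
import random
from dataclasses import dataclass
from math import exp

# Constructed entity indicators: characteristic information per entity (sample data).
ENTITY_INDICATORS = {
    "acme-bank":    {"sector": "finance", "revenue_band": "large"},
    "beta-bank":    {"sector": "finance", "revenue_band": "large"},
    "gamma-fund":   {"sector": "finance", "revenue_band": "large"},
    "delta-retail": {"sector": "retail",  "revenue_band": "large"},
    "eps-credit":   {"sector": "finance", "revenue_band": "small"},
}

# The three loss event types named in the claim.
LOSS_TYPES = ("data_disclosure", "business_interruption", "fraud")


@dataclass(frozen=True)
class LossEvent:
    entity: str
    loss_type: str
    loss_value: float  # USD


# Constructed loss event records (not real incidents).
LOSS_EVENTS = [
    LossEvent("beta-bank", "data_disclosure", 2_500_000.0),
    LossEvent("gamma-fund", "data_disclosure", 800_000.0),
    LossEvent("beta-bank", "business_interruption", 4_000_000.0),
    LossEvent("gamma-fund", "business_interruption", 1_200_000.0),
    LossEvent("acme-bank", "fraud", 300_000.0),
    LossEvent("gamma-fund", "fraud", 950_000.0),
    LossEvent("delta-retail", "data_disclosure", 9_000_000.0),  # outside the finance/large peer group
    LossEvent("eps-credit", "fraud", 50_000.0),                  # outside the finance/large peer group
]


def peer_group(entity, indicators=ENTITY_INDICATORS):
    """Assumed peer definition: entities whose characteristic information matches exactly."""
    ref = indicators[entity]
    return sorted(e for e, chars in indicators.items() if chars == ref)


def loss_records_by_type(peers, events=LOSS_EVENTS):
    """Group the peer group's loss values by the claim's three loss event types."""
    groups = {t: [] for t in LOSS_TYPES}
    for ev in events:
        if ev.entity in peers and ev.loss_type in groups:
            groups[ev.loss_type].append(ev.loss_value)
    return groups


def _poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small rates used here."""
    limit, k, p = exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_loss(groups, assessment_score, trials=5000, base_rate=0.4, seed=1):
    """Monte Carlo over the loss groups: per trial and per type, draw an event count
    (Poisson; assumed rate scaled down by the hypothetical assessment score) and
    bootstrap each event's severity from the peer group's recorded losses.
    Returns one total annual loss per trial."""
    rng = random.Random(seed)
    rate = base_rate * (1.0 - 0.5 * assessment_score)  # assumed effect of controls on frequency
    totals = []
    for _ in range(trials):
        total = 0.0
        for t in LOSS_TYPES:
            pool = groups[t]
            if not pool:
                continue
            for _ in range(_poisson(rng, rate)):
                total += rng.choice(pool)
        totals.append(total)
    return totals


def exceedance_probability(totals, materiality):
    """Expected probability that simulated annual loss reaches the materiality loss value."""
    return sum(1 for x in totals if x >= materiality) / len(totals)


def risk_factor_score(p_exceed):
    """Assumed mapping: higher exceedance probability gives a lower risk factor score."""
    return round((1.0 - p_exceed) * 100.0, 1)


def cyber_resilience_rating(risk, fortitude, governance, weights=(0.5, 0.25, 0.25)):
    """Assumed weighted combination of risk, fortitude and governance factor scores."""
    wr, wf, wg = weights
    return round(wr * risk + wf * fortitude + wg * governance, 1)


def rate_entity(entity, assessment_score, materiality, fortitude, governance, seed=1):
    peers = peer_group(entity)
    groups = loss_records_by_type(peers)
    totals = simulate_annual_loss(groups, assessment_score, seed=seed)
    p = exceedance_probability(totals, materiality)
    risk = risk_factor_score(p)
    return {"peers": peers, "p_exceed": p, "risk": risk,
            "rating": cyber_resilience_rating(risk, fortitude, governance)}


if __name__ == "__main__":
    print(rate_entity("acme-bank", assessment_score=0.7, materiality=1_000_000.0,
                      fortitude=72.0, governance=65.0))
```

The practical points the toy makes visible are where the assumptions live: the peer definition decides which loss records feed the simulation (the retail and small-revenue records are excluded here), the frequency and severity models decide the shape of the loss distribution, and the materiality threshold turns that distribution into a single exceedance probability. A real assessment would need each of those choices documented and validated against the entity's own data.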