ESG Data Guide 2023

ISS ESG - Cyber Risk Score

Data category

  • Ratings
  • Research data

The data offers solutions for:

  • Investment decisions and portfolio insight
  • Social impact analysis and insight
  • Network security risk

Who are the data users?

  • Corporates
  • Trustees
  • Investors
  • Government
  • Financial institutions
  • Index providers; Institutional investors; Asset managers; Asset owners; Fund managers; Banks; Government institutions; Universities and research firms

Brief description of the data offering

The ISS ESG Cyber Risk Score is a data-driven scoring and screening solution. The score is a concise, empirical, and proactive metric that conveys how well a company manages and maintains its network security, powered by a machine learning model trained to identify the potential for a breach event.

The Cyber Risk Score represents the likelihood that an organization will suffer a material cyber incident (e.g., breach) within the next 12 months, expressed as a score on a scale from 300 to 850. The Cyber Risk Score scoring model is trained to recognize patterns and signals indicative of breach risk. A historical dataset with known breach outcomes is used for model training. Records of cybersecurity breach incidents are identified by ISS and used to identify affected organizations and the corresponding timeline of breach incidents.

A score of 300 represents high risk; a score of 850 represents lower risk. A company with a Cyber Risk Score closer to 300 is assessed to be at significantly higher risk of experiencing a material cyber incident in the next 12 months than a company with a Cyber Risk Score closer to 850.

The Cyber Risk Score is calculated based on the behaviour of an organization, as well as firmographic information that includes company size and the industry in which the firm operates. Organizational behaviours are assessed through an array of IP and domain-based data collections.

Each company’s Cyber Risk Score is generated from data findings collected from cyber assets identified as being either owned or operated by the company or any of the company’s majority-owned subsidiaries. Each company’s asset attribution is reviewed at least annually, while each week a new score is generated based on findings collected over the previous week. Historical scores and data provide greater context and trend analysis to understand a company’s approach to managing cyber risk over time.

Where and how do you source your data?

The Cyber Risk Score is based on a forward-looking predictive model that leverages a data-driven and empirically derived assessment of cybersecurity risk. It relies on supervised machine learning to discover the best predictors among network conditions, management behaviors and known data breaches. By understanding the mathematical relationships between these, the ISS Cyber Risk Score is more effective at predicting future outcomes. Where organizations exhibit behaviors that are strong predictors based on past breach events, they are demonstrably more likely to suffer similar outcomes. Through the development of a predictive model based on empirical mathematical relationships, any potential bias is removed from the process and the score delivered has been proven to be the most accurate security rating on the market for insurance carriers and brokers to rely on as part of their underwriting, portfolio management and aggregation/cyber modeling efforts.

The Cyber Risk Score is based on a combination of compiled information sourced from third parties (such as HG Data Insights and SpamHaus), as well as a deep database of historical cyber risk data (7 years), information collected by ISS ESG’s own efforts, across the entire global internet address space. This ensures a deep pool of information for research, allowing for scores to be generated for companies and organizations worldwide. The continuous collection of data on all organizations ensures the ability to assess the long-term behavior of the subject organization from the moment the score is requested.

What is the cost for your data offering?

Pricing is based on the method by which data is delivered. ISS ESG can provide data via its proprietary platform, DataDesk, or via data feed. Pricing for this solution is available upon request.

What are the key attributes that differentiate the data you offer?

  • Benefit from a concise, empirical, and proactive metric that seeks to convey how well a company manages and maintains its cyber security posture, powered by a machine learning model trained to identify the potential for a breach event over the next 12 months.
  • Empirically scoring and managing portfolios through the platform to track and monitor cyber resiliency performance.
  • Understanding cyber risk accumulation/aggregation based on defined segments and scenarios and measuring risk exposure associated with 3rd and 4th party dependencies (Cloud Service Provider and Technology Vendors)
  • Estimating Probable Maximum Loss scenarios and Disaster Scenarios based on defined requirements
  • Engaging with potential insureds and their brokers in a meaningful security conversation through system collaboration capabilities
  • Enabling actual insureds to better monitor, remediate, and manage ongoing cyber risk

