Identifying Cyber Risk Across Industries - 2026 Assessment
Rankiteo monitors the cybersecurity posture of thousands of large enterprises with 5,000+ employees across 50 industries. Our Worst Companies rankings surface the organizations with the weakest externally observable security posture - the companies most likely to be vulnerable to cyberattacks, data breaches, and supply chain compromise.
These rankings are not designed to shame or harm organizations. Instead, they serve as a transparency tool for risk managers, procurement teams, CISOs, regulators, and investors who need to understand where critical cyber exposure exists in their supply chain, market, or portfolio.
Why Monitor Low-Scoring Companies?
- Supply Chain Risk: Your organization's security is only as strong as your weakest vendor. Identifying high-risk third parties is essential for preventing supply chain attacks.
- Regulatory Compliance: Frameworks like NIS2, DORA, SOC 2, and ISO 27001 increasingly require continuous third-party risk assessment. These rankings provide evidence for due-diligence processes.
- Competitive Intelligence: Understand how competitors manage (or fail to manage) cybersecurity risk relative to your own organization.
- Investment Risk: For private equity firms, venture capitalists, and M&A teams, cyber risk is a material factor in valuation and deal-making.
How Risk Scores Are Calculated
The Rankiteo Cyber Resilience Score is a deterministic, evidence-driven metric that produces a single value between 100 and 1,000 for each organization. The score transparently decomposes into three principal components: a market-cap baseline, a time-decayed incident penalty, and an industry normalization adjustment. Lower scores indicate heavier incident burden and higher estimated cyber risk. Learn more in our AI Cyber Score methodology.
Core Scoring Components
- Time-Decayed Incident Exposure: Every confirmed cyber event - ransomware (100 pts), data breach (60 pts), cyber attack (20 pts), or vulnerability (5 pts) - contributes a penalty that decays exponentially. Ransomware and breach half-lives are 3 years, cyber attacks 2 years, and vulnerabilities 18 months. Quantitative severity (financial loss and records exposed, scaled relative to market capitalization) amplifies the penalty up to 3×.
- Sector-Sensitive Impact Multipliers: Each NAICS industry receives multipliers based on safety-of-life risk, service continuity, regulatory exposure, and data sensitivity. Identical incidents carry greater penalties in high-criticality sectors like healthcare, utilities, and national defense.
- Market-Cap Baseline & Dampening: A logistic function anchors clean companies between 750 and 850 based on size. A continuous dampening factor attenuates incident penalties for large firms, reflecting higher disclosure rates and absorption capacity - without masking severe events.
- Industry Adjustment: A bounded sectoral offset derived from NAICS-level incident-rate z-scores, applied only to companies with clean or near-clean records. Companies with material incidents lose this sector credit entirely.
- Ransomware Recurrence: Repeated ransomware events trigger escalation up to 1.5×, reflecting persistent adversarial footholds or unresolved root causes.
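The time-decayed incident exposure and recurrence rules above, as an added worked example (not Rankiteo's code): base points and half-lives are the page's stated values, while the exact shape of the severity amplifier (linear in loss relative to market cap, hitting the 3x cap at a loss of 1% of market cap) and of the recurrence escalation (+0.25x per additional ransomware event, capped at 1.5x) are assumptions, since the page does not specify them.

```python
from dataclasses import dataclass

# Stated on the page: base penalty points and half-lives in years per incident kind.
BASE_POINTS = {"ransomware": 100.0, "data_breach": 60.0, "cyber_attack": 20.0, "vulnerability": 5.0}
HALF_LIFE_YEARS = {"ransomware": 3.0, "data_breach": 3.0, "cyber_attack": 2.0, "vulnerability": 1.5}

# Assumed calibration (not from the page): a loss equal to 1% of market cap reaches the 3x cap.
SEVERITY_CAP = 3.0
SEVERITY_FULL_RATIO = 0.01
# Assumed escalation step per additional ransomware event, capped per the page at 1.5x.
RECURRENCE_STEP = 0.25
RECURRENCE_CAP = 1.5


@dataclass
class Incident:
    kind: str          # one of BASE_POINTS
    age_years: float   # time since the event, in years
    loss_ratio: float = 0.0  # financial loss divided by market capitalization


def decay_factor(age_years: float, half_life_years: float) -> float:
    """Exponential decay: the penalty halves once per half-life."""
    return 0.5 ** (age_years / half_life_years)


def severity_amplifier(loss_ratio: float) -> float:
    """Assumed linear amplifier from 1x up to the 3x cap stated on the page."""
    scaled = max(0.0, loss_ratio) / SEVERITY_FULL_RATIO
    return 1.0 + (SEVERITY_CAP - 1.0) * min(scaled, 1.0)


def incident_penalty(inc: Incident) -> float:
    """Penalty contributed by one incident today: base x decay x severity."""
    base = BASE_POINTS[inc.kind]
    decay = decay_factor(inc.age_years, HALF_LIFE_YEARS[inc.kind])
    return base * decay * severity_amplifier(inc.loss_ratio)


def recurrence_factor(ransomware_count: int) -> float:
    """Assumed escalation for repeated ransomware, capped at the page's 1.5x."""
    if ransomware_count <= 1:
        return 1.0
    return min(RECURRENCE_CAP, 1.0 + RECURRENCE_STEP * (ransomware_count - 1))


def total_incident_penalty(incidents: list[Incident]) -> float:
    """Sum of decayed penalties; ransomware penalties are scaled by recurrence."""
    ransomware = [i for i in incidents if i.kind == "ransomware"]
    factor = recurrence_factor(len(ransomware))
    return sum(incident_penalty(i) * (factor if i.kind == "ransomware" else 1.0) for i in incidents)


if __name__ == "__main__":
    # Constructed sample history: two ransomware events (one fresh, one 3 years old) plus an old vulnerability.
    history = [Incident("ransomware", 0.0), Incident("ransomware", 3.0), Incident("vulnerability", 1.5)]
    print(f"total penalty: {total_incident_penalty(history):.1f}")
```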
Risk Bands
Scores map to letter-grade bands for quick risk assessment. Companies in the worst rankings typically cluster in the lower bands:
- Aaa (900–1,000): Exceptional - minimal or no incident exposure. Rarely in worst rankings.
- Aa (800–899): Very strong posture with a clean or near-clean record.
- A (700–799): Strong resilience with limited incident history.
- Baa (600–699): Adequate but with some recorded incidents or sector risk.
- Ba (500–599): Below average - notable incident burden.
- B (400–499): Weak - significant accumulated exposure.
- Caa–C (0–399): Critical risk - severe, recent, or repeated cyber incidents.
Explore More
Gain a complete view of enterprise cybersecurity across industries by exploring complementary rankings and insights.