Identifying Cyber Risk Across Industries - 2026 Assessment
Rankiteo monitors the cybersecurity posture of thousands of large most renowned enterprises across 50 industries. Our Worst Companies rankings surface the organizations with the weakest externally observable security posture - the companies most likely to be vulnerable to cyberattacks, data breaches, and supply chain compromise.
These rankings are not designed to shame or harm organizations. Instead, they serve as a transparency tool for risk managers, procurement teams, CISOs, regulators, and investors who need to understand where critical cyber exposure exists in their supply chain, market, or portfolio.
Why Monitor Low-Scoring Companies?
- Supply Chain Risk: Your organization's security is only as strong as your weakest vendor. Identifying high-risk third parties is essential for preventing supply chain attacks.
- Regulatory Compliance: Frameworks like NIS2, DORA, SOC 2, and ISO 27001 increasingly require continuous third-party risk assessment. These rankings provide evidence for due-diligence processes.
- Competitive Intelligence: Understand how competitors manage (or fail to manage) cybersecurity risk relative to your own organization.
- Investment Risk: For private equity firms, venture capitalists, and M&A teams, cyber risk is a material factor in valuation and deal-making.
How Risk Scores Are Calculated
The Rankiteo Cyber Resilience Score is a deterministic, evidence-driven metric that produces a single value between 100 and 1,000 for each organization. The score transparently decomposes into three principal components: a market-cap baseline, a time-decayed incident penalty, and an industry normalization adjustment. Lower scores indicate heavier incident burden and higher estimated cyber risk. Learn more in our AI Cyber Score methodology.
Core Scoring Components
- Time-Decayed Incident Exposure: Every confirmed cyber event - ransomware (100 pts), data breach (60 pts), cyber attack (20 pts), or vulnerability (5 pts) - contributes a penalty that decays exponentially. Ransomware and breach half-lives are 3 years, cyber attacks 2 years, and vulnerabilities 18 months. Quantitative severity (financial loss and records exposed, scaled relative to market capitalization) amplifies the penalty up to 3×.
- Sector-Sensitive Impact Multipliers: Each NAICS industry receives multipliers based on safety-of-life risk, service continuity, regulatory exposure, and data sensitivity. Identical incidents carry greater penalties in high-criticality sectors like healthcare, utilities, and national defense.
- Market-Cap Baseline & Dampening: A logistic function anchors clean companies between 750 and 850 based on size. A continuous dampening factor attenuates incident penalties for large firms, reflecting higher disclosure rates and absorption capacity - without masking severe events.
- Industry Adjustment: A bounded sectoral offset derived from NAICS-level incident-rate z-scores, applied only to companies with clean or near-clean records. Companies with material incidents lose this sector credit entirely.
- Ransomware Recurrence: Repeated ransomware events trigger escalation up to 1.5×, reflecting persistent adversarial footholds or unresolved root causes.
Risk Bands
Scores map to letter-grade bands for quick risk assessment. Companies in the worst rankings typically cluster in the lower bands:
- Aaa (900–1,000): Exceptional - minimal or no incident exposure. Rarely in worst rankings.
- Aa (800–899): Very strong posture with a clean or near-clean record.
- A (700–799): Strong resilience with limited incident history.
- Baa (600–699): Adequate but with some recorded incidents or sector risk.
- Ba (500–599): Below average - notable incident burden.
- B (400–499): Weak - significant accumulated exposure.
- Caa–C (0–399): Critical risk - severe, recent, or repeated cyber incidents.
Explore More
Gain a complete view of enterprise cybersecurity across industries by exploring complementary rankings and insights.
