Frequently Asked Questions
What insights does Security DataPoint offer?
Security DataPoint delivers independent, data-driven insight into the cybersecurity posture of publicly traded companies. By evaluating each company across six key security categories and normalizing the results to a 0–100 score, SDP provides a clear, comparable view of cyber risk across the public markets. These insights help market participants, enterprises, and other stakeholders better understand cybersecurity exposure as part of broader risk assessment and oversight.
Why is cybersecurity an important risk factor for public companies?
Cybersecurity incidents can lead to financial loss, operational disruption, regulatory scrutiny, and lasting damage to brand trust. For public companies, these impacts can affect business continuity, governance, and market confidence. Understanding a company’s cybersecurity posture provides additional context for assessing cyber-related risks alongside other operational and governance considerations.
How are SDP’s cybersecurity scores calculated?
SDP assesses publicly traded companies across six key cybersecurity and governance categories by evaluating externally observable signals and public disclosures through a structured scoring methodology. The scores are normalized to a 0–100 model to provide a clear, comparable view of cybersecurity risk across companies.
Does SDP replace traditional financial analysis?
No. SDP’s data is intended to complement traditional financial and operational research by adding an independent cybersecurity risk signal. It provides additional context that can be considered alongside existing analysis, not a substitute for it.
If a company has SOC 2 certification, doesn’t that mean its cybersecurity is strong?
Companies define what to place in scope for SOC 2 audits — they choose which systems, services, and trust criteria are included. The detailed report is only available to clients, typically under NDA, so an outside observer typically sees a badge or announcement with no indication of what was reviewed under the audit. SDP doesn’t rely on what a company chooses to disclose — it assesses cybersecurity posture through externally observable signals across a company’s full public-facing footprint.
If a company carries cyber insurance, doesn’t that protect against cybersecurity losses?
Cyber insurance activates after an incident and is often more limited than it appears. Policies routinely exclude nation-state attacks, cap ransomware payouts through sublimits, and can be voided entirely if a company misrepresented its security practices during underwriting. When a publicly traded company discloses a breach, the market reacts in days; insurance claims resolve in months to years — if they pay at all. By contrast, SDP focuses on the pre-incident posture.
Which exchanges, market segments, and tickers does SDP cover?
SDP provides cybersecurity risk data for companies listed on NASDAQ, NYSE, and AMEX. Current coverage includes small-cap, micro-cap, and nano-cap public companies, totaling just over 3,000 firms. Coverage was expanded to mid-cap companies in Q1 2026. SDP focuses on primary equity tickers that represent operating companies. Secondary tickers — including financial instruments, special-purpose or acquisition vehicles, and similar listings — are not included.
Why does SDP focus on nano- to mid-cap companies?
Larger public companies typically have more mature cybersecurity programs and greater resources to manage cyber risk. In contrast, nano-, micro-, small-, and mid-cap companies often face higher relative exposure due to leaner security teams and less standardized disclosure. SDP focuses on these segments to provide clearer insight into cybersecurity risk where information asymmetry is highest across the public markets.
How can clients access SDP data?
Clients can access SDP data through APIs as well as dashboard reports. The specific delivery options and level of access depend on the selected subscription tier.
SDP data is provided for informational purposes only and is intended to supplement, not replace, independent analysis. Not investment advice.