Archive for HITRUST

Organizations with HITRUST Certification Achieve <1% Breach Rate

Posted in Commentary with tags on February 20, 2025 by itnerd

HITRUST today released its Second Annual 2025 HITRUST Trust Report, reaffirming HITRUST as the only information risk and cybersecurity certification that delivers quantifiable proof of risk reduction. The data is clear: organizations with HITRUST certifications experience dramatically fewer breaches than those without, demonstrating that HITRUST is the benchmark for cybersecurity trust and assurance.

Key Findings from the 2025 Trust Report:

  • HITRUST-Certified Organizations Remain Protected: Organizations with a HITRUST certification reported an incident rate of just 0.59% in 2024, meaning 99.41% remained breach-free. This rate—down from 0.64% in 2023—now covers all HITRUST certifications (e1, i1, and r2), not just the r2, proving that HITRUST’s entire portfolio delivers measurable risk reduction.
  • HITRUST Protects Against 100% of Known Cyber Threats: The HITRUST CSF is cyber threat-adaptive and leverages top intelligence sources to counter modern cyber threats. With direct mapping to MITRE ATT&CK, HITRUST is the only framework proven to mitigate 100% of addressable TTPs.
  • HITRUST Drives Continuous Security Maturity: Organizations that maintain HITRUST certification see up to 54% fewer corrective actions required year-over-year, proving that repeat certification leads to material, ongoing security improvements.
  • HITRUST Introduces Two AI Security Assurances: HITRUST now provides industry-leading AI Security Assessment and Certification, allowing organizations to seamlessly integrate AI risk management into their broader security programs.
  • HITRUST found system vulnerability exploits as the top breach type over three years. Password Management, Data Protection, and Access Control are the hardest domains to achieve security maturity. Inadequate Endpoint Protection is the leading cause of HITRUST certification failures.

HITRUST’s Cyber-Threat-Adaptive Engine Delivers Continued Relevance

HITRUST’s superior risk mitigation is driven by its cyber threat-adaptive engine, ensuring that its control requirements are continuously evaluated against the latest threat landscape. Using proprietary, patent-pending technology and indicators of attack and compromise, HITRUST ensures that controls remain effective in mitigating current and emerging threats. Unlike static, one-size-fits-all standards and frameworks, HITRUST’s framework ensures that its controls have an intended and measurable risk mitigation effect.

Reliable Assurance Built for Trust

HITRUST certifications are built on a highly reliable assurance methodology, which includes:

  • Prescriptive control requirements designed for validation, measurement, and scoring from the start.
  • Independent third-party validation to verify accurate and effective implementation.
  • Centralized QA review, reporting, and certification to ensure consistency and trustworthiness.
  • A robust gap and corrective action plan model, driving continuous improvement.
  • Annual recertifications that ensure organizations maintain their cybersecurity maturity.

Together, these relevant controls and reliable assurances create measurable, consistent, significant, and ever-improving security outcomes. This fact is further validated by the cyber insurance industry, which has recognized HITRUST’s accuracy and dependability in understanding and reducing risk. As recently announced, multiple insurers have now formed a shared risk facility to offer HITRUST-certified entities enhanced cyber insurance options, including better coverage, reduced rates, and a streamlined process for application and renewals.

Coming Soon: Public Cyber-Threat-Adaptive Reporting

In the coming months, HITRUST will begin publicly reporting cyber threat-adaptive analytics and findings. These reports will not only reinforce greater confidence in HITRUST’s control requirements but also guide organizations on which controls are under the most pressure and where they should prioritize security investments. This data-driven approach will enable organizations to proactively strengthen high-impact controls based on real-world attack trends and evolving threats.

How Organizations Are Using HITRUST

HITRUST is more than just a certification—it is a blueprint and benchmark to manage information security risk and compliance and to establish trust between organizations and parties:

  • Business, security, and risk leaders rely on HITRUST as a structured approach to internal security programs.
  • Third-party risk managers leverage HITRUST to ensure strong, practical, and scalable vendor risk management.
  • Sales and marketing leaders use HITRUST certification to demonstrate a trusted security posture, removing friction with prospects and customers.
  • Compliance leaders utilize HITRUST to streamline regulatory compliance and reporting across multiple requirements.

With the release of this year’s Trust Report, HITRUST continues to cement its position as the gold standard and industry leader in cybersecurity assurance.

Get the Full Report

For a deeper dive into how HITRUST is leading the way, visit: HITRUST 2025 Trust Report

Lloyd’s of London Launches First-of-its-kind Consortium Built on HITRUST Certification to Shape the Future of Cyber Insurance  

Posted in Commentary with tags on December 12, 2024 by itnerd

HITRUST, the leader in information security assurances for risk and compliance management, today unveiled an innovative cyber insurance consortium in collaboration with Lloyd’s of London and backed by a network of globally recognized AA-rated insurers. This first-of-its-kind shared risk facility revolutionizes the cyber insurance landscape, delivering exclusive, market-leading coverage and rates to HITRUST-certified organizations worldwide. By aligning relevant and reliable cybersecurity practices with tailored insurance solutions, the consortium sets a new standard for incentivizing and protecting trusted organizations.

As cyber threats continue to escalate, organizations face increasing pressure to effectively measure and mitigate information risk. HITRUST’s proven methodology stands out as the industry-leading solution to manage information risk and to measure residual risk. By combining relevant risk management practices and security controls with a comprehensive and reliable assurance process, HITRUST-certified organizations achieve a significantly lower likelihood of breaches, set the gold standard for resilience in an increasingly volatile threat landscape, and earn endorsement from leading cyber insurers.

According to the recently published 2024 Trust Report, less than 1% of HITRUST certifications experienced a breach over the past two years. This remarkable statistic underscores the effectiveness of the HITRUST assurance program in delivering measurable risk mitigation outcomes.

The newly formed consortium with Lloyd’s of London unites additional capital from a global network of Moody’s recognized AA-rated insurers to establish an innovative shared risk facility. This novel initiative leverages the proven link between HITRUST certification and superior and measurable risk management, enabling insurers to confidently deliver enhanced and more consistent insurance products. The facility is designed to scale as additional insurers join, ensuring greater capacity to meet the evolving demands of HITRUST-certified organizations across the globe.

Key benefits for HITRUST-certified organizations include:

  • Lower Insurance Costs: Exclusive, market-leading rates with more favorable terms and significant savings that reflect an organization’s commitment to strong cybersecurity practices, including a starting credit of 25% on premiums.  
  • Simplified Insurance Process: Redundant questionnaires and lengthy application cycles are replaced with streamlined underwriting based on data from the HITRUST certification, with some policies underwritten in just one week.
  • Comprehensive Coverage: Policies are built on a single-page exclusion model, offering clarity and adaptability while supporting a wide range of organizational needs.
  • Scalable Protection: Access to increasing capacity as the consortium grows, ensuring coverage is adaptable to an organization’s needs as they change and grow over time.
  • Recognition for Security Investments: Demonstrate to partners, clients, and regulators that your organization meets the highest standards of cybersecurity, validated by the industry’s most trusted risk management framework.

To enable this consortium, HITRUST has developed a secure API that allows insurers to access detailed information about an organization’s HITRUST r2 certification through the company’s Results Distribution System (RDS). This technology ensures that insurers receive structured, consistent assessment data, facilitating a more accurate and efficient underwriting process.

Understanding the Shared Risk Facility  

A shared risk facility is a collaborative arrangement where multiple insurers come together to share the underwriting risk associated with policies. For HITRUST-certified organizations, this means access to better insurance options, as the insurers collectively recognize the reduced risk these organizations present. This collaboration fosters a more stable and competitive insurance market.

Availability and Next Steps

The enhanced cyber insurance offerings are available to HITRUST-certified organizations effective immediately through their existing brokers. Currently available for HITRUST r2 certifications, plans are underway to extend this capability to include the i1 and e1 assurance programs in 2025. Additionally, there is potential to expand the scope to encompass HITRUST’s newly released AI Security Certification offering.

Organizations interested in benefiting from improved coverage and rates are encouraged to pursue HITRUST certification to take advantage of these new options.

For more information about how to get started with HITRUST certification, please visit hitrustalliance.net/cyber-insurance or contact them.