Investigating breach rate claims
Is a 'breach rate of less than 1%' a good thing?
In this latest edition of “someone is wrong on the Internet and Adrian is fired up about it”, it was the comments section of a LinkedIn post that set me off.
Not too surprising, right?
The LinkedIn post was focused on a new community created around SOC 2 in an attempt to improve the quality of SOC 2 reports. The comments on this post, however, were flooded with HITRUST stans, revolving around a key statistic: that less than 1% of HITRUST-certified organizations reported having a breach.
There’s a lot to dissect here with just this one small claim. Before I get to that, however, let me comment on some positives I’m hearing from the HITRUST crowd.
In said LinkedIn comments, a HITRUST employee mentions that control selection is based on threat data. “We’re analyzing threat data monthly and adjusting controls as necessary based [on] what is being exploited today”, they say. I think this is an excellent idea, and it’s a key point I’ll be arguing for alongside Adam Shostack when we speak at RSA in a few months.
While I get excited about HITRUST’s certification methodology, I find the discussion around this less than 1% breached metric troubling. One thread in the comments is started with the argument that HITRUST is better than SOC 2, because it has “a published breach rate of less than 1%.”
How am I expected to use this metric with no basis for comparison though? I immediately have some questions:
What’s the breach rate for SOC 2?
What’s the breach rate for non-HITRUST certified organizations?
Where did this breach rate come from?
Understanding more about HITRUST
So, it looks like part of the HITRUST certification is a contractual obligation to report breaches. I like this as well! With breaches reported, HITRUST has an opportunity to learn from the breach and update their required controls to ensure others can benefit from breach lessons. Again, this is something I also argue heavily for, though in a more public sense, not within a private certification framework. We now understand how they’re collecting the data for their metric though.
Note - for simplicity’s sake, I’m going to assume 100% of organizations are 100% honest when reporting breaches to HITRUST. I believe that, whenever questioning someone else’s stats or reporting, it’s a good practice to be overly conservative and fair when challenging them.
With that said, are there incentives not to report a breach? Absolutely, if you think you can get away with it. From an attacker’s perspective, this is an extortion opportunity: how much is it worth to you to keep your HITRUST certification? And how much is it worth to HITRUST to have a low breach rate to report?
According to their 2025 Trust Report, HITRUST reports that in 2024, 0.59% of HITRUST-certified organizations reported a breach in their HITRUST-certified environment. This seems very impressive, as any bad thing less than 1% seems like a win when expressed as a percentage.
There’s a reason that “five nines” is the benchmark when calculating systems availability, however - 0.59% downtime over a year is nearly 52 hours, or more than two days offline. That’s an eternity if it happened to a major hyperscaler like AWS. If we said that less than 1% of schoolchildren were poisoned by their school’s drinking fountains, this would also come across as unacceptable - that’s over 330,000 sick kids.
Some Internet-sleuthing suggests that there are “over 1000” HITRUST-certified organizations globally. So we’re talking about at least 6 reported breaches within HITRUST’s dataset. Some important questions remain.
How do we know that this makes HITRUST superior to SOC 2? We don’t know what the breach rate is for organizations with SOC 2 type 2 reports.
Looking for quantitative answers
How do we know that this breach rate makes having HITRUST certification superior to not having it? We don’t know what the breach rate is for businesses as a whole. So I asked that same HITRUST employee for some clarification.
He replied that 40-60% of businesses have been breached in the past 12 months, citing a 55% number from a TechRadar/GigaOm survey on hybrid cloud. This is either troubling or comforting, depending on how you look at it. If more than half of all companies are getting breached every year, the cybersecurity industry isn’t doing too hot. On the other hand, breaches aren’t killing companies or the economy, so I guess this suggests that most breaches aren’t all that bad?
The 2025 Verizon DBIR reports 2,867 data breaches for organizations in North America. Dividing that by the number of North American businesses, excluding sole proprietorships, gives us a breach rate of 0.038%, or 1 breach per 2,650 businesses. This is hardly a fair comparison though, as that denominator likely includes every small family-owned restaurant in North America, none of which is likely to ever pursue a SOC 2 report or HITRUST certification (though they can and have had breaches).
Refining the number of businesses further, to only those likely to pursue a SOC 2 or HITRUST certification, we come up with a conservative estimate of 0.97%. Still less than one percent, but again problematic, as we don’t know whether Verizon’s dataset includes breaches at the businesses we just excluded.
Looking at another interesting dataset, 26 companies have reported material cybersecurity incidents since the SEC breach disclosure rule went into effect on December 18th, 2023, and a total of 55 cybersecurity incidents have been reported via Form 8-K in the same period. Again, we’re looking at a conservative estimate that still hovers around 1%: 1.3% of public companies reporting an incident, and only 0.65% reporting a material one, in the 12 months following the new disclosure rule.
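To make the arithmetic above reproducible, here is a small Python script, added as an example and not part of the original post, that re-derives each figure and attaches a confidence interval to the HITRUST number. The populations it uses (1,000 certified organizations, roughly 7.5 million North American businesses, roughly 4,000 public companies) are assumptions back-solved from the percentages quoted in the post, not published HITRUST, Verizon or SEC figures.

```python
"""Sanity checks for the breach-rate figures discussed in the post.

Added example. Populations below are assumptions back-derived from the
rates and counts quoted in the post; they are not published figures.
"""
import math

HOURS_PER_YEAR = 365 * 24


def rate(events, population):
    """Fraction of the population that reported an event."""
    return events / population


def implied_population(events, quoted_rate):
    """Denominator implied by a count and a quoted fraction."""
    return events / quoted_rate


def downtime_hours(unavailable_fraction):
    """Hours per year a system is down at a given unavailability fraction."""
    return unavailable_fraction * HOURS_PER_YEAR


def wilson_interval(events, population, z=1.96):
    """Wilson score interval (default 95%) for a binomial proportion.

    With a handful of events out of ~1,000 organizations, the point
    estimate moves a lot per extra report; the interval shows by how much.
    """
    n = population
    p = events / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return centre - half, centre + half


def summarize():
    # HITRUST: 0.59% of "over 1000" certified organizations (post's figures).
    hitrust_n = 1000                                  # assumed lower bound
    hitrust_events = math.ceil(0.0059 * hitrust_n)    # 5.9 -> at least 6
    lo, hi = wilson_interval(hitrust_events, hitrust_n)

    # Verizon DBIR: 2,867 North American breaches; the post's 0.038% implies
    # a denominator of roughly 7.5 million businesses.
    dbir_population = implied_population(2867, 0.00038)

    # SEC Form 8-K: the post's 0.65% (26 material) and 1.3% (55 total)
    # each imply a population of public companies; compare the two.
    sec_pop_from_material = implied_population(26, 0.0065)
    sec_pop_from_total = implied_population(55, 0.013)

    return {
        "hitrust_breaches": hitrust_events,
        "hitrust_ci95": (lo, hi),
        "five_nines_hours": downtime_hours(1 - 0.99999),
        "hitrust_as_downtime_hours": downtime_hours(0.0059),
        "dbir_population": dbir_population,
        "sec_pop_from_material": sec_pop_from_material,
        "sec_pop_from_total": sec_pop_from_total,
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Two things fall out of running it. First, the two SEC percentages imply denominators of about 4,000 and about 4,230 public companies, close enough to be the same rounded population, so the post's figures are internally consistent. Second, with six events in roughly 1,000 organizations, the 95% Wilson interval runs from about 0.28% to about 1.3%: the upper bound crosses 1%, so at that sample size "less than 1%" is not even established with statistical confidence, quite apart from the missing baseline for comparison.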
Is HITRUST’s approach reducing the likelihood of breaches for its customers? It’s hard to say. I’m inclined to believe that HITRUST’s methodology will have a positive effect on the security programs of organizations that get certified, but without baseline data and comparisons to other compliance regimes, it is impossible to compare their numbers. Similarly, it is difficult to find support for reports that over half of companies are getting breached every year, outside some survey data.
Conclusion
I think any time spent focusing on controls that matter and align with how breaches are actually occurring is a good thing and is more likely to yield positive outcomes than simply following an industry standard that doesn’t take breach lessons into account.
Obtaining evidence that a particular approach works is very difficult however, as I hope my sad attempts at statistical analysis above demonstrate. I wish the best of luck to the folks at Verizon, Mandiant, and other organizations that produce annual reports on statistics and trends they’re seeing worldwide.
Finally, I hope this post has helped folks approach any statistical claims with a little more perspective and caution. There’s nothing wrong with asking questions and challenging stats. We can all stand to be challenged to improve our assumptions and data from time to time.