When evaluating a major investment, one of the first questions leaders ask is: “Is it worth it?”

With security, assurance, and trust initiatives, that question becomes even more pressing. You want to strengthen your organization, but you also need to justify the cost and prove the return on investment.

That’s why we’re excited to introduce the new HITRUST ROI Calculator — a tool designed to give you clear, data-backed insights into the value HITRUST certification can bring to your business.

Why we built it

For years, organizations have shared the business benefits they’ve seen with HITRUST, from faster sales cycles and stronger risk posture to reduced costs and greater efficiency. But until now, there hasn’t been an easy way to estimate those benefits for your specific environment.

The HITRUST ROI Calculator bridges that gap. It helps you

• Quantify the impact HITRUST could have on your revenue, costs, and risk.
• See your potential savings based on real-world data and independent analysis.
• Make informed decisions with confidence, backed by tangible numbers.

How it works

The calculator is simple to use yet powerful in the insights it provides. You enter details about your organization, such as industry, revenue, workforce, and certification goals, and the calculator generates a tailored estimate of your potential ROI.

It measures four key areas of value.

1. Revenue growth: How HITRUST can help accelerate sales cycles, reduce procurement friction, and open doors to new opportunities.
2. Operational efficiency: How much time and effort you can save on certification and audit activities with reusable documentation and streamlined preparation.
3. Cyber insurance savings: How HITRUST can help lower premiums and simplify underwriting by validating your security posture.
4. Risk reduction: How certification strengthens controls, reduces the likelihood of breaches, and improves resilience across your ecosystem.

Your results include an estimated annual benefit, your projected investment, and the overall ROI percentage, all based on assumptions validated by HITRUST customers and market benchmarks.

Why it matters

The ROI Calculator is more than just numbers on a screen — it’s a decision-making tool.

• If you’re considering HITRUST but unsure of the payoff, it provides clarity.
• If you’re building a business case internally, it gives you concrete figures to support your recommendation.
• If you’re comparing investments, it helps you weigh HITRUST against alternatives with measurable data.

HITRUST customers have witnessed a 464% ROI — proof that HITRUST isn’t just about assurance, it’s about meaningful business impact.

Try it today

Decisions about security and trust are too important to leave to guesswork. With the HITRUST ROI Calculator, you can replace uncertainty with clarity and move forward with confidence. Explore it now.

- Tom Kellermann, VP of Cyber Risk, HITRUST

Cybercriminals are increasingly exploiting the networks of smaller, often overlooked partners to reach high-value targets — a tactic known as island hopping. This method targets vulnerable vendors and turns trusted business relationships into pathways for intrusion.

According to Verizon’s 2025 Data Breach Investigations Report, third-party breaches have increased 100% from last year. There has also been a dramatic increase in island hopping. Island hopping occurs in these breaches when cybercriminals hijack the digital transformation of an organization and then launch cyberattacks against their customers. 

Why is mitigating island hopping important?

Cybercriminals are evolving their conspiracies and escalating their intrusions. Mitigating island hopping is paramount to protecting one’s brand. Thwarting island hopping goes beyond perimeter security due to the ephemeral technology environments of corporations. Recognize that adversaries will get in and that success is defined by the speed at which we suppress the cybercriminal to prevent the island hop.

How to mitigate island hopping?

Organizations must embrace effective Third-Party Risk Management (TPRM) strategies in order to strengthen supply chain security and business resilience. Leverage HITRUST's comprehensive portfolio, integrating threat-adaptive security assessments with operational enablement tools that make strong and efficient TPRM practical, driving cost reductions, risk mitigation, and program simplification. With a unique combination of relevant, threat-adaptive controls and a proven and reliable assurance methodology, HITRUST helps organizations manage and mitigate third-party cyber risk. 

This is no longer a question of duty of care but rather a duty of loyalty to the digital safety of your customers. As your organization digitally transforms, it must practice cyber vigilance. Doing so will enhance customer loyalty and protect your brand, thus allowing you to ward off island-hopping cybercriminals and regulatory penalties. 

Cybersecurity can no longer be viewed as an expense but rather as a business functionality, given that cybercrime has a material impact on businesses. CISOs and CMOs must work together to protect the organization’s digital brand and remember that a dynamic cybersecurity blueprint is fundamental to managing third-party cyber risks.

For years, the cybersecurity conversation has centered around whether organizations have the right controls in place. Do you have endpoint protection? Do you use multi-factor authentication (MFA)? Is there a security awareness training program in place? 

According to new research from Marsh McLennan’s Cyber Risk Intelligence Center (CRIC), those questions no longer go far enough. Today, the difference between resilience and risk is not about whether a control exists. It’s about whether it is implemented comprehensively, configured correctly, and tested continuously. 

This shift has profound implications for how organizations should approach cyber risk management, how insurers evaluate exposure, and how regulators and business partners assess security assurance. 

What the report found 

The CRIC report reveals a maturing cybersecurity landscape where effectiveness matters more than existence. 

• Controls are widespread, but uneven in execution. Most organizations now deploy basics like patching processes, privileged access management, and email security tools. The challenge is ensuring those controls are applied consistently across the enterprise. 

• Coverage and completeness matter. Endpoint detection and response (EDR) is a good example: every 25% increase in deployment reduces breach likelihood, but only full coverage delivers meaningful protection. A partial rollout leaves critical blind spots. 

• MFA must evolve. MFA has become table stakes. Insurers and security leaders now look deeper, asking: Are phishing-resistant methods in use? Is enforcement universal? Without those, MFA is just a façade of protection. 

• Quality beats quantity in training. Running employees through countless simulations doesn’t guarantee readiness. The research shows fewer, higher-quality exercises with realistic and evolving attack scenarios yield better outcomes. 

• Preparedness saves. Incident response planning consistently ranks among the most effective measures to reduce risk, particularly when bolstered by tabletop and red-team exercises that test readiness against real-world attack scenarios. 

Why this matters for HITRUST 

Assurance over existence 

At HITRUST, this has always been our philosophy. Our security assurance methodology doesn’t stop at verifying whether a control exists. It requires proof that it is operationalized, aligned with best practices, and auditable. Marsh’s findings validate what HITRUST has been delivering for years: assurance that controls are not just present, but effective in practice. 

A stronger market narrative 

Independent voices like Marsh strengthen HITRUST’s message to customers, regulators, and the market: Risk outcomes improve only when controls are deployed effectively. HITRUST certification provides that proof. 

This positions HITRUST as the bridge between governance frameworks, which define what should be done, and trusted assurance, which proves it has been done right. 

New leverage with insurers 

As a major global insurance broker, Marsh has significant influence over how insurers evaluate cyber risk. Its report underscores that superficial compliance is no longer enough. If HITRUST certification is seen as credible evidence of control maturity and completeness, insurers may reward organizations with certifications with better premiums, lower deductibles, and preferred underwriting status. That translates into real financial value alongside security assurance. 

Alignment with emerging risk differentiators 

The findings also align with HITRUST’s cyber threat-adaptive controls, which evolve to reflect emerging risks.  

• Phishing-resistant MFA is already an expectation in HITRUST assessments. 

• Enterprise-wide EDR coverage is reinforced within the HITRUST framework. 

• Incident response exercises, including tabletop simulations, are evaluated during assessment, providing measurable assurance of preparedness. 

HITRUST demonstrates that certification is not static. It evolves with the threat landscape and remains a reliable marker of resilience. 

The bottom line 

Marsh McLennan’s research should be a wake-up call for organizations still relying on governance checklists or partial implementations. Cybersecurity isn’t about having the right controls on paper; it’s about proving they work where it counts. 

This is where HITRUST delivers unmatched value. Our certification approach ensures that organizations are not just compliant but credible in the eyes of partners, regulators, and insurers. In an era where outcomes depend on security assurance, not assumptions, HITRUST stands as the trusted path forward.