Published: November 8, 2023
Cybersecurity breaches and data theft are becoming more frequent and more costly, making information security and consumer data protection key governance issues for companies.
S&P Global Sustainable1 data shows that a majority of companies in every sector have given a board member responsibility for cybersecurity strategy, but some companies still lack cybersecurity incident response plans. Among companies that do have plans, almost one-third do not test them regularly.
The risks are particularly high for the financials and healthcare sectors, which must protect sensitive consumer banking and medical data.
Business and social interactions around the world have become increasingly digitalized over the past two decades, making every company and each person a potential target for data theft and other cybercrimes. A spike in online adoption due to the coronavirus pandemic resulted in a huge flow of information into the web, putting new pressure on information security systems and increasing the risk of data loss and theft.
The rising frequency and cost of cybersecurity breaches have made information security and privacy protection key issues for all sectors of the economy. The number of breaches rose 38% year over year in 2022, according to the cybersecurity research firm Check Point Research, and the average cost of a corporate data breach in 2023 was about $4.5 million, up 15% from 2020, IBM wrote in its annual Cost of a Data Breach report. The risk to companies shows little sign of relenting: In the Global Risks Report 2023, the World Economic Forum listed “widespread cybercrime and cyber insecurity” as a top-10 global risk for both the next two years and the next 10 years.
Cybersecurity refers to a body of technologies, processes and practices designed to protect networks, systems, computers, programs and data from attack, damage or unauthorized access.
Information security is the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
A privacy policy is an internal statement that governs an organization or entity’s handling of personal information. It is directed at those members of the organization who might handle or make decisions regarding personal information, instructing them on the collection, use, storage, and destruction of the data, as well as any specific rights the data subjects may have.
Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information that, when collected together, can lead to the identification of a particular person also constitute personal data.
While information security and privacy protection have clear operational and strategic importance for companies, they are also key factors in a company’s social and governance performance. Information security is mainly a governance issue, and if not managed well, it can have negative repercussions on a company’s reputation and on consumers — particularly if financial or health data is compromised. Social risk comes into play when insufficient privacy protection measures leave personal data available for cybercriminals to access.
The risks are leading more companies to understand the importance of cybersecurity management and privacy protection, but some sectors are underperforming others and may be more vulnerable, according to S&P Global ESG raw data, which is based on the S&P Global Corporate Sustainability Assessment (CSA). Accountability for cybersecurity at the corporate board level is improving, but even in 2022, one in five companies did not have a cybersecurity incident response plan in place. The risks to customer data protection are particularly great for the financials and healthcare sectors, which must protect sensitive consumer banking and medical records. While CSA data shows that the financials sector is one of the best prepared for cyber breaches, healthcare has room for improvement.
From 2020 to 2022, an increasing share of companies across all sectors assigned a board member to oversee the cybersecurity strategy set up to prevent IT system failures and major information security incidents. Across sectors, an average of 80.6% of companies assessed in the 2022 CSA did so, up from about 66% of companies in the 2020 CSA. At the high end, about 86% of companies in the information technology and financials sectors had a designated board member. The energy sector was the lowest at 70.7%, while healthcare was close to the cross-sector average.
Most sectors show substantial growth in the number of companies assigning cybersecurity responsibility to a board member from 2020 to 2022. The materials sector jumped from 55.2% in 2020 to 80.2% in 2022. The energy sector, by contrast, has shown only a minor increase over that period. About 65.9% of energy companies had a designated board member in 2020, and that share grew to 70.7% in 2022.
While having a board member responsible for information security is now the norm, having a plan in place to respond to breaches is far less common. These incident response plans exist to ensure business continuity, prevent cyberattacks and reduce any costs or penalties that may occur. IBM suggests that an incident response plan should specify exactly how different types of cyberattacks should be identified, contained and resolved and lists a robust and regularly tested incident response plan as one of the factors that ultimately reduce costs in case a breach does happen.
Across sectors, 42.7% of companies have a cybersecurity response plan and test it at least annually. However, one in five companies do not have a plan or procedure in place at all. The remaining 37.3% of companies have plans in place but test them less often than once a year or did not specify whether there is a testing schedule, according to S&P Global Sustainable1 data.
The financials sector had the highest share of companies testing their plans annually, at 60.1% — making it the only sector where a majority of firms have a regular cybersecurity testing regimen. The information technology, materials and real estate sectors have the highest shares of companies with no plan in place, with about one-quarter of companies each. While the information technology sector had a surprisingly high share of companies with no plan in place, it was the sector with the second-highest share of companies with plans that are tested at least annually.
Healthcare is below the cross-sector average with slightly less than 40% of companies testing at least annually, and it has the second-highest share of companies (46.2%) with unspecified or less-than-yearly testing.
The 2022 CSA also examined what measures companies are taking to prevent incidents in the first place. These actions are largely geared toward training staff to be more conscious of cybersecurity threats: 74% of data breaches involve the human element, from simple errors to stolen credentials, according to the 2023 Verizon Data Breach Investigations Report.
Increasing employee awareness about the importance of information security is typically done through: (1) having an information security policy internally available for all employees; (2) awareness training; (3) a clear escalation process to report something suspicious; and (4) including cybersecurity as part of employee performance evaluations. The objective of these measures is to increase security by gradually changing people’s behavior.
Companies have increased the rate of implementation of the four measures assessed in the CSA over the last three years. Almost three-quarters of companies assessed in 2022 had all four measures in place, compared to only 52.5% in 2020. Companies in the information technology (87.8%), energy (82.9%) and utilities (80.3%) sectors had the highest share of implemented measures. The energy sector in particular has ramped up its employee training efforts: in 2020, it was the sector with the lowest share (41.2%) of companies with all four measures in place.
Poorly managed information security systems and procedures can harm customers, suppliers and other business partners if a data breach exposes personal data. As companies increasingly collect information and data from their customers and business partners, a weak privacy protection system can render this data easily obtainable.
Companies can pursue several mechanisms to protect the private data they hold. These include, for example, applying a comprehensive, regularly audited privacy policy to the entire organization and designating a person or department as responsible for privacy issues. The latter helps ensure clear ownership of this issue within the organization.
On this measure, data from the 2022 CSA shows that almost one in four assessed companies lacked a clear internal organizational structure to deal with privacy issues. At the sector level, financials and healthcare were slightly ahead of other sectors. The information technology and communications sectors — which include social media firms and other digital native companies that typically collect large volumes of consumer data — were below average.
All sectors have room to improve in their use of audits to identify gaps or areas to strengthen in their data privacy policies. A majority of companies in each assessed sector conduct internal audits of compliance with their privacy policies, though that figure varies widely — from 51.7% in the consumer staples sector to 70.4% for utilities companies. External audits are far less common, however. The financials and healthcare sectors led the pack in terms of assigning responsibility for privacy issues internally, but they were slightly below average in terms of running external audits of their policies to strengthen them.
The financials sector has been a leader in information security and data protection since the sector began to digitize in the late 1990s. More recently, the healthcare sector has become a hotspot of data collection — particularly during and after the coronavirus pandemic, when more interactions between patients and care providers occurred virtually. In this analysis, the healthcare sector includes service providers and excludes pharmaceuticals and manufacturers. Both the financials and healthcare sectors capture and hold distinctly valuable private information that, if compromised in a breach, could be used for identity theft and other crimes that affect consumers.
Information technology and communications companies provide the essential digital and physical infrastructure to enable the internet and its applications, and they play a key role in protecting corporate, public and private information. These companies represent best-in-class practices and policies related to cybersecurity and privacy protection.
Building and maintaining customers’ trust is a basic task for companies in the financials sector, and the reputational risk of data breaches that expose customers’ personal and financial information is great. Financial institutions also face strict data protection rules that are enforced by different regulatory bodies.
The sector has experienced massive data breaches in the recent past, most notably the 2017 Equifax data breach, which exposed the private records of more than 147 million US citizens. Events such as this have likely made information security and privacy issues top of mind for the sector.
In the 2022 CSA, 85.6% of financial firms answered that they have a board member overseeing their cybersecurity strategy, nearly as high as the leading information technology sector, indicating that the issue’s importance is well understood at the executive level. The sector also appears to be walking the talk, as it is the leader in testing incident response procedures at least once a year. The share of financial companies doing this is almost 15 percentage points higher than in the second-highest sector, information technology.
The sector also has strong governance around privacy protection. In the 2022 CSA, 78% of financial companies stated that they have a designated person or department responsible for privacy protection, again the highest share of all sectors assessed. But while 62% of companies in the financial services industry conduct an internal audit of their privacy policies and compliance, only 24% also conduct external audits, the fourth-lowest share of all sectors assessed.
Digitalization has been a growing trend in healthcare, further accelerated by the pandemic. Health data is increasingly being collected not only by providers but also by consumers using smartphone apps, smart watches and other wearables. The sensitivity of health information has made the sector a prime target for ransomware attacks, in which a cybercriminal locks up systems or threatens to expose personal information unless the target pays a ransom. Insurance fraud and identity theft are also top concerns involving misuse of health data. Companies tasked with safeguarding collected patient and customer data face high costs in the event of a breach: Healthcare breach costs have jumped 53.3% since 2020, and the average cost of a healthcare breach is now $10.9 million, according to IBM.
While the healthcare sector has shown improvement in cybersecurity and privacy governance, it has room to improve on the ground in terms of action. It has an above-average share of companies with a department or person responsible for privacy issues. And more than 80% of companies have a designated board member responsible for cybersecurity. However, it is the third-lowest sector in terms of testing response plans at least annually. It is also below average in the share of companies with four key cybersecurity measures in place, signaling that the sector can do more to prepare its employees to detect and report security breaches.
The healthcare sector is earlier in its digitization journey than the financials sector, but all corners of the economy have room to ramp up their efforts as cybersecurity and privacy become greater focuses for regulators and policymakers. In January 2023, voters in the US state of California — where many of the world’s largest tech companies are based — strengthened that state’s consumer privacy act, giving consumers the right to limit companies’ use of their personal data. The EU’s Digital Operational Resilience Act, adopted in 2022, sets operational requirements for financial institutions covering aspects such as incident reporting, resilience testing and third-party outsourcing. And the US Securities and Exchange Commission, the nation’s capital markets regulator, has listed cybersecurity practices as a 2024 priority for its examinations division. As the global economy grows more reliant on digital technologies, preventing and responding to information security risks will only become more important for companies across all sectors.