Key Takeaways
- Cyber vulnerability management that prioritizes remediation based on the probability of a breach and the potential severity of resulting damage is a key facet of cyber security.
- Within S&P Global Ratings' governance analysis, poor cyber vulnerability management can be considered indicative of wider cyber security issues and could negatively influence our assessment of an entity's risk management and internal controls.
- Our analysis suggests that some organizations that we rate may be slow to remediate highly targeted cyber vulnerabilities, increasing the risk that computer systems could be compromised.
Cyber attackers often rely on trickery to access target systems. That can involve an innocent-looking email hiding malware (phishing), or the impersonation of a trusted entity to gather usernames and passwords (spoofing). Yet one of the most common means of bypassing IT security employs no subterfuge, with attackers instead relying on vulnerabilities (known flaws) to gain access to and potentially manipulate computer systems.
Vulnerability exploitation almost tripled in 2023, according to figures provided in the 2024 Verizon Data Breach Investigations Report. Underlying that increase was the growth in the number of known vulnerabilities, with 29,000 discovered in 2023, up about 4,000 on the previous year, according to Qualys, a provider of information security and compliance solutions. The uptick marks an acceleration of a long-term increase in the number of vulnerabilities discovered annually (see chart 1).
Chart 1
The growth in identified vulnerabilities is likely the result of multiple factors, which includes increased security research (driven by security competitions and bug bounty programs), improved detection tools and techniques that lead to the identification of more issues, and increased application complexity that can lead to more vulnerabilities.
Organizations have suffered financial and operational damage resulting from vulnerability exploitation, and the potential exists for significant harm both to individual groups and at a systemic level. Mitigating factors, including thoughtful system redundancy design, rapid responses,and cyber insurance can limit the credit quality impacts of vulnerability exploitation. However, the increased cadence of attacks on known vulnerabilities highlights the importance of effective vulnerability management, including the proactive identification and elimination of security flaws. We consider vulnerability management to be a critical part of an issuer's cyber security preparedness and indications of weak management of security flaws can weigh on our assessment of an entity's risk management.
Cyber Vulnerabilities Differ In Both Structure And Magnitude
Not all vulnerabilities are equal. For example, as of 2023, Qualys indicated that hackers have already developed malicious code to exploit more than one quarter (26.5%) of identified vulnerabilities. This makes targets easier for hackers. Other vulnerabilities have "preconditions" that must be met before they can be exploited, such as an attacker already having access to the target system. This is harder to achieve relative to simply developing malicious code. Some vulnerabilities (generally those considered most critical) could enable an attacker to run malicious code remotely, potentially enabling them to take over a computer system from distance. For example, an attacker could send specially formatted queries to a vulnerable database that would upload malicious code in an effort to send it commands.
Similarly, not all computer systems are equally vulnerable. Those that are directly connected to the internet are, generally, the most exposed to attacks since anyone with internet access can interact with them (see chart 2). More connectivity, typically in terms of the number of connection-points, creates a larger "attack surface" and increases the risk of exposure. This makes it critical for organizations to understand what systems are exposed to the internet and that patches are used promptly to reduce the risk of compromise.
Chart 2
Exploitation of vulnerabilities found on the attack surface can prove particularly harmful. For example, in 2023, malevolent actors were able to use a vulnerability to exploit MOVEit, an application supplied by Progressive Software that enabled users to transfer data between systems. The resulting breaches gave ransomware groups access to files stored in the application and affected about 2,700 organizations and 95 million individuals, according to Emsisoft, a provider of IT security systems. Using by-record cost estimates for a data breach, as provided by IBM, Emsisoft calculated the total cost of the breach at over $15 billion.
The Dataset: Vulnerability Scans Of Over 7,000 Rated Entities
To better understand organizations' management of cyber risks on their attack surface, we examined vulnerability data for over 7,000 of the entities that we rate (comprised of companies in the financial and corporate sectors). This "dataset" was collated during 2023 by cyber security specialist Guidewire, which periodically scanned internet accessible computer systems for vulnerabilities that could increase the possibility that a system will be compromised.
Remediation Is Often Infrequent
Analysis of the dataset highlighted details on how quickly vulnerabilities are typically remediated by rated entities. The results showed that occasional or infrequent remediation of vulnerabilities was common across all industries, suggesting that lax vulnerability management could contribute to a heightened risk of systems being compromised (see chart 3).
Chart 3
While the frequency of remediation is an indicator of good cyber risk management, the rates need to be balanced against the risks posed by the vulnerabilities that were found. This is particularly pertinent given the regularity with which vulnerabilities are discovered, which can make it challenging to decide what to fix first.
In some cases, prioritizing remediation is done by examining Common Vulnerability Scoring System (CVSS) scores. CVSS scores provide a standardized way of categorizing a vulnerability on a range from one to 10, with a higher score representing greater severity. The average CVSS score in our dataset was 4.87, equating to a medium severity, while over 80% of all vulnerabilities were considered to be of medium severity or higher (see chart 4).
Chart 4
It is notable that the dataset features some vulnerabilities that have already been used by ransomware groups to gain access to systems. There were also regular occurrences of vulnerabilities in widely used products. These are often favored by malevolent actors as they potentially provide access to multiple targets, making their exploitation an efficient use of time.
Older Vulnerabilities Carry Added Risks
Older vulnerabilities often continue to be exploited by attackers, whose familiarity with their use increases the likelihood of success. That danger is pertinent given that vulnerabilities discovered seven years ago, in 2016, constitute the largest group in the dataset (28%), while a little under three-quarters of all the vulnerabilities in the study were discovered seven or more years ago (see chart 5).
Chart 5
Analysis revealed that the oldest vulnerability was over 24 years old, and affects software that is no longer supported by the vendor, meaning it cannot be fixed (patched). Furthermore, that vulnerability was present for eight months at one entity, giving attackers plenty of opportunity to exploit it. We consider that remediation that takes that long could be the result of poor vulnerability management and possibly an indication of wider issues with an entity's cyber security (especially if there were no actions taken to reduce the risk while waiting for remediation).
Effective Remediation Planning Requires Nuance
A remediation plan based on CVSS scores and the age of vulnerabilities may prove inadequate to the task of effectively reducing risk if it does not also reflect how often attackers are exploiting vulnerabilities. One way to address this issue is by incorporating the Exploit Prediction Security Score (EPSS). EPSS, created by a group of incident responders and security experts called the Forum of Incident Response and Security Teams (FIRST), is an estimate of the likelihood that a vulnerability will be exploited.
EPSS reflect the probability of vulnerability exploitation based on a combination of the vulnerability's characteristics and measures of how often it is actually exploited. The scores are dynamic and updated daily based on threat intelligence and other security data (while CVSS scores are usually static, even if a vulnerability is heavily exploited by attackers).
The addition of EPSS scores to CVSS adds crucial context that helps identify vulnerabilities that may pose a greater risk due to a high probability of exploitation. For example, in the following chart (see chart 6), vulnerabilities in the top left have a higher probability of being exploited so may need to be remediated sooner than those in the bottom right--even though the latter carry a higher risk of severe disruption. And clearly, vulnerabilities with high EPSS and CVSS scores (top right) pose the greatest risk and thus likely a remediation priority for organizations.
Chart 6
Entities that were in the dataset had vulnerabilities with an average EPSS score of 0.33, suggesting that, on average, vulnerabilities on their attack surface had a low probability of exploitation (see chart 7).
Chart 7
There were, however, exceptions to the generally low-risk scenario. For example, one vulnerability in the dataset had an EPSS of over 0.9, indicating a highly likelihood of exploitation by attackers, and an entity was exposed to that vulnerability for several months (increasing the risk of a breach). That example also shows how CVSS combined with EPSS can lead to a better estimation of the risk posed by vulnerabilities. In this case, the CVSS score was a medium severity 5.3 (which alone might not have prompted more immediate remediation), while the EPSS was a high risk 0.9.
Poor Vulnerability Management Can Be A Material Risk Factor
Based on the trends seen over the last few years, it seems inevitable that vulnerabilities will continue to increase in number. That will ensure that vulnerability management remains a critically important part of the cyber risk management toolkit.
Yet our analysis of vulnerabilities and remediation indicates that organizations can be slow in addressing known flaws in computer systems. This exposes systems to an increased risk of compromise, particularly where vulnerabilities are on the attack surface, and on the rare occasions they are both severe and/or have a high probability of exploitation. That, in turn, increases the risk that an organization might have intellectual property stolen, suffer operational interruption, reputational loss, and financial impacts (including from disruption and more directly ransom payments).
We consider management of cyber risk as part of our assessment of an issuer's management and governance. While our examination of vulnerabilities was limited to the attack surface, poor vulnerability management might be an indication of generally weak cyber risk management, which could be a consideration in our assessment of broader management and governance.
Writer: Paul Whitfield
Related Research
- Your Three Minutes In Cyber Security: Cyber Hygiene Can Affect Creditworthiness, Sep. 24, 2024
- Cyber Risk Insights: IT Asset Management Is Central To Cyber Security, Aug. 15, 2023.
This report does not constitute a rating action.
Primary Analyst: | Paul Alvarez, Primary Analyst, Washington D.C. +1 2023832104; paul.alvarez@spglobal.com |
Secondary Contacts: | Maria Mercedes M Cangueiro, Buenos Aires + 54 11 4891 2149; maria.cangueiro@spglobal.com |
Tiffany Tribbitt, New York + 1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com | |
Nico N DeLange, Sydney + 61 2 9255 9887; nico.delange@spglobal.com | |
Raam Ratnam, CFA, CPA, London + 44 20 7176 7462; raam.ratnam@spglobal.com | |
Nik Khakee, New York + 1 (212) 438 2473; nik.khakee@spglobal.com |
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.