(Editor's Note: CreditWeek is a weekly research offering from S&P Global Ratings, providing actionable and forward-looking insights on emerging credit risks and exploring the questions that matter to markets today. Subscribe to receive a new edition every Thursday at: https://www.linkedin.com/newsletters/creditweek-7115686044951273472/)
Maintaining effective "cyber hygiene" is an essential component of organizations' risk management. But as Cyber Security Awareness Month draws to a close, the struggle for cyber security rolls on for public and private entities—with many borrowers not adequately prepared to prevent, or mitigate, attacks.
What We're Watching
Cyberattacks pose a serious risk to borrowers up and down the ratings spectrum, especially as new methods and actors emerge. Companies slow to adapt or update their IT structures are, clearly, the most vulnerable. Establishing and embedding an array of practices that minimize the risk of security crises—known as cyber hygiene—is essential to effective management of organizational risk.
Data on cyber hygiene bolster the view that routinely ensuring the security of systems and data can significantly reduce exposure to cyberattacks. Microsoft's Digital Defense Report from October 2023 found that basic security hygiene (enabling multifactor authentication, applying zero-trust principles, using extended detection and response and antimalware tooling, keeping systems up to date, and protecting data) still protects against nearly all (99%) of attacks.
Effective cyber security is becoming increasingly important to credit quality, as well. Poor cyber hygiene suggests insufficient response and recovery planning, which can exacerbate the financial and reputational effects of successful cyberattacks and thus weigh on S&P Global Ratings' analysis of creditworthiness. At the same time, companies with poor cyber hygiene could struggle to get cyber insurance coverage, which could increase financial pressure in the event of an attack.
What We Think And Why
Within our governance analysis, poor management of cyber threats and vulnerabilities can indicate weakness in organizational risk management and could negatively influence our assessment of an entity's risk management and internal controls.
And while cyber security isn't easy, involving many moving pieces and requiring significant cooperation across an enterprise, fundamental steps, such as quickly patching an identified vulnerability or retiring a legacy protocol, can by themselves prevent a successful attack. That matters because a survey published in April by network-intelligence company ExtraHop found that about half of organizations still use at least one insecure network protocol, meaning one that sends credentials or data in cleartext or lacks modern authentication, and is therefore open to interception and abuse.
Cyber disruption isn't always the result of an attack. Consider the wide-ranging upheaval caused by a faulty software update pushed by CrowdStrike Holdings in July, which crashed millions of Windows machines worldwide. On top of the billions of dollars in losses directly linked to the global outage, the event highlighted the risks to the global IT ecosystem inherent in the interdependency of critical systems and software, and underscored the concentration risk arising from the dominance of a few key vendors.
Cyber attackers often rely on subterfuge such as phishing emails, or so-called "spoofing"—the impersonation of a trusted entity to access a system. But one of the most common methods attackers use involves no such trickery, but rather the exploitation of known flaws.
To better understand organizations' management of cyber risks, we recently looked at data on these types of vulnerabilities for more than 7,000 companies we rate in the financial and corporate sectors. Our analysis suggests that more than a few—across all industries—are slow to remediate their cyber vulnerabilities, increasing the risk that their IT systems could be compromised.
While our examination of vulnerabilities was limited to the "attack surface" (the potential entry points for unauthorized users), poor vulnerability management might be an indication of generally weak cyber risk management, which could be a consideration in our assessment of broader management and governance.
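The attack-surface remediation analysis described above, and the exposed-protocol finding cited earlier, both reduce to the same practical check: how long externally visible findings stay open relative to a remediation deadline. The script below is an added example, not S&P Global Ratings' methodology or code. It takes a constructed list of findings (assets, titles and dates are invented), applies assumed per-severity deadlines that stand in for an organization's own policy, escalates anything known to be exploited in the wild to the shortest clock, and reports what is overdue and the mean time to remediate.

```python
"""Remediation-aging check for externally exposed findings (added example).

All findings, assets and SLA values below are constructed for illustration;
they are not S&P data, real hosts or real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed per-severity remediation deadlines in days (organization policy,
# not a published standard); tighten or loosen to match your own.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    severity: str                    # one of the SLA_DAYS keys
    first_seen: date                 # first time the exposure was observed
    fixed: Optional[date] = None     # None while the finding is still open
    known_exploited: bool = False    # exploitation has been observed in the wild


def sla_days(f: Finding) -> int:
    """Known-exploited flaws get the critical clock regardless of scored severity."""
    return SLA_DAYS["critical"] if f.known_exploited else SLA_DAYS[f.severity]


def days_open(f: Finding, as_of: date) -> int:
    """Age of a finding: up to its fix date if fixed, otherwise up to the report date."""
    return ((f.fixed or as_of) - f.first_seen).days


def overdue(findings: List[Finding], as_of: date) -> List[Finding]:
    """Open findings whose age exceeds their deadline."""
    return [f for f in findings if f.fixed is None and days_open(f, as_of) > sla_days(f)]


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """Average days from first sighting to fix, over findings that were fixed."""
    fixed = [f for f in findings if f.fixed is not None]
    if not fixed:
        return None
    return sum(days_open(f, f.fixed) for f in fixed) / len(fixed)


def summarize(findings: List[Finding], as_of: date) -> dict:
    """Headline numbers a risk committee would ask for."""
    late = overdue(findings, as_of)
    by_severity: Dict[str, int] = {}
    for f in late:
        by_severity[f.severity] = by_severity.get(f.severity, 0) + 1
    return {
        "open": sum(f.fixed is None for f in findings),
        "overdue": len(late),
        "overdue_by_severity": by_severity,
        "worst_overdue_days": max((days_open(f, as_of) - sla_days(f) for f in late), default=0),
        "mttr_days": mean_time_to_remediate(findings),
    }


# Constructed sample: a mix of unpatched software and legacy cleartext protocols
# exposed to the internet, plus two findings that were already remediated.
AS_OF = date(2024, 10, 31)
SAMPLE: List[Finding] = [
    Finding("vpn-gw-01", "Unpatched VPN appliance firmware", "critical", date(2024, 9, 1), known_exploited=True),
    Finding("web-01", "Outdated TLS library on public web server", "high", date(2024, 8, 15)),
    Finding("rtr-edge-02", "Telnet management interface exposed to the internet", "high", date(2024, 6, 1)),
    Finding("mail-01", "Cleartext FTP service reachable externally", "medium", date(2024, 10, 10)),
    Finding("api-03", "Missing security headers", "low", date(2024, 10, 20)),
    Finding("web-02", "Outdated CMS plugin", "high", date(2024, 7, 1), fixed=date(2024, 7, 12)),
    Finding("db-proxy", "Weak cipher suites", "medium", date(2024, 5, 1), fixed=date(2024, 7, 10)),
]

if __name__ == "__main__":
    for f in overdue(SAMPLE, AS_OF):
        print(f"OVERDUE {f.asset:12} {f.severity:8} {days_open(f, AS_OF):4}d "
              f"(deadline {sla_days(f)}d): {f.title}")
    print(summarize(SAMPLE, AS_OF))
```

Run against the constructed sample, the check flags three overdue exposures (the exploited VPN flaw at 60 days against a 7-day clock, and two high findings including the Telnet interface open for 152 days), with a mean time to remediate of 40.5 days for the two fixed items. Feeding the same functions a real export from an external attack-surface scanner, keyed on first-seen and fix dates, gives the remediation-lag view that the analysis above relies on.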
What Could Change
It seems inevitable that the number of vulnerabilities will continue to increase, which means that vulnerability management will remain a critically important part of the cyber risk management toolkit.
The importance of vigilance can hardly be overstated, especially for those entities that play a crucial role in the world's increasingly interwoven supply chains. The idea that a bad actor, whether state-sponsored or rogue, could identify and disrupt an entity whose role in a critical supply chain is such that there could be contagion across an entire economy is troubling, to say the least. We also think the likelihood of such an attempt has grown substantially amid heightened geopolitical tensions.
It's very difficult for any entity to be perfect, given the fast-changing nature of cyber threats. Even a system that is "secure by design", built from the ground up with security as a primary design goal rather than bolted on afterward, isn't flawless. Or, at least, it soon won't be, as new attack techniques emerge and the components it depends on accumulate vulnerabilities of their own.
The analogy here is the fabled little Dutch boy who saved the city of Haarlem by using his finger to plug a leaking dike. But there are numerous leaks, both current and forthcoming, many of which he'll need help identifying and reaching. In other words, all entities, regardless of their current vulnerabilities, need to stay vigilant in their efforts to prevent attacks.
At the company level, this is especially important given the evolution of the market for cyber insurance. As providers focus more on this growing area, coverage—and exclusions—will depend on an organization's ability to demonstrate effective cyber hygiene. Moreover, as insurers tighten underwriting standards, the cost of coverage could become more expensive—perhaps prohibitively so for many borrowers, especially if investors become more risk-averse and drive up financing costs more generally.
All told, cyber resilience, which relies on effective cyber hygiene, is increasingly important, becoming ever more embedded in the wider concept of operational resilience. As a result, regulatory risk is growing for organizations that don't demonstrate good cyber hygiene.
Writers: Molly Mintz and Joe Maguire
This report does not constitute a rating action.
Primary Credit Analysts:
Tiffany Tribbitt, New York, +1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com
Martin J Whitworth, London, +44 2071766745; martin.whitworth@spglobal.com
Alexander J Gombach, New York, +1 (212) 438 2882; alexander.gombach@spglobal.com
Paul Alvarez, Washington D.C., +1 2023832104; paul.alvarez@spglobal.com
Secondary Contact:
Alexandra Dimitrijevic, London, +44 20 7176 3128; alexandra.dimitrijevic@spglobal.com
No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.
Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.
To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.
S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.
S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.