How good are companies at guarding against cyber threats?
Alexandra Dimitrijevic
Global Executive in Financial Services | Thought Leader | Sustainable Finance | Board Member
Maintaining effective "cyber hygiene" is an essential component of organizations' risk management. But Cyber Security Awareness Month is a reminder that the struggle for cyber security rolls on for public and private entities—with many borrowers not adequately prepared to prevent, or mitigate, attacks.
What we're watching:
Cyberattacks pose a serious risk to borrowers up and down the ratings spectrum, especially as new methods and actors emerge. Companies slow to adapt or update their IT structures are, clearly, the most vulnerable. Establishing and embedding an array of practices that minimize the risk of security crises—known as cyber hygiene—is essential to effective management of organizational risk.
Data on cyber hygiene bolster the view that routinely ensuring the security of systems and data can significantly reduce exposure to cyberattacks. In fact, good cyber hygiene has been shown to protect against nearly all (99%) cyberattacks, according to Microsoft's Digital Defense Report, from October 2023.
Effective cyber security is becoming increasingly important to credit quality, as well. Poor cyber hygiene suggests insufficient response and recovery planning, which can exacerbate the financial and reputational effects of successful cyberattacks and thus weigh on S&P Global Ratings' analysis of creditworthiness. At the same time, companies with poor cyber hygiene could struggle to get cyber insurance coverage, which could increase financial pressure in the event of an attack.
What we think and why:
Within our governance analysis, poor management of cyber threats and vulnerabilities can indicate weakness in organizational risk management and could negatively influence our assessment of an entity's risk management and internal controls.
And while cyber security isn't easy, involving a lot of moving pieces and requiring significant cooperation across an enterprise, sometimes fundamental steps—such as quickly patching an identified vulnerability—can prevent a successful attack. This is crucial considering that a survey in April by network-intelligence company ExtraHop showed that about half of organizations use at least one unsecured, and therefore vulnerable, network protocol.
Cyber disruption isn't always the result of an attack. Consider the wide-ranging upheaval caused by a software update launched by CrowdStrike Holdings in July. On top of the billions of dollars in losses directly linked to the global outage, and millions of Windows machines affected, the event highlighted the risks to the global IT ecosystem inherent in the interdependency of critical systems and software, and underscored the concentration risk arising from the dominance of a few key vendors.
Cyber attackers often rely on subterfuge such as phishing emails, or so-called "spoofing"—the impersonation of a trusted entity to access a system. But one of the most common methods attackers use involves no such trickery, but rather the exploitation of known flaws.
To better understand organizations' management of cyber risks, we recently looked at data on these types of vulnerabilities for more than 7,000 companies we rate in the financial and corporate sectors. Our analysis suggests that more than a few—across all industries—are slow to remediate their cyber vulnerabilities, increasing the risk that their IT systems could be compromised.
While our examination of vulnerabilities was limited to the "attack surface" (the potential entry points for unauthorized users), poor vulnerability management might be an indication of generally weak cyber risk management, which could be a consideration in our assessment of broader management and governance.
What could change:
It seems inevitable that the number of vulnerabilities will continue to increase, which means that vulnerability management will remain a critically important part of the cyber risk management toolkit.
The importance of vigilance can hardly be overstated, especially for those entities that play a crucial role in the world's increasingly interwoven supply chains. The idea that a bad actor, whether state-sponsored or rogue, could identify and disrupt an entity whose role in a critical supply chain is such that there could be contagion across an entire economy is troubling, to say the least. We also think the likelihood of such an attempt has grown substantially amid heightened geopolitical tensions.
It's very difficult for any entity to be perfect, given the fast-changing nature of cyber threats. Even a system that is "secure by design"—which is to say, built from the ground up, with security as a prevailing feature—isn't flawless. Or, at least, it soon won't be.
The analogy here is the fabled little Dutch boy who saved the city of Haarlem by using his finger to plug a leaking dike. But there are numerous leaks, both current and forthcoming, many of which he'll need help identifying and reaching. In other words, all entities, regardless of their current vulnerabilities, need to stay vigilant in their efforts to prevent attacks.
At the company level, this is especially important given the evolution of the market for cyber insurance. As providers focus more on this growing area, coverage—and exclusions—will depend on an organization's ability to demonstrate effective cyber hygiene. Moreover, as insurers tighten underwriting standards, the cost of coverage could become more expensive—perhaps prohibitively so for many borrowers, especially if investors become more risk-averse and drive up financing costs more generally.
All told, cyber resilience, which relies on effective cyber hygiene, is increasingly important, becoming ever more embedded in the wider concept of operational resilience. As a result, regulatory risk is growing for organizations that don't demonstrate good cyber hygiene.
CreditWeek, Edition 48
Contributors: Tiffany Tribbitt, Martin Whitworth, Paul Alvarez, and Alexander J Gombach
Written by: Joe Maguire
Head of Design | Watercolor Artist | Project Manager | Developer
3 days ago
Did anyone read the WSJ the day of the election? A number of good stories about cyber security and recent failures.
Senior Credit Risk Analyst at Discount Bank
5 days ago
Agree
Experienced Production Manager
1 week ago
Excellent information, as personal hygiene-cyber hygiene is a must-have ‘way to go’.
Founder, CTO at MobilFlex
1 week ago
While there is no "foolproof" system, hardware security MUST BE SIGNIFICANTLY IMPROVED! In the name of "openness" and "agility" today's systems allow any idiot to modify the "registry" and install programs. This must change!