Managing Cyber Risk: Breach Risk Trends in Public Companies

Subodh Mishra is Global Head of Communications at ISS STOXX. This post is based on an ISS-Corporate memorandum by Douglas Clare and Brian O’Leary.

Introduction

In the two years to January 2024, almost 700 cyber incidents were reported among Russell 3000 companies in the U.S., impacting more than 10% of the firms. One-third of those involved the compromise of a supplier or other third party, and the study also identified substantial third-party aggregate risk concentration across Russell 3000 firms.

Key Takeaways

  • One-third of reported incidents among Russell 3000 firms involved a supplier or other third-party relationship, and incidents that impacted a large number of individuals were more likely to have a third party as the root cause.
  • Aggregate risk exposure across the index is high, with more than 90% of Russell 3000 firms utilizing certain third-party technologies, and more than 1,000 unique supplier/technology pairings each being utilized by more than 10% of constituent companies.
  • Companies that reported cyber incidents during the analysis period have higher risk, as measured by significantly lower ISS Cyber Risk Scores, than firms with no reported incidents.
  • Of those firms reporting an incident, the score effectively rank-orders incident risk by severity, as measured by the number of individuals impacted.

Backdrop

Data breaches and other security incidents continue to grab headlines and create negative impacts for companies, their customers, and their shareholders. Ransomware incidents continue to dominate in terms of headline-making events; however, a broad spectrum of incident types continue to generate challenges for publicly traded firms. Managing these risks is critical, and consequently consumes a significant amount of time, money and attention of C-suite executives and board members. It has also gotten increasing attention from regulators.

The SEC has imposed its long-anticipated disclosure requirements for publicly traded firms, requiring timely market notification of breach events, annual disclosures regarding cyber risk management practices, and management and board involvement in oversight. This is already driving a change in behavior. A review of disclosure data for Russell 3000 firms as of February 2024 showed that roughly 35% of firms were providing regular cyber security briefings to boards of directors. By June, this had increased to more than 98% of the firms.[1]

While the actual performance impact of these changes will take some time to measure, companies should expect more scrutiny as detailed disclosures become commonplace and shareholders begin to expect them. These disclosures will undoubtedly help to ensure that investors have better information; but objective, technical assessments of cyber risk are also available, and they play an increasingly important role in both self-assessment and stakeholder-assessment of cyber risks.

As this paper will show, the ISS Cyber Risk Score provides objective insight into cyber risk and can serve as a valuable input for companies as well as stakeholders looking to manage risk across a portfolio of firms.

High Cost of Cyber Risk

The average cost of cyber breach insurance claims for small and medium enterprises (SMEs) between 2018 and 2022 was $175,000, according to the 2023 NetDiligence® Cyber Claims Study. The height of the pandemic in 2020 saw the largest number of claims and the highest costs for SMEs. Since then, the number of claims has dropped by half and the average size is down by about 25%. Still, the numbers indicate that serious risks remain. The average claim cost for large enterprises with $2 billion or more in annual revenue over the same five-year period was $13.8 million.

Certain classes of claims, reflecting specific types of cyber incidents, cost more. Ransomware costs, comprising fully one-third of claims for large firms, averaged $43.4 million. At smaller firms, the per-incident cost of ransomware losses is nearly double the incident cost of non-ransomware claims.[2] Mirroring the claims data, the 2024 Verizon Data Breach Investigations Report cites ransomware or similar extortion-type incidents as representing roughly one-third of incidents overall.[3]

It’s not surprising, then, that ransomware also played a starring role in the largest and most headline-grabbing recent breaches, including the 2023 incident that famously shut down MGM Resorts in September and an attack that crippled UnitedHealth early in 2024. UnitedHealth CFO John Rex has indicated that the full-year costs will total between $1.4 billion and $1.6 billion.[4]

Impacts on shareholders are harder to discern, as the market seems to punish some firms quickly and excuse others indefinitely. The MGM Resorts incident had a $100 million impact on its Q3 results. The share price was impacted quickly and significantly in the days following the incident, but it has since recovered. UnitedHealth seems to have steered clear of any significant medium-term impacts on share price. Some impacts, such as fines and litigation, take longer to materialize but may be financially significant and affect shareholders down the road. Much depends on the financial strength and diversity of the firm suffering the loss. Regardless, it will always be difficult to estimate the long-term value that might have been generated if cyber losses had been avoided and the lost profits put to productive use in generating shareholder value.

How the Analysis Works

The findings outlined in this report are derived from an analysis by ISS-Corporate of the Russell 3000 over the two years through Dec. 31, 2023. The data used in the analysis comes from the ISS Cyber Risk Score platform, which serves as the delivery engine for the score.

The ISS Cyber Risk Score is calculated by a machine learning model trained on reported cyber incidents. It is a scaled representation of the likelihood that an organization will suffer a material security incident within the next 12 months and ranges from 300 (highest risk) to 850 (lowest risk). The score is calculated based on the observed behavior of an organization measured through its existing and historical security posture. The signal data, broadly, is generated through an assessment of the nature and extent of exposure of IT assets, the configuration and condition of Internet-accessible networks, and the content and construction of domains owned by the subject firm. It also considers firmographic factors (size and sector), as well as reported evidence of endpoint compromise.

The total number of firms included in the analysis is 2,928. Twenty Russell 3000 firms were excluded from the list due to a lack of available data.

The average score across this universe of firms is 698. Those scoring higher demonstrate lower-than-average risk. Those with lower scores demonstrate a higher-than-average risk. The standard deviation is 86 points.

The study leverages cyber incident data collected primarily from 32 U.S. state reporting databases. These states have a mandatory security incident reporting requirement for firms operating there and the data is available to the public. As most larger firms operate across multiple states, the incident reporting coverage is likely to include most of the significant incidents.

The score distribution across the Russell 3000 follows.

Cyber Incidents

Leveraging this data, we found 693 incidents impacting the study population. A total of 310 firms, or 10.5%, reported one or more incidents. There were 232 incidents specified as being caused by or involving a third-party – almost exactly one-third of the total. The remainder were cataloged as an incident type consistent with a direct or first-party event.

Incidents were further categorized by size, based on the scale of data compromised as measured by the number of individuals impacted. Incidents involving the data of 100,000 or more individuals were classified as extra-large, 10,000 or more as large, 100 or more as medium and less than 100 as small. The largest incident recorded impacted 60 million individuals. There were 14 separate incidents that impacted more than 1 million people.

The underlying cause of the incident is not captured for about 20% of the reported incidents. For the rest, nearly 30% are attributable to issues with people (e.g. human error, social engineering), rather than something strictly technical. This ratio is lower than the statistics provided in the 2024 Verizon Data Breach Investigations Report, which analyzes a much broader spectrum of firms. According to Verizon, 68% of cyber incidents involve a “human element”.[5] For a more in-depth analysis of the impact and measurement of human error in cyber incidents, see People Problems: The Human Element of Cyber Risk.

Ransomware is not expressly captured as a category in the study dataset, but malware is. Interestingly, malware is more frequently present in the larger incidents. A malware element is found in nearly 10% of the medium, large and extra-large categories, but less than 2% of the small incidents.

The full article can be found here.


[1] ISS-ESG review of disclosure information for Russell 3000 firms (GQS FactorID 404), 1H2024.

[2] NetDiligence Cyber Claims Study, 2023 Report.

[3] 2024 Data Breach Investigations Report, Verizon Business.

[4] “UnitedHealth Paid Hackers $22 Million, Fixes Will Soon Cost Billions”, Forbes, April 30, 2024.

[5] 2024 Data Breach Investigations Report, Verizon Business.
