Lax Cyber Hygiene Leaves Firms Vulnerable to Attacks & Threatens Creditworthiness
September 2024 by Martin Whitworth, Lead Cyber Risk Expert, S&P Global Ratings
“Implementing only a few fundamental cyber hygiene practices could have prevented most successful cyber-attacks. Inadequate cyber hygiene practices make digital assets more vulnerable to attacks and can impair ratings. For this and other reasons, we factor cyber preparedness into our ratings analyses,” says Martin Whitworth, Lead Cyber Risk Expert, S&P Global Ratings.
What’s Happening
• Only a few fundamental cyber hygiene practices could have prevented most successful cyber-attacks.
o High-profile examples of successful cyber-attacks that leveraged unpatched vulnerabilities include the WannaCry and Equifax attacks in 2017 and the Rackspace attack in 2022.
o In an April 2024 survey by network intelligence company ExtraHop, 51% of respondents reported that more than 50% of cyber-attacks on their organizations were related to poor cyber hygiene.
According to the survey, about 50% of organizations use at least one unsecured, and thus vulnerable, network protocol.
Why It Matters
• Inadequate cyber hygiene practices make digital assets more vulnerable to attacks.
o Cyber hygiene is a component of cyber risk management, which S&P Global Ratings views as critical to limiting the potential negative ratings impacts following a successful cyber-attack.
o For sector-specific details on the effects of insufficient cyber risk management on ratings, see “Cyber Risk Insights: Navigating Digital Disruption,” published July 9, 2024.
• In an increasingly digital world, effective cyber security matters. This is because:
o Organizations with poor cyber security are more vulnerable to cyber-attacks and demonstrate weak cyber risk management, which could weigh negatively on our rating assessments.
o Poor cyber hygiene suggests insufficient response and recovery planning, which can exacerbate the financial and reputational effects of a successful cyber-attack.
o Companies with poor cyber hygiene practices could struggle to get cyber insurance coverage, which could increase financial pressure in the case of a cyber-attack.
What Comes Next
• Insurers are homing in on cyber hygiene.
o Insurance coverage and exclusions will depend on an organization’s ability to demonstrate effective cyber hygiene.
o Companies’ cyber preparedness is already a consideration in our ratings analyses.
• Cyber resilience, which relies on effective cyber hygiene, is coming to the fore.
o It is becoming increasingly embedded in the wider concept of operational resilience and covers different types of operational disruption.
o As a result, regulatory risk increases for organizations that are unable to demonstrate good cyber hygiene and face increased cyber security risks.