Lax Cyber Hygiene Leaves Firms Vulnerable to Attacks & Threatens Creditworthiness

September 2024 by Martin Whitworth, Lead Cyber Risk Expert, S&P Global Ratings

What’s Happening

• Just a few fundamental cyber hygiene practices could have prevented most successful cyber-attacks.

o High-profile examples of successful cyber-attacks that leveraged unpatched vulnerabilities include the WannaCry and Equifax attacks in 2017 and the Rackspace attack in 2022.

o In an April 2024 survey by network intelligence company ExtraHop, 51% of respondents reported that more than 50% of cyber-attacks on their organizations were related to poor cyber hygiene.

▪ According to the survey, about 50% of organizations use at least one unsecured, and thus vulnerable, network protocol.

Why It Matters

• Inadequate cyber hygiene practices make digital assets more vulnerable to attacks.

o Cyber hygiene is a component of cyber risk management, which S&P Global Ratings views as critical to limiting the potential negative ratings impacts following a successful cyber-attack.

o For sector-specific details on the effects of insufficient cyber risk management on ratings, see “Cyber Risk Insights: Navigating Digital Disruption,” published July 9, 2024.

• In an increasingly digital world, effective cyber security matters. This is because:

o Organizations with poor cyber security are more vulnerable to cyber-attacks and demonstrate weak cyber risk management, which could weigh negatively on our rating assessments.

o Poor cyber hygiene suggests insufficient response and recovery planning, which can exacerbate the financial and reputational effects of a successful cyber-attack.

o Companies with poor cyber hygiene practices could struggle to get cyber insurance coverage, which could increase financial pressure in the case of a cyber-attack.

What Comes Next

• Insurers are homing in on cyber hygiene.

o Insurance coverage and exclusions will depend on an organization’s ability to demonstrate effective cyber hygiene.

o Companies’ cyber preparedness is already a consideration in our ratings analyses.

• Cyber resilience, which relies on effective cyber hygiene, is coming to the fore.

o It is becoming increasingly embedded in the wider concept of operational resilience and covers different types of operational disruption.

o As a result, regulatory risk increases for organizations that are unable to demonstrate good cyber hygiene and face increased cyber security risks.