The landscape of cybersecurity is, without a shred of doubt, prone to dynamic shifts. According to the U.S. Securities and Exchange Commission (SEC), new cybersecurity regulations will require publicly traded organizations to provide proper disclosure of quote-unquote “material” cyber incidents within a period of four days.
Alright, four days. At least it isn’t four hours, right?
Nevertheless, many organizations – plus key policymakers and investors therein – still lack the ability to tap into key insights that shine a bright-enough overhead light, so to speak, on the evolution of the current threat landscape. (Which, as we’ve established, evolves rapidly.)
What’s the next step, then?
SecurityScorecard’s threat researchers have clinched an answer.
With such new breach requirements (and the increased need for breach visibility) on the horizon, SecurityScorecard conducted its S&P 500 Cyber Threat Report. This report analyzes the security ratings of S&P 500 companies and offers avenues down which security teams may trek in order to shore up the state of their respective cybersecure systems.
Here's a long-story-short version of the report’s findings:
- 21% of S&P 500 companies reported breaches in 2023: Bad actors chase money trails, and ransomware operators target S&P 500s based on their stocks’ market values (while demanding higher and higher ransoms as time passes). The bigger targets, in attackers’ eyes, are usually more capable of paying these ransoms, so strengthening cybersecurity to keep “the bigger they are, the harder they fall” from coming true is a sure-fire must in 2024.
- 25% of the reported S&P 500 breaches impacted financial services, fintech, and insurance companies: Financial institutions are responsible for substantial assets, and those wielding ransomware know how interconnected segments of the financial sector can be. Compromising a “big player” could lead to additional gains for bad actors. Thus, a company ensuring it’s protected can have a significant effect on other companies as well.
- 52% of breached companies unfortunately reported exposed Personally Identifiable Information (PII): Once an attack has been carried out, access to critical employee info (used against them either via ransom or via impersonation) can lead to legitimate crises on personal, professional, and wholesale operational levels. This is why, again, up-to-date cybersecurity protocols with maximized across-the-board visibility are vital.
The report also covered increasingly sophisticated social engineering risks that company associates face, supply chain attack statistics, and more.
“Regulatory pressure continues to grow, and companies need a unified definition of cybersecurity due diligence with clear metrics,” said Dr. Aleksander Yampolskiy, SecurityScorecard’s CEO. “Just as credit scores standardized the financial world, companies need a universal framework to measure cybersecurity risk and define materiality.”
Edited by Greg Tavarez