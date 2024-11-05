Analysts from S&P Global Ratings recently examined 7,000 rated entities to assess their vulnerability to cyberattacks and their management of cyberrisks. Sectors within the rated universe have different likelihoods of being targeted by malicious actors. The credit implications of an attack also vary, with sectors such as healthcare and telecom and cable facing the highest risk due to the sensitivity of the data they process. However, S&P Global Ratings considers all businesses of material scope vulnerable to cyberattacks since all competitive companies are part of the interconnected digital economy.

There are various ways malicious actors can subvert IT security. Many attackers rely on known software vulnerabilities to gain access to computer systems. In the modern digital economy, it is unsurprising that the number of known vulnerabilities increased to 29,000 in 2023 from 4,000 in 2022. This rise in vulnerabilities is partly a reflection of increased security research and improved detection tools and techniques.

Hackers have built malicious code to exploit 26.5% of the identified vulnerabilities, according to cybersecurity firm Qualys. It is far easier for hackers to gain access to sensitive data when they can use established exploits. The older the unpatched or mitigated vulnerability, the easier it is for hackers to leverage existing software exploits. Among the companies with identified vulnerabilities in the rated entities, 28% had vulnerabilities that were discovered seven years ago. Analysis revealed that the oldest vulnerability was over 24 years old and affects software that is no longer supported by the vendor. Over 80% of the detected vulnerabilities were considered medium severity or higher.

Among the companies included in the analysis, the average score equated to medium severity exposure to cyberattacks. More connectivity, defined as the number of digital connections with outside systems, increases the risk of exposure to cyberattacks from malicious actors. Companies that had thoughtful system redundancy design, rapid responses and cyber insurance scored more positively and were seen as having less exposure to credit impacts from cyberattacks.

Cyberrisk appears to be on a steady upward trajectory, exposing companies to stolen intellectual property, operational interruption, reputational loss and financial impacts. S&P Global Ratings considers the management of cyberrisk an important governance issue that can impact a rating. The likelihood of a rating impact due to cyberrisk for any individual entity also depends on the severity of the cyberattack, as well as management's mitigation and recovery plans.

