Corporate Sustainability Assessment
25 May 2026
Information security breaches pose operational and financial risks as organizations digitalize their business models. Incidents can stem from malicious attacks, technical failures and human error, and their impacts range from system downtime and theft of sensitive data to regulatory fines, litigation and third-party operational disruptions. A sound information security management system extends well beyond basic awareness training or perimeter controls such as firewalls and encryption. It requires systematic vulnerability testing, ongoing monitoring, and assessment of actual data breaches and near-miss incidents.
Without reliable information on how often incidents occur, how severe they are and where controls fail, companies risk underestimating their exposure, misallocating resources and allowing vulnerabilities to persist. Evidence shows that cyber incidents trigger significant negative stock market reactions, with shareholder losses far exceeding direct costs, reflecting the market’s reassessment of previously underappreciated risks. Firms that fail to provide transparent, timely information risk sharper valuation impacts when incidents reveal exposures, consistent with capital markets penalizing uncertainty and information gaps.[1] By contrast, organizations that systematically track and analyze breach data can refine their controls, strengthen business continuity planning and potentially reduce cash flow volatility over time, supporting operational resilience and long-term value creation.
Within our ESG Scores and Raw Data, underpinned by the S&P Global Corporate Sustainability Assessment (CSA), we assess the extent to which companies disclose their preparedness to prevent and respond to information security issues, capturing the disclosed control mechanisms they use to safeguard their information. Companies are scored from zero to 100, with higher scores reflecting more comprehensive and formalized programs, as evidenced by company disclosures, including where companies provide publicly verifiable documentation (e.g., third-party assurances, audits and certifications, where disclosed). A score of zero is assigned where relevant information is not publicly disclosed or does not meet CSA expectations.
The CSA is an annual evaluation of sustainability practices covering about 14,000 companies worldwide. In this review, we analyze the information security management programs of 11,765 public companies across 62 industries globally, assessed in the 2025 research cycle. Our analysis examines whether companies that have disclosed cybersecurity breaches tend to exhibit more robust information security management systems.
Figure 1 shows that 75% of companies have implemented information security awareness training for employees. Meanwhile, just over half of companies have security-related business continuity plans, reflecting efforts to prevent potential threats, limit damage and recover systems when breaches occur. More advanced, preventive practices were less widespread, with 40% of companies conducting third-party vulnerability analysis or simulated hacker attacks. This pattern suggests a preference for reactive capabilities over proactive internal and external vulnerability testing. Moreover, only 33% of companies have implemented third-party verification of their systems, slightly above the share conducting internal audits.
The chart also reveals gaps in how companies manage information security risks. While 45% of companies disclosed data breach information for the latest fiscal year — whether reporting one or more incidents or explicitly confirming that no breaches occurred — only 17% have implemented front-line escalation and early warning mechanisms. These mechanisms include employee reporting channels for incidents, vulnerabilities and suspicious activities. This imbalance highlights a disconnect between monitoring realized breaches and proactively identifying and managing information security risks.
Figure 2 shows that, on average, companies disclosing one or more information security breaches achieved higher category scores than peers reporting zero incidents, which in turn scored well above companies that did not disclose breaches. This pattern holds across most sectors, except for consumer staples, consumer discretionary and real estate.
Across sectors, companies that did not disclose cybersecurity breach information in public reporting also tended to have the lowest scores in this category. This may reflect differences in publicly available documentation, disclosure practices, and monitoring or governance maturity. The observed relationships between disclosure and higher scores are correlational and may be influenced by factors such as regulatory requirements, sector-specific disclosure norms and differences in reporting practices, rather than indicating causation.
Overall, the data indicates that higher-scoring companies are more likely to track and report incidents, and that transparency on breaches is associated with more developed information security management practices in disclosed information. By contrast, low scores among nondisclosing companies may reflect more limited publicly available information, differences in monitoring approaches or varying levels of documentation.
At an aggregate level, information security management scores varied across sectors, reflecting differences in data intensity, regulatory exposure and operational risk. The financials sector led due to high cybersecurity materiality; the information technology and communication services sectors also showed elevated exposure as data-driven businesses. Lower scores in the consumer, real estate and materials sectors may reflect lower perceived materiality, though increasing digitalization could raise future risk relevance.
Across the dataset, results suggest that information security management programs are broadly adopted across sectors, but gaps in depth, consistency and execution exist and could lead to tangible financial impacts. Given that ineffective information security practices can trigger operational failures, the loss or theft of sensitive data, fines, penalties and reputational damage, uneven implementation of information security programs across organizations leaves enterprise value exposed.
Effective monitoring and systematic assessment of data are foundational elements of a mature information security management framework. When breach metrics are combined with clear employee escalation processes and supported by regular internal and external audits, incident information becomes more timely, reliable and useful for decision-making. This approach helps to reduce the likelihood of repeat events and limits their financial and operational impact.
As regulatory expectations, supervisory scrutiny and cyberthreat intensity continue to increase, companies that close these gaps — by aligning preventive controls with rapid escalation mechanisms and transparent breach analytics — may be better positioned to manage volatility in information security risks and help to support long-term value through resilient and trusted digital operating models.
[1] Kamiya, S., et al. (2021). “Risk management, firm reputation, and the impact of successful cyberattacks on target firms.” Journal of Financial Economics 139(3), 719–749.
Disclaimer
This content (including any information, data, analyses, opinions, ratings, scores, and other statements) (“Content”) has been prepared solely for information purposes and is owned by or licensed to S&P Global and/or its affiliates (collectively, “S&P Global”).
This Content may not be modified, reverse engineered, reproduced or distributed in any form by any means without the prior written permission of S&P Global. You acquire absolutely no rights or licenses in or to this Content and any related text, graphics, photographs, trademarks, logos, sounds, music, audio, video, artwork, computer code, information, data and material therein, other than the limited right to utilize this Content for your own personal, internal, non-commercial purposes or as further provided herein.
Any unauthorized use, facilitation or encouragement of a third party’s unauthorized use (including without limitation copy, distribution, transmission, modification, use as part of generative artificial intelligence or for training any artificial intelligence models) of this Content or any related information is not permitted without S&P Global’s prior consent and shall be deemed an infringement, violation, breach or contravention of the rights of S&P Global or any applicable third party (including any copyright, trademark, patent, rights of privacy or publicity or any other proprietary rights).
This Content and related materials are developed solely for informational purposes based upon information generally available to the public and from sources believed to be reliable. S&P Global gives no representations or warranties regarding the use of this Content and/or its fitness for a particular purpose including but not limited to any regulatory reporting purposes and references to a particular investment or security, a score, rating or any observation concerning an investment or security that is part of this Content is not a recommendation to buy, sell or hold such investment or security, does not address the suitability of an investment or security and should not be relied on as investment or regulation related advice.
The Content should not be relied on and is not a substitute for the skill, judgment and experience of the user, its management, employees, advisors and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives.
S&P Global shall have no liability, duty or obligation for or in connection with this Content, any other related information (including for any errors, inaccuracies, omissions or delays in the data) and/or any actions taken in reliance thereon. In no event shall S&P Global be liable for any special, incidental, or consequential damages, arising out of the use of this Content and/or any related information.
The S&P and S&P Global logos are trademarks of S&P Global registered in many jurisdictions worldwide. You shall not use any of S&P Global’s trademarks, trade names or service marks in any manner, and in no event in a manner accessible by or available to any third party. You acknowledge that you have no ownership or license rights in or to any of these names or marks.
Adherence to S&P's Internal Policies
S&P Global adopts policies and procedures to maintain the confidentiality of non-public information received in connection with its analytical processes. As a result, S&P Global employees are required to process non-public information in accordance with the technical and organizational measures referenced in the internal S&P Global Information Security and Acceptable Use policies and related guidelines.
Conflicts of Interest
S&P Global is committed to providing transparency to the market through high-quality independent opinions. Safeguarding the quality, independence and integrity of Content is embedded in its culture and at the core of everything S&P Global does. Accordingly, S&P Global has developed measures to identify, eliminate and/or minimize potential conflicts of interest for Sustainable1 as an organization and for individual employees. Such measures include, without limitation, establishing a clear separation between the activities and interactions of its analytical teams and non-analytical teams; email surveillance by compliance teams; and policy role designations. In addition, S&P Global employees are subject to mandatory annual training and attestations and must adhere to the Sustainable1 Independence and Objectivity Policy, the Sustainable1 Code of Conduct, the S&P Global Code of Business Ethics and any other related policies.
See additional Disclaimers at https://www.spglobal.com/en/terms-of-use
Copyright© 2026 S&P Global Inc. All rights reserved.