According to the latest threat research from SecurityScorecard, 21% of S&P 500 companies experienced breaches in 2023. The new S&P 500 Cyber Threat Report details emerging trends and strategies for Chief Information Security Officers (CISOs).
In fall 2023, the U.S. Securities and Exchange Commission (SEC) adopted landmark cybersecurity regulations requiring public disclosure of “material” cybersecurity incidents within four days. Previously, there were very few breach reporting requirements, which left government officials, policymakers, and investors without key information on cybersecurity incidents.
Dr. Aleksandr Yampolskiy, CEO and Co-Founder, SecurityScorecard, stated:
“Regulatory pressure continues to grow, and companies need a unified definition of cybersecurity due diligence with clear metrics. Just as credit scores standardized the financial world, companies need a universal framework to measure cybersecurity risk and define materiality.”
Against the backdrop of these regulatory headwinds, SecurityScorecard STRIKE threat hunters analyzed the security ratings of S&P 500 companies to find ways to improve the security of key players in the U.S. economy.
Key findings
- 21% of S&P 500 companies reported breaches in 2023
Attackers are chasing money. Ransomware operators view S&P 500 companies as particularly valuable targets based on their stocks’ market value and demand correspondingly high ransoms. Attackers know that bigger targets are typically capable of paying high ransoms.
- 25% of these breaches impacted Financial Services and Insurance companies
Financial institutions have some of the most robust security programs because they have substantial money and assets. The research illustrates how the interconnected nature of the financial sector means that compromising one institution or commonly used product can lead to broader impacts across the entire industry.
- 52% of companies had Exposed Personal Information
Attackers are gaining access to employee information, facilitating social engineering attacks. Skilled threat actors combine various sources to tailor their social engineering attacks for maximum impact or to impersonate employees.
- The average Social Engineering risk grade for the S&P 500 is an “F”
Social engineering poses a significant risk to many companies, even those with otherwise healthy risk profiles and strong security posture. Many threat actors use social engineering attack vectors because they enable attackers to circumvent technical security solutions by manipulating human users.
- Ransomware adversaries are demanding millions of dollars
Ransomware demands for S&P 500 victims are now often in the eight-figure range. Ransomware operators often base their ransom demands on a company’s size in terms of the number of employees and its monetary value (e.g., market capitalization or annual revenue).
- Supply chain attacks have a material impact
Attackers go through a company’s vendors and partners if they can’t reach the company directly. As cited in the SEC requirements, SecurityScorecard research found that 98% of companies have a relationship with a third party that has been breached. Therefore, such third-party companies — whether public or not — should also familiarize themselves with the new regulations.
Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, said:
“Companies are prioritizing vendor oversight after major supply-chain cyber attacks have affected thousands of businesses and breached data on millions of customers. The strength of a company’s cybersecurity is directly linked to the security measures of even its smallest vendors.”