The Cybersecurity of the S&P 500: An in-depth analysis from SecurityScorecard

In fall 2023, the U.S. Securities and Exchange Commission (SEC) adopted landmark cybersecurity regulations, requiring public companies to disclose “material” cybersecurity incidents within four days. Prior to this, there were very few breach reporting requirements, leaving business leaders, government officials, policymakers, and investors without key information on cybersecurity incidents. This move by the SEC represents a shift away from decades-old voluntary compliance guidelines to a more aggressive regulatory approach across the cybersecurity landscape. 

Even if an organization has a robust cybersecurity posture, attackers are going through its vendors and partners if they can’t access the organization directly. As many as 98% of companies have a relationship with a third party that has been breached. Against this backdrop, SecurityScorecard has released the 2024 SecurityScorecard S&P 500 Cyber Threat Report, an in-depth analysis of cybersecurity incidents, third-party cyber risk, and security ratings of the members of the S&P 500 U.S. stock market index. The purpose of this research was two-fold: to help improve key members of the U.S. economy; and to guide third-party risk management (TPRM) teams. 

 

 

Key finding: 21% of S&P companies breached in 2023

One point of interest from the report was that 21% of S&P 500 companies reportedly experienced breaches in 2023. Though nation-state and politically-motivated cyberattacks have been on the rise in recent years, cyber criminals are still primarily motivated by money. The companies in the S&P 500 represent key economic drivers of the economy, and therefore make more attractive targets for ransomware campaigns. 

According to our recent Global Cyber Resilience Scorecard, ten threat actor groups are responsible for 44% of global cyber incidents. The most notable being the mid-2023 campaign by the criminal group C10p, in which it exploited CVE-2023-34362, a zero-day vulnerability in the MOVEit file transfer software of Progress Software. This campaign affected multiple S&P 500 members directly, as actual users of MOVEit, as well as indirectly, via vendors using MOVEit. Though still ongoing, the MOVEit breach alone is projected to cost around $65B USD. 

 

Many breaches originate with third parties

Our research also found that many breaches affecting S&P 500 members occurred via third parties, rather than at the companies themselves. These vendors often provide software or other IT products and services. This threat highlights the importance of identifying and assessing the security posture of all Nth parties in a company’s digital ecosystem.

 

Supply chains at risk 

Further analysis shows that 25% of the breaches impacted financial services and insurance companies. In the financial sector, specifically, the reliance on common service third-party providers means attacks have a higher probability of having systemic implications and could make entire sectors vulnerable. To underscore this point, financial entities throughout the European Union are preparing for the Digital Operational Resilience Act (DORA), a piece of legislation that will strengthen the cyber resilience and the digital supply chains of credit institutions, investment firms, insurers, and more. Similarly, in the U.S. the SEC’s new regulations seek to bolster the digital supply chain against such threats. 

Many industries — such as telecommunications, healthcare, financial services, energy, and technology — are interconnected, resulting in a complex matrix of risk interdependencies that policymakers and business executives around the world are attempting to address with laws, policies, and risk management strategies. 

 

Social engineering poses significant risk

One of the more surprising findings from the report is how many companies are vulnerable to social engineering. Social engineering poses a significant risk to many companies, even those with otherwise healthy risk profiles and strong security posture. Many threat actors use social engineering attack vectors because they enable attackers to circumvent technical security solutions by manipulating human users. 

 

Final thoughts

Earlier this year, SecurityScorecard released the Cyber Resilience Scorecard, which found that a nation’s economic prosperity is closely tied to its ability to navigate the complex landscape of cyber threats. The report found that higher income regions exhibit better cybersecurity hygiene and lower cyber risk. Put simply: wealthier countries are generally better equipped to invest in resilient and safe infrastructure and to implement and maintain active security programs. 

 

Recommendations for enhancing cybersecurity

While strong security certainly costs money, large security investments don’t guarantee a strong security posture. Even organizations with vast sums invested in technical security solutions are still vulnerable to social engineering attacks that exploit human vulnerabilities to circumvent those technical defenses. 

Organizations that have already invested heavily in technical security measures would also benefit by focusing on: security awareness training for employees; monitoring for dark web data disclosures; and encouraging discretion and caution in the use of professional networking services and other social media. 

To read more insights, as well as further security recommendations, download the 2024 SecurityScorecard S&P 500 Cyber Threat Report today.