SecurityScorecard Threat Research: 21% of S&P 500 Companies Reported Breaches in 2023

New regulations apply new pressure as SEC heightens urgency on cybersecurity

NEW YORK – April 3, 2024 – According to the latest threat research from SecurityScorecard, 21% of S&P 500 companies experienced breaches in 2023. The new S&P 500 Cyber Threat Report details emerging trends and strategies for Chief Information Security Officers (CISOs). 

In fall 2023, the U.S. Securities and Exchange Commission (SEC) adopted landmark cybersecurity regulations, requiring publicly disclosing “material” cybersecurity incidents within four days. Previously, there were very few breach reporting requirements, which left government officials, policymakers, and investors without key information on cybersecurity incidents. 

Dr. Aleksandr Yampolskiy, CEO and Co-Founder, SecurityScorecard, stated: 

“Regulatory pressure continues to grow, and companies need a unified definition of cybersecurity due diligence with clear metrics. Just as credit scores standardized the financial world, companies need a universal framework to measure cybersecurity risk and define materiality.”

Against the backdrop of these regulatory headwinds, SecurityScorecard STRIKE threat hunters analyzed the security ratings of S&P 500 companies to find ways to improve the security of key players in the U.S. economy. 

Key findings

• 21% of S&P 500 companies reported breaches in 2023
  Attackers are chasing money. Ransomware operators view S&P 500 companies as particularly valuable targets based on their stocks’ market value and demand accordingly high ransoms. Attackers know that bigger targets are typically capable of paying high ransoms.

• 25% of these breaches impacted Financial Services and Insurance companies
  Financial institutions have some of the most robust security programs because they have substantial money and assets. The research illustrates how the interconnected nature of the financial sector means that compromising one institution or commonly used product can lead to broader impacts across the entire industry.

• 52% of companies had Exposed Personal Information
  Attackers are gaining access to employee information, facilitating social engineering attacks. Skilled threat actors combine various sources to tailor their social engineering attacks for maximum impact or to impersonate employees.

• The average Social Engineering risk grade for the S&P 500 is an “F”
  Social engineering poses a significant risk to many companies, even those with otherwise healthy risk profiles and strong security posture. Many threat actors use social engineering attack vectors because they enable attackers to circumvent technical security solutions by manipulating human users.

• Ransomware adversaries are demanding millions of dollars
  Ransomware demands for S&P 500 victims are now often in the eight-figure range. Ransomware operators often base their ransom demands on a company’s size in terms of the number of employees and its monetary value (e.g., market capitalization or annual revenue).

• Supply chain attacks have a material impact
  Attackers are going through a company’s vendors and partners if they can’t access them directly. As cited by the SEC requirements, SecurityScorecard research found that 98% of companies have a relationship with a third party that has been breached. Therefore, such third-party companies — whether public or not — should also familiarize themselves with the new regulations.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, said: 

“Companies are prioritizing vendor oversight after major supply-chain cyber attacks have affected thousands of businesses and breached data on millions of customers. The strength of a company’s cybersecurity is directly linked to the security measures of even its smallest vendors.”

Additional resources

• Download the 2024 SecurityScorecard S&P 500 Cyber Threat Report.
• Learn how to eliminate critical supply chain cyber risks with SecurityScorecard MAX. 

About STRIKE

The STRIKE threat intelligence team combines unique threat intelligence, incident response experience, and supply chain cyber risk expertise. Backed by SecurityScorecard technology, STRIKE is a strategic advisor to CISOs worldwide. STRIKE threat research empowers organizations to understand supply chain cyber risk and adversary attribution.

About SecurityScorecard

Funded by world-class investors, including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings, response, and resilience, with more than 12 million companies continuously rated. 

Founded in 2013 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented security ratings technology is used by over 25,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight. 

SecurityScorecard makes the world safer by transforming how companies understand, improve, and communicate cybersecurity risks to their boards, employees, and vendors. SecurityScorecard achieved the Federal Risk and Authorization Management Program (FedRAMP) Ready designation, highlighting the company’s robust security standards to protect customer information, and is listed as a free cyber tool and service by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Every organization has the universal right to its trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.

Media Contact

Ashley Nakano
SecurityScorecard
[email protected]