1 in 5 S&P 500 Companies Reported Breaches Last Year

Ransomware demands and supply chain targeting continue to escalate.


According to the latest threat research from SecurityScorecard, 21 percent of S&P 500 companies experienced breaches in 2023. The new S&P 500 Cyber Threat Report details emerging trends and strategies. According to Dr. Aleksandr Yampolskiy, CEO and Co-Founder of SecurityScorecard, “Regulatory pressure continues to grow, and companies need a unified definition of cybersecurity due diligence with clear metrics. Just as credit scores standardized the financial world, companies need a universal framework to measure cybersecurity risk.”

SecurityScorecard STRIKE threat hunters analyzed the security ratings of S&P 500 companies to find ways to improve the security of key players in the U.S. economy. Their findings show:

  • 21 percent of S&P 500 companies reported breaches in 2023. Attackers are chasing money. Ransomware operators view S&P 500 companies as particularly valuable targets based on their stocks’ market value and demand accordingly high ransoms. Attackers know that bigger targets are typically capable of paying high ransoms.
  • 52 percent of companies had personal information exposed. Attackers are gaining access to employee information to facilitate social engineering attacks. Skilled threat actors combine various sources to tailor their attacks for maximum impact, or to impersonate employees.
  • The average Social Engineering risk grade for the S&P 500 is an “F”. Many threat actors use social engineering attack vectors because they enable attackers to circumvent technical security solutions by manipulating human users.
  • Ransomware demands for S&P 500 victims are now often in the eight-figure range. Ransomware operators often base their ransom demands on a company’s size in terms of the number of employees and its monetary value (e.g., market capitalization or annual revenue).
  • Supply chain attacks have a material impact. Attackers go after a company’s vendors and partners when they cannot reach the company directly. As cited in the SEC requirements, SecurityScorecard research found that 98 percent of companies have a relationship with a third party that has been breached. Therefore, such third-party companies — whether public or not — should also familiarize themselves with the new regulations.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence, stated, “Companies are prioritizing vendor oversight after major supply chain cyber attacks have affected thousands of businesses and breached data on millions of customers. The strength of a company’s cybersecurity is directly linked to the security measures of even its smallest vendors.”

In fall 2023, the U.S. Securities and Exchange Commission (SEC) adopted landmark cybersecurity regulations that require public companies to disclose “material” cybersecurity incidents within four days. Previously, there were very few breach reporting requirements, which left government officials, policymakers, and investors without key information on cybersecurity incidents.
