Cybersecurity negligence and resulting vulnerability have become increasingly critical as the number of known vulnerabilities surges. In a recent report, S&P Global Ratings warns that organizations slow to remediate highly targeted cyber vulnerabilities may face significant governance issues. Such delays increase the risk of system compromises and could negatively influence S&P’s assessment of an entity’s risk management and internal controls.
The report highlights that vulnerability exploitation nearly tripled in 2023, emphasizing the urgent need for effective vulnerability management. S&P’s analysis suggests that some rated organizations may be slow to address known security flaws, thereby heightening the risk of cyberattacks.
Our thoughts on the report follow; you can see them for yourself here.
Surge in Cyber Vulnerabilities
Vulnerability exploitation has seen a dramatic increase in 2023, according to the 2024 Verizon Data Breach Investigations Report. Qualys, an information security solutions provider, reported that 29,000 vulnerabilities were discovered this year, up by about 4,000 from the previous year. This marks an acceleration of a long-term trend of increasing vulnerabilities.
Factors Driving the Increase
Several factors contribute to the growth in identified vulnerabilities:
Increased Security Research: Competitions and bug bounty programs have spurred more extensive security research, leading to more discoveries.
Improved Detection Tools: Advanced tools and techniques are uncovering additional issues that were previously undetectable.
Application Complexity: The growing complexity of software applications adds more potential points of failure, resulting in additional vulnerabilities.
Financial and Operational Risks
Organizations have suffered significant financial and operational damage due to vulnerability exploitation. The potential for harm exists both at the individual entity level and systemically. Mitigating factors like system redundancy, rapid response plans, and cyber insurance can limit credit quality impacts. However, the frequency of attacks on known vulnerabilities underscores the importance of proactive vulnerability management.
Not All Vulnerabilities Are Equal
Not all vulnerabilities pose the same level of risk:
Exploitable Vulnerabilities: Over a quarter (26.5%) of identified vulnerabilities already have exploit code developed by attackers, making exploitation easier.
Preconditioned Vulnerabilities: Some require specific conditions, like prior system access, before they can be exploited.
Critical Vulnerabilities: The most severe can allow attackers to run malicious code remotely, potentially taking over systems from a distance.
Internet-Exposed Systems at Higher Risk
Systems directly connected to the internet are generally more susceptible to attacks:
Expanded Attack Surface: Increased connectivity raises exposure risks, making identifying and securing internet-exposed systems essential.
Prompt Patching: Applying security patches promptly reduces the window of opportunity for attackers.
High-Profile Breaches Highlight Dangers
Exploitation of vulnerabilities on the attack surface can have severe consequences:
MOVEit Breach: In 2023, attackers exploited a vulnerability in MOVEit, a data transfer application by Progress Software.
Widespread Impact: Approximately 2,700 organizations and 95 million individuals were affected.
Financial Cost: Emsisoft calculated the total cost at over $15 billion using IBM’s data breach cost estimates.
Analysis of Vulnerability Management Practices
S&P analyzed vulnerability data for over 7,000 rated entities in the financial and corporate sectors to assess how organizations manage cyber risks. The data was compiled in 2023 by cybersecurity specialist Guidewire, which scanned internet-accessible systems for vulnerabilities that could increase the risk of compromise.
Infrequent Remediation Is Common
The analysis revealed that infrequent remediation of vulnerabilities is widespread across industries:
Heightened Risk: Lax vulnerability management could contribute to a higher likelihood of system compromises.
Industry-Wide Issue: This problem is not isolated to specific sectors but is common across various industries.
Prioritizing Remediation Efforts
While remediation frequency is an indicator of good cyber risk management, it must be balanced against the risks posed by specific vulnerabilities:
Common Vulnerability Scoring System (CVSS): Organizations often use CVSS to prioritize remediation, scoring vulnerabilities from 1 to 10 based on severity.
Average Scores: The average CVSS score in the analyzed dataset was 4.87 (medium severity), with over 80% rated medium severity or higher.
Risks of Older Cybersecurity Vulnerabilities
Older vulnerabilities present added risks due to attackers’ familiarity with them:
Prevalence: Vulnerabilities discovered in 2016 constituted the largest group in the dataset at 28%.
Long-Term Exposure: Nearly three-quarters were discovered seven or more years ago.
Unsupported Software: Some vulnerabilities affect software no longer supported by vendors, making them impossible to patch.
The Need for Nuanced Remediation Planning
Effective remediation planning requires nuance beyond just CVSS scores and vulnerability age:
Exploit Prediction Security Score (EPSS): Incorporating EPSS adds context by estimating the likelihood of exploitation.
Dynamic Scoring: EPSS scores are updated daily, reflecting real-world exploitation data.
Combined Approach: Using both CVSS and EPSS helps identify cybersecurity vulnerabilities posing the greatest risk.
Combining CVSS and EPSS Enhances Risk Assessment
An example illustrates the benefits of this combined approach:
Medium Severity, High Risk: A vulnerability with a CVSS score of 5.3 (medium severity) but an EPSS score over 0.9 indicates a high likelihood of exploitation.
Prioritization: Such cybersecurity vulnerabilities should be prioritized for immediate remediation despite their medium CVSS score.
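As an added illustration (not part of the S&P report or this post), the following Python ranks a set of constructed findings by combining CVSS, EPSS and vulnerability age, and flags findings in unsupported software for mitigation rather than patching. The thresholds, the Finding fields and the identifiers are assumptions chosen for the example.

```python
from dataclasses import dataclass

CURRENT_YEAR = 2024  # assumption: the year the scan data is being reviewed

@dataclass
class Finding:
    ident: str       # constructed placeholder id, not a real CVE
    cvss: float      # CVSS base score, 0.0-10.0
    epss: float      # EPSS probability of exploitation, 0.0-1.0
    year: int        # year the vulnerability was disclosed
    supported: bool  # vendor still issues patches for the affected software

TIER_ORDER = ("immediate", "scheduled", "backlog")

def tier(f: Finding, epss_high: float = 0.9, cvss_critical: float = 9.0,
         old_years: int = 7) -> str:
    """Remediation tier from CVSS, EPSS and age. Thresholds are assumptions."""
    if f.epss >= epss_high or f.cvss >= cvss_critical:
        return "immediate"          # likely to be exploited, or severe: patch now
    if f.cvss >= 4.0 and CURRENT_YEAR - f.year >= old_years:
        return "scheduled"          # medium or higher, and long known to attackers
    return "backlog"

def action(f: Finding) -> str:
    """Unsupported software cannot be patched; it needs mitigation or retirement."""
    return "patch" if f.supported else "mitigate-or-retire"

def rank(findings):
    """Order findings: tier first, then EPSS, then CVSS, highest risk first."""
    return sorted(findings,
                  key=lambda f: (TIER_ORDER.index(tier(f)), -f.epss, -f.cvss))

# Constructed sample findings (not taken from the report's dataset).
SAMPLE = [
    Finding("VULN-A", 5.3, 0.92, 2022, True),   # medium CVSS, EPSS over 0.9
    Finding("VULN-B", 9.8, 0.05, 2023, True),   # critical CVSS, low EPSS
    Finding("VULN-C", 4.9, 0.02, 2016, True),   # medium CVSS, eight years old
    Finding("VULN-D", 3.1, 0.01, 2023, True),   # low on every axis
    Finding("VULN-E", 6.5, 0.40, 2014, False),  # old, and vendor no longer patches
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.ident:8} cvss={f.cvss:4.1f} epss={f.epss:.2f} "
              f"{tier(f):9} {action(f)}")
```

VULN-A lands at the top of the list despite its medium CVSS score, which is exactly the case the report uses to argue for combining the two scores.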
Implications for Credit Ratings and Governance
Poor vulnerability management can be a material risk factor affecting credit ratings:
Increased Risks: Slow remediation exposes systems to intellectual property theft, operational disruptions, reputational damage, and financial losses.
Assessment Criteria: S&P considers cyber risk management in evaluating an issuer’s management and governance.
Broader Deficiencies: Indicators of weak vulnerability management may reflect broader shortcomings in risk practices.
Conclusion: Prompt Action Is Essential
Organizations must prioritize effective vulnerability management to mitigate cyber risks:
Immediate Remediation: Addressing vulnerabilities with high probabilities of exploitation is crucial.
Governance Concerns: Failure to act not only increases system compromise risk but may also impact governance assessments and credit ratings.
Proactive Measures: Implementing nuanced remediation strategies can better protect organizations from evolving cyber threats.