“Our analysis suggests that some organisations we rate may be slow to remediate highly targeted cyber vulnerabilities, increasing the risk of system compromise,” said Paul Alvarez, lead cyber risk expert at S&P Global Ratings, emphasising that weak cyber vulnerability management could harm corporate governance ratings. Photo: Shutterstock

S&P Global’s recent analysis revealed that delays in managing cyber vulnerabilities increase breach risks, adding governance and financial challenges for organisations globally.

Poor vulnerability management threatens corporate ratings, cautioned S&P Global Ratings, with outdated or unpatched systems increasingly exposing organisations to cyber and governance risks. In its analysis on 28 October 2024, S&P emphasised the need to prioritise remediation efforts based on the likelihood of breaches and the severity of potential damage. The report indicated that deficiencies in vulnerability management could reflect broader cybersecurity challenges, which may adversely impact evaluations of an organisation’s risk management and internal controls.

Cyber vulnerabilities and exploitation rates

The credit ratings agency observed that many of the organisations it assesses may be slow to address critical cyber vulnerabilities, leaving them with a heightened likelihood of system breaches. The trend is corroborated by the 2024 Verizon Data Breach Investigations Report, which found that vulnerability exploitation as an initial access vector nearly tripled in 2023. Contributing to this surge was a sharp rise in the number of published vulnerabilities, from about 6,000 in 2016 to nearly 29,000 in 2023, according to information security provider Qualys. Vulnerabilities are being discovered faster than most organisations can patch them, widening the window in which systems can be compromised.

Not all vulnerabilities present equal risks. S&P cited Qualys, which found that exploit code existed for over a quarter (26.5%) of the vulnerabilities identified in 2023, lowering the effort an attacker needs to weaponise them. Some vulnerabilities can only be exploited under specific conditions, such as prior access to the target system; others permit remote code execution, letting an attacker take control of a system over the network without any prior foothold.

S&P’s report underscored that internet-connected systems are particularly vulnerable because their multiple connection points enlarge the ‘attack surface’. It is therefore critical to identify the systems that are exposed to the internet and to patch them promptly. Without such measures, systems are at heightened risk of exploitation, as the 2023 breach of Progress Software’s MOVEit Transfer application showed: a single flaw in the file-transfer product gave a ransomware group access to data held by approximately 2,700 organisations and 95m individuals. Emsisoft, a cybersecurity firm, estimated the total cost of the breach at more than $15bn, applying IBM’s cost-per-record metric for data breaches.

Vulnerability management

Data analysis by S&P indicated that remediation delays were prevalent across all sectors, suggesting that inconsistent vulnerability management contributed to elevated system compromise risks. While frequent remediation is generally seen as a hallmark of robust cybersecurity, S&P noted that organisations must balance remediation efforts against risks posed by the specific vulnerabilities identified. This is particularly challenging given the constant influx of new vulnerabilities, making prioritisation essential.

Some entities use the Common Vulnerability Scoring System (CVSS) to rank vulnerabilities by severity on a scale of zero to ten, with higher scores indicating greater severity. In S&P’s dataset, the average CVSS score was 4.87, which falls in the medium band, and over 80% of the vulnerabilities were rated medium severity or higher. Nevertheless, several vulnerabilities in the dataset had previously been exploited by ransomware groups, and widely used products are frequent targets because one working exploit gives access to a large pool of victims.

Persistent threat

Older vulnerabilities continue to represent significant security risks, because attackers are familiar with these long-standing flaws and have had years to refine exploits for them. Vulnerabilities disclosed in 2016 accounted for 28% of all entries in S&P’s dataset, and approximately 75% of the vulnerabilities studied had been disclosed seven or more years earlier. The oldest vulnerability in the analysis was over 24 years old and affected software that is no longer supported, meaning no patch will ever be issued for it. In one instance, a vulnerability remained unaddressed at a company for eight months, leaving ample time for attackers to exploit it. According to S&P, such protracted remediation times may reflect inadequate vulnerability management and could be indicative of broader cybersecurity failings within an organisation.

Remediation planning

S&P recommended that vulnerability remediation strategies go beyond relying on CVSS scores and vulnerability age alone. Incorporating the Exploit Prediction Scoring System (EPSS), developed by the Forum of Incident Response and Security Teams (FIRST), gives organisations a dynamic measure of likelihood to set against CVSS’s measure of severity. EPSS assigns each vulnerability a probability, between 0 and 1, that it will be exploited in the wild within the next 30 days, derived from the vulnerability’s characteristics and observed threat intelligence. Unlike a CVSS base score, which does not change after publication, EPSS scores are recalculated daily to reflect the latest threat data, helping organisations single out the vulnerabilities most likely to be attacked.
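The following is an added illustration of the prioritisation the report describes, combining CVSS severity, EPSS likelihood, internet exposure, known exploitation and vulnerability age into a single remediation ranking. It is not code from S&P Global Ratings or FIRST; the five findings, their placeholder identifiers, scores and dates, and the weighting and SLA constants are all constructed for the example and describe no real product or organisation.

```python
"""Risk-based remediation ranking: CVSS-only ordering vs CVSS + EPSS + exposure.

Added illustration, not code from S&P Global Ratings or FIRST. The findings,
their identifiers, scores, dates and the policy constants below are constructed
for this example and do not describe any real product or organisation.
"""
from dataclasses import dataclass
from datetime import date

REPORT_DATE = date(2024, 10, 28)  # fixed "today" so the output is reproducible

# Assumed policy constants; a real programme would set its own.
KEV_FLOOR = 0.9        # treat a known-exploited flaw as at least 90% likely to be attacked
INTERNAL_FACTOR = 0.5  # discount for flaws reachable only with prior internal access
URGENT_EPSS = 0.5      # internet-exposed flaws at or above this EPSS get the shortest SLA


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0.0 to 10.0 (static severity)
    epss: float             # EPSS: probability of exploitation in the next 30 days
    internet_exposed: bool  # reachable from the internet (external attack surface)
    known_exploited: bool   # exploitation observed in the wild, e.g. by ransomware groups
    published: date         # disclosure date
    supported: bool = True  # False: vendor no longer issues patches


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative severity bands."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def years_open(f: Finding, today: date = REPORT_DATE) -> float:
    """Approximate age of the flaw in years; old flaws are still exploited."""
    return round((today - f.published).days / 365.25, 1)


def risk_score(f: Finding) -> float:
    """Impact (CVSS/10) times likelihood (EPSS, raised to KEV_FLOOR if already
    exploited), discounted when the system is not internet-facing. 0.0 to 1.0."""
    likelihood = max(f.epss, KEV_FLOOR) if f.known_exploited else f.epss
    reachability = 1.0 if f.internet_exposed else INTERNAL_FACTOR
    return round((f.cvss / 10.0) * likelihood * reachability, 6)


def rank_by_cvss(findings):
    """The severity-only ordering the report warns against relying on."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings):
    """Ordering by combined severity, likelihood and exposure."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]


def remediation_action(f: Finding) -> str:
    """Map a finding to an SLA. Thresholds are assumptions for this example."""
    if not f.supported:
        return "no patch available: isolate, mitigate or decommission"
    if f.known_exploited or (f.internet_exposed and f.epss >= URGENT_EPSS):
        return "patch within 7 days"
    if f.cvss >= 7.0 or f.epss >= 0.1:
        return "patch within 30 days"
    return "patch in next regular cycle"


# Constructed sample inventory (all values invented for the example).
FINDINGS = [
    Finding("FINDING-1", 9.8, 0.02, False, False, date(2023, 8, 15)),   # critical, unlikely
    Finding("FINDING-2", 7.5, 0.92, True, True, date(2016, 5, 10)),     # old, exposed, ransomware
    Finding("FINDING-3", 5.3, 0.65, True, False, date(2021, 2, 3)),     # medium CVSS, high EPSS
    Finding("FINDING-4", 4.3, 0.001, False, False, date(2000, 3, 1), supported=False),
    Finding("FINDING-5", 8.1, 0.05, False, False, date(2022, 11, 20)),  # high CVSS, internal only
]

if __name__ == "__main__":
    print("CVSS-only order :", rank_by_cvss(FINDINGS))
    print("Risk-based order:", rank_by_risk(FINDINGS))
    for f in sorted(FINDINGS, key=risk_score, reverse=True):
        print(f"{f.vuln_id}: CVSS {f.cvss} ({cvss_band(f.cvss)}), EPSS {f.epss}, "
              f"{years_open(f)}y open, risk {risk_score(f)} -> {remediation_action(f)}")
```

Run as-is, the script shows the point of the report in one comparison: the 9.8-rated FINDING-1 tops the CVSS-only list but drops to fourth once its 2% exploitation probability and internal-only reachability are counted, while the eight-year-old, internet-exposed flaw already used by ransomware moves to the front. FINDING-4 shows the unsupported-software case from the report, where the only options are mitigation or decommissioning because no patch will ever arrive.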

Governance implications

S&P concluded that the number of vulnerabilities is likely to keep rising in the coming years, highlighting the essential role of vulnerability management within cybersecurity frameworks. The findings revealed that inadequate management of known flaws heightened the risks of system compromise, particularly for vulnerabilities exposed on the internet with high severity and likelihood of exploitation. Such risks could have severe consequences for organisations, including intellectual property theft, operational disruptions, reputational damage and financial losses stemming from business interruptions or ransom payments.

S&P emphasised that cyber risk management is a crucial factor in assessing a company’s governance score. While the report focused on vulnerabilities within the attack surface, poor management of those vulnerabilities may indicate weak cybersecurity practices overall, and could weigh on S&P’s broader evaluation of an organisation’s governance and management structures.