
Trends in data protection breaches at listed companies

In the two years to January 2024, nearly 700 cyber incidents were reported at Russell 3000 companies in the U.S., affecting more than 10% of companies. A third of these involved the compromise of a supplier or other third party, and the study also found a significant concentration of overall third-party risk across all Russell 3000 companies.

Key findings

  • One-third of the incidents reported at Russell 3000 companies involved a supplier or other third party, and incidents involving a large number of people were more likely to have been caused by a third party.
  • The aggregate risk exposure across the index is high: More than 90% of Russell 3000 companies use some third-party technology, and more than 10% of index companies each use over 1,000 different unique supplier/technology pairings.
  • Companies that reported cyber incidents during the analysis period are at higher risk, as measured by significantly lower ISS Cyber Risk Scores, than companies that did not report any incidents.
  • For companies that report an incident, the score effectively ranks the incident risk by severity, measured by the number of people affected.

Data breaches and other security incidents continue to make headlines and negatively impact companies, their customers and their shareholders. Ransomware incidents continue to dominate the headlines, but a wide range of incident types continue to pose challenges for publicly traded companies. Managing these risks is critical and therefore requires significant time, money and attention from executives and board members. Regulators have also become increasingly aware of the issue.

The SEC has introduced its long-awaited disclosure requirements for publicly traded companies, requiring timely market reporting of breaches, annual disclosures on cyber risk management practices, and management and board involvement in oversight. This is already driving behavior change. A review of disclosure data for Russell 3000 companies as of February 2024 found that about 35% of companies offered regular cybersecurity briefings to their boards. By June, that proportion had increased to over 98% of companies.

It will take time to measure the true impact of these changes on performance, but companies should expect increased scrutiny as detailed disclosures become the norm and shareholders expect them. These disclosures will undoubtedly help to ensure investors are better informed. However, there are also objective, technical assessments of cyber risk that are playing an increasingly important role in both self-assessment and stakeholder assessments of cyber risk.

As demonstrated in this paper, the ISS Cyber Risk Score provides objective insights into cyber risks and can serve as valuable input for companies and stakeholders seeking to manage risk across a corporate portfolio.

According to the 2023 NetDiligence® Cyber Claims Study, the average cost of insurance claims related to cybersecurity breaches for small and medium-sized businesses (SMBs) between 2018 and 2022 was $175,000. At the height of the pandemic in 2020, SMBs had the most claims and the highest costs. Since then, the number of claims has dropped by half and the average size by about 25%. Still, the numbers suggest that serious risks remain. The average claim cost for large companies with annual revenue of $2 billion or more was $13.8 million over the same five-year period.

Certain loss classes, reflecting specific types of cyber incidents, cost more. Ransomware losses, which account for one-third of large-enterprise losses, averaged $43.4 million. For smaller companies, the cost per incident for ransomware losses is almost twice that of non-ransomware losses. Consistent with the loss data, the Verizon Data Breach Investigations Report 2024 indicates that ransomware or similar extortion incidents account for about one-third of all incidents.

Not surprisingly, ransomware has also played a major role in the largest and most headline-grabbing security breaches of recent times, including the September 2023 incident that shut down systems at MGM Resorts and the attack that crippled UnitedHealth's Change Healthcare unit in early 2024. UnitedHealth CFO John Rex has stated that the cost for the full year will be between $1.4 billion and $1.6 billion.

Shareholder impacts are harder to discern because the market seems quick to punish some companies and indefinitely forgive others. The MGM Resorts incident had a $100 million impact on third-quarter results; the stock price fell quickly and significantly in the days following the incident but has since recovered. UnitedHealth appears to have been spared significant share price impacts in the medium term. Some impacts, such as fines and litigation, arrive later but can be financially significant for shareholders. Much depends on the financial strength and diversity of the company suffering the loss. Regardless, it will always be difficult to estimate the long-term value that might have been realized had cyber losses been avoided and the lost profits put to productive use to increase shareholder value.

The insights presented in this report are based on ISS-Corporate's analysis of the Russell 3000 over a two-year period ending December 31, 2023. The data used for the analysis comes from the ISS Cyber Risk Score platform, which serves as the delivery engine for the score.

The ISS Cyber Risk Score is calculated by a machine learning model trained on reported cyber incidents. It is a scaled representation of the likelihood that an organization will be affected by a significant security incident within the next 12 months, ranging from 300 (highest risk) to 850 (lowest risk). The score is based on an organization's observed behavior, measured against its current and historical security posture. The underlying signals come from an assessment of the type and extent of compromise of IT assets, the configuration and health of internet-facing networks, and the content and makeup of the company's domains. The model also takes into account firmographic factors (size and industry) and reported evidence of endpoint compromises.

The total number of companies included in the analysis is 2,928. Twenty Russell 3000 companies were excluded from the list due to missing data.

The average score across these companies is 698. Companies with higher scores have below-average risk; companies with lower scores have above-average risk. The standard deviation is 86 points.

The study uses cyber incident data drawn primarily from reporting databases in 32 U.S. states. These states have mandatory security incident reporting requirements for companies operating there, and the data is publicly available. Since most larger companies operate in multiple states, incident reporting is likely to include most significant incidents.

The distribution of scores across the Russell 3000 is shown in the accompanying figure.

Using this data, we identified 693 incidents affecting the population studied. A total of 310 companies (10.5%) reported one or more incidents. 232 incidents, almost exactly one-third of the total, were reported as caused by or involving a third party. The rest were catalogued under an incident type consistent with a direct, first-party event.

Incidents were also categorized by size based on the extent of the data compromised, measured by the number of people affected. Incidents that affected the data of 100,000 or more people were classified as extra-large, 10,000 or more as large, 100 or more as medium, and less than 100 as small. The largest recorded incident affected 60 million people. There were 14 individual incidents that affected more than 1 million people.

About 20% of reported incidents do not capture the underlying cause of the incident. A further nearly 30% are not purely technical issues but involve a human element (e.g. employee error, social engineering). This share is lower than in the Verizon Data Breach Investigations Report 2024, which analyzes a much broader range of organizations and finds that 68% of cyber incidents involve a "human element." For a more detailed analysis of the impact and measurement of human error in cyber incidents, see Human problems: The human factor in cyber risks.

Ransomware is not explicitly included as a category in the study dataset, but malware is. Interestingly, malware is more frequently present in the larger incidents. A malware element is found in almost 10% of the medium, large, and extra-large categories, but in less than 2% of the small incidents.

The link to the full article can be found here.


1. ISS ESG Review of Disclosure Information for Russell 3000 Companies (GQS FactorID 404), H1 2024.

2. NetDiligence Cyber Claims Study, 2023 Report.

3. Data Breach Investigations Report 2024, Verizon Business.

4. "UnitedHealth paid hackers $22 million, fixes will soon cost billions," Forbes, April 30, 2024.

5. Data Breach Investigations Report 2024, Verizon Business.