Topic

ISS-Corporate’s analysis examines cyber incidents reported by Russell 3000 companies in the two-year period leading up to December 31, 2023, leveraging data collected from 32 U.S. state reporting databases.

August 7, 2024

ISS-Corporate: U.S. Companies Face High Exposure to Third Party and Aggregate Cyber Risk

ROCKVILLE, Md. (August 7, 2024) – ISS-Corporate, a leading provider of compensation, governance, cyber risk monitoring, and sustainability offerings to help companies improve shareholder value and reduce risk, today announced the findings of an analysis of cybersecurity breaches and aggregate cyber risk at U.S. public companies. Following the Securities and Exchange Commission’s implementation of cyber disclosure requirements for publicly traded firms in December 2023, firms are required to provide timely reporting on material cybersecurity incidents and also provide annual disclosures regarding cyber risk management practices and management and board involvement in cyber risk oversight. ISS-Corporate’s analysis examines cyber incidents reported by Russell 3000 companies in the two-year period leading up to December 31, 2023, leveraging data collected from 32 U.S. state reporting databases.

The study finds that of the 693 reported cyber incidents, which impacted 10.5 percent of Russell 3000 companies, one third involved a supplier or other third-party relationship and they tended to have a broader impact. Roughly 60 percent of the reported cyber incidents impacting 100,000 or more individuals were attributable to a third party, necessitating an examination of supply-chain risk concentration and aggregate exposure.

Aggregate risk exposure across the index is high, with ISS-Corporate data finding that more than 90 percent of Russell 3000 firms have specific individual third-party technology providers in common. Cloud concentration is also high, with as many as one-third of companies utilizing the same cloud services provider at the same specific location. The analysis also finds more than 1,000 unique supplier/technology pairings, each being utilized by more than 10 percent of constituent companies.

In assessing the aggregate risk, the report leverages data from the ISS Cyber Risk Score platform. The ISS Cyber Risk Score is a scaled representation of the likelihood that an organization will suffer a material security incident within the next 12 months. The score is calculated by a machine learning model trained on reported cyber incidents and leverages several categories of technical information, including the extent and configuration of assets exposed to the Internet, evidence of compromise, and the use of best practices in website construction. Companies that reported cyber incidents during the analysis period were generally found to have higher risk, as measured by significantly lower ISS Cyber Risk Scores, than firms with no reported incidents.

“Third party risk can be difficult for companies to manage, and even harder for their stakeholders to effectively assess, with some large firms having ten thousand or more suppliers,” said Doug Clare, Managing Director for Cyber Strategy at ISS-Corporate. “Assessing and managing aggregate exposures to third and even fourth party cyber risk is an increasingly important part of a risk manager’s role. The downstream impacts of commonly deployed single points of failure can have severe and consequential impacts for businesses and consumers.”

Read the full analysis from ISS-Corporate here.

###

About ISS-Corporate
Companies turn to ISS Corporate Solutions, Inc. (“ISS-Corporate”) for expertise in designing and managing governance, compensation, sustainability, and cyber risk programs that align with company goals, reduce risk, and manage the needs of a diverse shareholder base by delivering data, tools, and advisory services. ISS-Corporate’s global client base extends across North America, Europe, and Asia, as well as other established and emerging markets worldwide. ISS-Corporate is a wholly owned subsidiary of Institutional Shareholder Services Inc. (“ISS”). ISS-Corporate provides advisory services, analytical tools and publications to companies to enable them to improve shareholder value and reduce risk through the adoption of improved corporate governance practices. The ISS research teams, which are separate from ISS-Corporate, will not give preferential treatment to, and are under no obligation to support, any proxy proposal of a corporate issuer nor provide a favorable rating, assessment, and/or any other favorable results to a corporate issuer (whether or not that corporate issuer has purchased products or services from ISS-Corporate). No statement from an employee of ISS-Corporate should be construed as a guarantee that ISS will recommend that its clients vote in favor of any particular proxy proposal or provide a favorable rating, assessment or other favorable result. For more information, please visit https://www.iss-corporate.com/.

About ISS STOXX
ISS STOXX GmbH, through its group companies, is a leading provider of comprehensive and data-centric research and technology solutions that help capital market participants identify investment opportunities, detect qualitative and quantitative portfolio company risks, and meet evolving regulatory requirements. With roots dating back to 1985, we today deliver world-class benchmark and custom indices across asset classes and geographies and serve as a premier source of independent corporate governance, sustainability, cyber risk, and fund intelligence research, data, and related offerings. Our products and services give clients the scale and leverage they need to grow their business more effectively and efficiently. ISS STOXX, which is majority owned by Deutsche Börse Group, is comprised of more than 3,400 professionals operating across 33 global locations in 19 countries. Its approximately 6,400 clients include many of the world’s leading institutional investors who turn to ISS STOXX for its objective and varied offerings, as well as companies focused on ESG, cyber, and governance risk mitigation as a shareholder value enhancing measure. Clients rely on ISS STOXX’s expertise to help them make informed decisions to benefit their stakeholders.

Media Contact:
Audrey Dedrick
Associate, Communications
media@iss-corporate.com

Share this
Get WEEKLY email ALERTS ON THE LATEST ISS INSIGHTS.