UPDATED 09:00 EDT / APRIL 03 2024

SECURITY

Report finds more than a fifth of S&P 500 firms hit by data breaches in 2023

A new report out today from security ratings firm SecurityScorecard Inc. on security at S&P 500 companies finds that 21% experienced a data breach in 2023, as new regulations heighten the urgency of cybersecurity.

The targeting of S&P 500 companies is said to be due to attackers chasing money, with ransomware operators viewing top companies as particularly valuable targets thanks to their market value and demanding accordingly high ransoms. Attackers know that bigger targets are typically capable of paying high ransoms.

Of the S&P 500 companies that experienced a breach in 2023, 25% were financial services and insurance companies. Although the report notes that financial institutions have some of the most robust security programs given the substantial money and assets they handle, the interconnected nature of the financial sector means that compromising one institution or commonly used product can lead to broader impacts across the entire industry.

Among the companies breached, 52% of attacks involved companies that exposed personal information. Attackers are particularly focused on gaining access to employee information to facilitate social engineering attacks, with skilled threat actors able to combine various sources to tailor their social engineering attacks for maximum impact or to impersonate employees.

Perhaps not surprisingly, given the level of data exposure and attacks, the average social engineering risk grade for the S&P 500 was found to be an “F.” The report explains that social engineering poses a significant risk to many companies, even those with otherwise healthy risk profiles and a strong security posture, and that many threat actors use social engineering attack vectors because they enable attackers to circumvent technical security solutions by manipulating human users.

Other findings in the report include that ransomware demands from S&P 500 victims are now often in the eight-figure range, with ransomware operators basing their ransom demands on the company’s size in terms of the number of employees and market cap.

The report also warns that attackers are going through a company’s vendors and partners if they can’t access the company directly. SecurityScorecard research has found that 98% of companies have a relationship with a third party that has been breached.

The findings come following the introduction of cybersecurity disclosure requirements mandated by the U.S. Securities and Exchange Commission in December. Companies are now required to disclose cybersecurity incidents, with some exceptions, within four days of their occurring.
