
Cyber Risk Insights: Detection Is Key To Defense

Organizations are coming to accept that it is a matter of when, not if, they will be targeted by cybercriminals. That realization is changing the dynamic of cyber risk management, pushing damage limitation to the forefront and, as a result, turning the spotlight on attack detection.

Detecting (preferably rapidly) when a malicious actor has access, or is attempting to gain access, to an organization's systems is the foundation on which response and recovery are built. And it is an element whose benefit can be measured in cash. The average cost of a cyber breach lasting 200 days or more was $4.86 million, technology company IBM said in its "Cost Of A Data Breach Report," published in 2022. Reducing that breach to less than 200 days cut the cost by just under a quarter, to an average $3.74 million, according to IBM.

Sums like that underline the importance of detection to companies' cyber risk management. And they highlight why S&P Global Ratings considers effective cyber detection to be integral to cyber risk management and ultimately a potential factor in the assessment of issuers' credit worthiness.

A Lifecycle Not An Event

To better understand the role that detection plays in cyber risk management it helps to understand the nature of a typical cyberattack. Contrary to common perception, cyberattacks are not singular events. Rather they are a chain of events that can take place over a matter of weeks or even months. We refer to this as the cyberattack lifecycle (see chart 1).

Understanding the nature of that lifecycle offers a foundation from which to better analyze cyber risk. It also enhances the ability to manage that risk, not least because it demonstrates how each step provides an opportunity for a target to detect malicious activity and thus break the cyberattack lifecycle and minimize damage.

Chart 1: the cyberattack lifecycle (image not reproduced here)

As IBM's report shows, early detection of a cyberattack is key to limiting its cost. The longer that an attacker remains undetected and with access to a target's technology systems the greater is the opportunity for them to establish control and thus achieve their objectives. Moreover, retaking control of a system from an attacker, and remedying their actions, are major elements of the cost of a cyberattack.

Racing Against Time

Defenders are detecting cyberattacks faster, but they also face shorter attack lifecycles. About 70% of breaches not unveiled by an attacker (known as non-actor disclosed breaches) are detected in a day or less, while 20% take "months or more" to detect, according to the "Data Breach Investigations Report," published in 2022 by Verizon, a U.S. wireless network operator. The report suggests that detection speeds have notably improved in the past five years: in 2017, almost 50% of non-actor disclosed breaches took "months or more" to detect (see chart 2).

Verizon's figures also demonstrated the extent to which defenders are locked in an arms race, with faster detection offset by shortened attack lifecycles, notably due to the growing prevalence of ransomware attacks. In 2016, about 6% of breaches were characterized by an attacker notifying their presence to the target (known as actor disclosure), according to Verizon. By 2022, that figure had grown to 58%, suggesting that a majority of cyber breaches go undetected until after attackers have found what they want and sent a ransom note.

Chart 2: time to detection, non-actor disclosed breaches (image not reproduced here)

Thankfully, defenders don't have to face the threat posed by accelerating cyberattacks alone. Government organizations are playing a growing role in incident detection. The U.S.'s Cybersecurity & Infrastructure Security Agency (CISA), the U.K.'s National Cyber Security Centre (NCSC) and the Australian Cyber Security Centre (ACSC) are developing capabilities to support public and private sector entities with incident detection, technical support, communication, and outreach.

The contribution of government organizations was likely a material factor in the faster detection observed in Verizon's report. It also appears to be reflected in a decrease in the period between a cyber attacker's entry and detection (known as dwell time), which fell to 28 days in 2021, from 184 days in 2018, according to a report, "M-Trends 2022: Cyber Security Metrics, Insights and Guidance From the Frontlines," produced by cybersecurity firm Mandiant, a unit of Google. Those figures require some qualification, as Mandiant's sample of externally detected breaches includes actor disclosure and so is skewed by the growth in ransomware attacks that result in an attacker notifying their presence.

Early Detection Is Key To Breaking The Attack Lifecycle

Issuers that quickly detect an attack afford themselves a chance to break the attack lifecycle at an early stage and thus limit financial damage and potential credit quality impacts. An attacker doesn't gain access to a target's systems until step three of five (exploitation) in the attack lifecycle. Detecting malicious activity in steps one or two (preparation and delivery) can thus nullify an attack. For example, an employee may receive a phishing email during the delivery phase of an attack. If that employee is trained in phishing awareness, and has a mechanism to report the malicious email, the target entity can respond before the attack gains access to an IT system and is able to deliver malware.

Even if that malware is delivered, resulting in a system breach, rapid detection remains crucial to damage limitation. Response and recovery typically become progressively harder and more expensive as an attack progresses through its lifecycle. Immediately following entry, an attacker may only have access to a small segment of an entity's systems and networks. Defenders, at that stage, can isolate infected systems and/or cut off unauthorized access through targeted action. Once an attacker gains persistence and control (phase four of the lifecycle), removing them is likely to be significantly more costly and time consuming, requiring a concerted effort to identify all affected systems and restore their integrity.

Finally, if the attacker carries out their desired actions (phase five), the target entity may have to bear additional costs including business interruption, reputational damage, and regulatory penalties. The snowballing of cost and damage as a cyberattack progresses through its lifecycle makes early detection (and an effective response plan) key to an organization's cybersecurity program, not least because an attack's impact, when significant, can lead to a deterioration in credit quality.

Where To Invest

Our analysis of rated issuers' cyber preparedness contributes to (and is embedded within) our assessment of governance and operational risk management. Material deficiencies in an issuer's cybersecurity capabilities can therefore affect our view of an issuer's credit worthiness and, ultimately, influence our credit rating on an entity.

Organizations can bolster their detection capability through investment (of time and money) in three broad categories of cyber threat detection: logging, monitoring, and threat hunting (see chart 3). These elements are generally cumulative, with monitoring and threat hunting built upon, and augmenting, basic logging capabilities.

The breadth of issuers we rate means that there will be differences in organizations' requirements, which will be reflected in our expectations of their cyber security preparedness. Indeed, some organizations may not need significant capabilities (and thus investment) beyond logging and monitoring, while others will require consequential automation and threat hunting operations.

Chart 3: categories of cyber threat detection (image not reproduced here)

The Threat To Credit Quality

The presence, or absence, of a cyber threat detection mechanism at an issuer is unlikely to have direct credit rating implications. However, we consider that weaknesses in an entity's threat detection capabilities indicate deficiencies in operational risk management, which can affect our view of an entity's governance practices and ultimately its credit worthiness.

Furthermore, and as the studies cited earlier confirm, organizations with weak threat detection tend to suffer heavier costs directly related to attacks. They can also be expected to suffer greater reputational damage, which could have a further financial impact. The potential magnitude of those damages makes it possible that an attack could weigh on an issuer's credit worthiness.

Given those risks, organizations lacking effective cyberattack detection capabilities can ill afford to delay investment in the necessary platforms. And they will have to keep investing. The constantly evolving cyber landscape means that security controls and defenses must develop if they are to continue to benefit credit quality. In the same way that a cyberattack is better thought of as a lifecycle rather than an event, cyber security should be considered a journey not a destination.

Related Research

Writer: Paul Whitfield

This report does not constitute a rating action.

Primary Credit Analyst: Martin J Whitworth, London +44 7773 128733; martin.whitworth@spglobal.com
Secondary Contacts: Charlie Cowcher, CFA, London +44 7977 595797; Charlie.Cowcher@spglobal.com
Tiffany Tribbitt, New York +1 (212) 438 8218; Tiffany.Tribbitt@spglobal.com

No content (including ratings, credit-related analyses and data, valuations, model, software, or other application or output therefrom) or any part thereof (Content) may be modified, reverse engineered, reproduced, or distributed in any form by any means, or stored in a database or retrieval system, without the prior written permission of Standard & Poor’s Financial Services LLC or its affiliates (collectively, S&P). The Content shall not be used for any unlawful or unauthorized purposes. S&P and any third-party providers, as well as their directors, officers, shareholders, employees, or agents (collectively S&P Parties) do not guarantee the accuracy, completeness, timeliness, or availability of the Content. S&P Parties are not responsible for any errors or omissions (negligent or otherwise), regardless of the cause, for the results obtained from the use of the Content, or for the security or maintenance of any data input by the user. The Content is provided on an “as is” basis. S&P PARTIES DISCLAIM ANY AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR DEFECTS, THAT THE CONTENT’S FUNCTIONING WILL BE UNINTERRUPTED, OR THAT THE CONTENT WILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. In no event shall S&P Parties be liable to any party for any direct, indirect, incidental, exemplary, compensatory, punitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation, lost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the Content even if advised of the possibility of such damages.

Credit-related and other analyses, including ratings, and statements in the Content are statements of opinion as of the date they are expressed and not statements of fact. S&P’s opinions, analyses, and rating acknowledgment decisions (described below) are not recommendations to purchase, hold, or sell any securities or to make any investment decisions, and do not address the suitability of any security. S&P assumes no obligation to update the Content following publication in any form or format. The Content should not be relied on and is not a substitute for the skill, judgment, and experience of the user, its management, employees, advisors, and/or clients when making investment and other business decisions. S&P does not act as a fiduciary or an investment advisor except where registered as such. While S&P has obtained information from sources it believes to be reliable, S&P does not perform an audit and undertakes no duty of due diligence or independent verification of any information it receives. Rating-related publications may be published for a variety of reasons that are not necessarily dependent on action by rating committees, including, but not limited to, the publication of a periodic update on a credit rating and related analyses.

To the extent that regulatory authorities allow a rating agency to acknowledge in one jurisdiction a rating issued in another jurisdiction for certain regulatory purposes, S&P reserves the right to assign, withdraw, or suspend such acknowledgement at any time and in its sole discretion. S&P Parties disclaim any duty whatsoever arising out of the assignment, withdrawal, or suspension of an acknowledgment as well as any liability for any damage alleged to have been suffered on account thereof.

S&P keeps certain activities of its business units separate from each other in order to preserve the independence and objectivity of their respective activities. As a result, certain business units of S&P may have information that is not available to other S&P business units. S&P has established policies and procedures to maintain the confidentiality of certain nonpublic information received in connection with each analytical process.

S&P may receive compensation for its ratings and certain analyses, normally from issuers or underwriters of securities or from obligors. S&P reserves the right to disseminate its opinions and analyses. S&P's public ratings and analyses are made available on its Web sites, www.spglobal.com/ratings (free of charge), and www.ratingsdirect.com (subscription), and may be distributed through other means, including via S&P publications and third-party redistributors. Additional information about our ratings fees is available at www.spglobal.com/usratingsfees.
