In the two years to January 2024, almost 700 cyber incidents were reported among Russell 3000 companies in the U.S., impacting more than 10% of the firms. One-third of those involved the compromise of a supplier or other third party, and the study also identified substantial third-party aggregate risk concentration across Russell 3000 firms.
KEY TAKEAWAYS
- One-third of reported incidents among Russell 3000 firms involved a supplier or other third-party relationship, and incidents that impacted a large number of individuals were more likely to have a third-party as the root cause.
- Aggregate risk exposure across the index is high, with more than 90% of Russell 3000 firms utilizing certain third-party technologies, and more than 1,000 different unique supplier/technology pairings each being utilized by more than 10% of constituent companies.
- Companies that reported cyber incidents during the analysis period have higher risk, as measured by significantly lower ISS Cyber Risk Scores, than firms with no reported incidents.
- Of those firms reporting an incident, the score effectively rank-orders incident risk by severity, as measured by the number of individuals impacted.
Data…