Companies fall short on curbing cybersecurity risks from vendors: Moodys

By Jim Tyson for CFODive.com

• Most companies and organizations in the U.S. and Canada fall short on limiting cybersecurity risks from third-party vendors even as they give cybermanagers more clout and boost spending on averting attacks, Moody’s Investors Service said in a report.

• “Third-party vendor risk management sees little improvement” since 2021, Moody’s found in a survey of about 1,100 companies and government-affiliated organizations. “Apart from financial services and infrastructure issuers — and despite a series of supply-chain attacks — the share of organizations requiring new or periodic third-party vendor assessments has not risen since 2021.”

• At the same time, cybermanagers wield more influence, with 90% reporting to a C-suite executive compared with 62% in 2021, Moody’s said. Companies have also boosted cybersecurity budgets 65% during the past five years, funding 25% growth in cybersecurity talent.

Cybersecurity risks are rising, with generative artificial intelligence expected to favor attackers over the short-to-medium term, Moody’s said. Cyberattacks annually surged 26% on average from 2017 until 2023, the rating firm said, citing University of Maryland data.

“This number is likely to be understated since organizations are often not required to report cyberattacks,” according to Moody’s.

Meanwhile, annual global ransomware payments exceeded $1 billion for the first time last year, Moody’s said, citing Chainanalysis, a cybersecurity firm.

Rising premiums have not reduced demand for cybersecurity insurance, according to Moody’s.

The share of survey respondents who said they carry specialized cybersecurity insurance policies rose to 87%, an increase of 21 percentage points from 2021, despite an average 55% increase in insurance premiums from 2020 until 2022, Moody’s said.

Private companies and public sector organizations in recent years have improved their “cyber hygiene,” embracing basic best practices to reduce the risk of cyberattack such as training against phishing, Moody’s said. Multifactor authentication and system backups at least weekly are nearly “industry standard” across North America.

Yet there has been little progress in the use of more advanced and expensive cybersecurity methods, including red team/purple team simulated attacks, Moody’s said.

By strengthening their in-house cybersecurity expertise, companies and public sector organizations have reduced the number of third parties accessing their networks, Moody’s said.

Yet reinforced internal safeguards may not prevent a breach tied to a software provider or other vendor, Moody’s said. While financial services and infrastructure organizations have intensified their assessment of vendor cybersecurity, the share of organizations requiring new or periodic assessments of such risk has not improved since 2021.

“Exposure to cyberrisk continues to grow through digitization, technology innovations, increased interdependencies and a constant rise in the frequency and sophistication of attacks,” according to Moody’s.

“The elevation of the cybermanager’s role, the internalization of cyberstaff and the prevalence of cybersecurity investments in line item budgeting indicate that the industry is recognizing that cyber risk is here to stay,” Moody’s said.