Today Kovrr, the leading global provider of on-demand cyber risk quantification (CRQ) solutions, published its latest cyber risk management research, Cyber Risk and Financial Resilience in the S&P 500. The report explores the likely monetary losses companies face in the wake of an event and offers critical insights into the resilience of the largest US enterprises, along with the broader market implications.
To assess the market’s relative strength against cyber incidents, Kovrr’s Cyber Risk and Financial Resilience in the S&P 500 report analyzes two key perspectives: profitability impact and long-term capital impact. The former compares a large but likely scenario, with a 10% chance of occurring in any given year, against the company’s profitability as reported in its previous year’s income statement, while the latter assesses a much rarer scenario, with a 1% chance of happening annually, against the available shareholders’ capital, providing insights into the downstream consequences.
Impact of Cyber Events on Profitability and Insolvency Risk
Many S&P 500 companies that run a profit and have a positive overall value are reasonably financially resilient to losses from a cyber attack, losing no more than 5% of their profits if they experienced a cyber event that had a 10% chance of occurring in any year, such as a common data breach or ransomware event. However, a select few are at a heightened risk of insolvency, with 8 suffering damages that would exceed 10% of their annual profits.
When examining the less common but plausible cyber events that have just a 1% chance of happening each year (i.e., a catastrophe, not unlike the July 2024 CrowdStrike outage), the report identifies at least one corporation that would almost certainly face insolvency if it endured an attack. Likewise, there is one other company that would experience financial losses of at least a third of its Shareholder Equity, significantly hindering its likelihood of recovery.
“Financial instability of even a small number of major enterprises could have a ripple effect, theoretically destabilizing investor confidence and the overall economy,” said Yakir Golan, Kovrr CEO. “Taking this level of risk into account along with the expanding reliance on information technology systems, both within companies and across supply chains, the result is a higher-level focus on the importance of cost-effective cyber risk management strategies.”
Risk Resilience Measured Across Industries and Revenue Bands
The Cyber Risk and Financial Resilience in the S&P 500 report breaks down resiliency results further by industry and revenue, revealing that the Finance sector faces the lowest financial impact from a cyber attack in both the 10% annual probability and 1% annual probability scenarios. These findings highlight the industry’s already substantial investment in proactive cybersecurity measures, most likely driven by strict regulatory obligations.
On the other end of the spectrum, the Services sector faces the largest likely impact from cyber events with a 10% annual probability. The Retail Trade industry is most vulnerable to incidents with just a 1% chance of occurring each year.
In terms of the relationship between resilience and annual profits, enterprises with higher revenues are generally more resilient to cyber events with a 10% annual probability, although there are exceptions depending on industry specifics.
The relationship between revenue and long-term resilience, however, is more complex. Larger companies, which typically have a diversified risk profile, may show greater proportional impacts on Shareholder Equity in extreme scenarios due to lower reserved capital relative to their size.
Despite the general stability of the S&P 500, the propensity for an enterprise to fall victim to a cyber attack that would leave it insolvent demands that market stakeholders carefully assess whether they have the capital to cover the events forecasted within their specific cyber risk profile.
By quantifying risks and calculating the likely monetary implications, cybersecurity leaders can facilitate a more informed decision-making process amongst those at the highest organizational levels, ensuring the budget is appropriately allocated and risk transfer mechanisms are in place to withstand the long and short-term impacts of a cyber event.
“Cyber risk management is no longer just a technical issue; it’s a critical market concern that demands evaluating threat intelligence tailored to one’s organization’s unique exposure. The need to involve any organizational leader who is accountable for bottom line impact in cybersecurity decisions is another significant outcome in today’s risk era,” added Golan.
For full access to Kovrr’s Cyber Risk and Financial Resilience in the S&P 500 report, please visit https://www.kovrr.com/reports/cyber-risk-and-financial-resilience-in-the-sp-500.
About Kovrr
Kovrr’s cyber risk quantification platform empowers enterprise decision-makers to manage cyber exposure more effectively by providing an in-depth risk analysis that drives actionable, financially justified decisions. For more information, please visit www.kovrr.com or follow us on Twitter or LinkedIn.