Cyber Attackers Targeted 10% of Russell 3000 Companies in 2022-23, Study Says

One-tenth of Russell 3000 companies got hit with cyberattacks in 2022 and 2023, according to a report by ISS Corporate, part of ISS STOXX, which owns CIO. There were roughly 700 digital incidents involving U.S. companies in the index in that time, the study found.

Thus far in 2024, digital assaults have affected such large companies as AT&T, Ticketmaster Entertainment and Bank of America. At AT&T, hackers accessed data on 7.6 million current and 66.4 million former customers. They stole Social Security numbers, account numbers and passwords.

Many companies, of course, outsource their infotech to cloud providers for back office and customer relations—and that makes them especially at risk, the report stated. So-called ransomware, when the hacker extorts a large sum, is the most well-known danger.

Trouble is, it’s hard to figure out just how vulnerable a company, per Ajit Jain, head of insurance for Berkshire Hathaway. A widely used web supplier “may accumulate into an aggregation of potential cyber losses,” the study quoted him as saying. If a large cloud provider’s platform were attacked and came to a standstill, the impact would be “huge,” and “that is what scares us,” he observed.

Want the latest institutional investment industry news and insights? Sign up for CIO newsletters. 

The jeopardy is broad-ranging. Some 90% of Russell 3000 corporations use third-party information technology providers, the study found. Companies with low cyber risk scores, as calculated by ISS Corporate, are the most at risk, the report warned. The score is computed by collecting data on a company’s digital security, then measuring it against those of other businesses.

Cybersecurity breaches are costly, and insuring against them is, too. From 2018 through 2022, the average claim cost for large companies (defined as worth $2 billion or more in yearly revenue) during that time span, was $13.8 million, the study said. Ransomware costs were one-third of claims for large corporations, averaging $43.4 million.

The impact on stockholders is hard to measure, the study contended, “as the market seems to punish some firms quickly and excuse others indefinitely.” As an example of the former, the study pointed to MGM Resorts International, which suffered a breach that it disclosed last October. The casino and hotel company saw its shares tumble, but they recovered by year-end.

The Securities and Exchange Commission recently required public companies to disclose cyber incidents in a timely fashion. The ISS Corporate report noted that the SEC mandate “is already driving a change in behavior.” In February, about 35% of companies gave cybersecurity briefings to their boards of directors. As of June, this had grown to more than 98%.

Stepped-up cybersecurity defenses among companies also are on the rise. As the report concluded, “Being able to quickly assess potential exposure to a common catastrophic security flaw is quickly moving from ‘nice-to-have’ to ‘must-have’ for many firms.”