New Study Assesses the Cyber Resilience of the Largest U.S. Enterprises
ExtraHop
October 8, 2024
A new report from Kovrr assesses the cyber resilience of S&P 500 companies and “explores the likely monetary losses companies face” in the aftermath of a cyberattack, according to an accompanying press release. Kovrr is a provider of cyber risk quantification solutions. (See our related article on cyber risk quantification.)
The report titled “Cyber Risk and Financial Resilience in the S&P 500” found that eight firms that trade on this stock index of the most vital large-cap companies face a 10% probability of suffering a cyberattack that erodes 10% of their annual revenue in the upcoming year.
To put the probability of this scenario into perspective, these companies face the same level of cyber risk as homeowners in hurricane-prone areas, who must weigh the odds of getting hit by a storm disastrous enough to cause extreme damage to their properties.
These findings coincide with the recent resurgence in ransomware big game hunting (BGH), where threat actors precision-target large, high-value organizations to inflict maximum damage and extract seven-to-eight-figure ransoms. In fact, two of the top-three largest ransomware payouts ever recorded took place this year: Dark Angels’ $75 million heist and ALPHV’s $22 million shakedown.
With high-value organizations being increasingly stalked by BGH-focused adversaries, the median ransomware payout has skyrocketed from $200,000 in early 2023 to $1.5 million through July of this year, according to research from blockchain intelligence firm Chainalysis.
Beyond ransom payouts, organizations can face cyber event costs in the form of revenue loss and operational disruption, incident response and remediation, customer and investor lawsuits, regulatory fines, and reputational damage. The latter can cause increased business losses and customer churn in the long term.
The Kovrr study leverages the firm’s cyber risk quantification “models to determine how cyber losses stack up against company profits and overall value, using the companies in the S&P 500 as a representative dataset, reflecting the largest entities across the US,” according to the report.
While the study modeled larger attacks individually, smaller, non-material incidents were “grouped and modeled in aggregate,” according to the report. Overall, the study found that “many S&P 500 companies that run a profit and have a positive overall value are reasonably financially resilient to losses from a cyber attack, losing no more than 5% of their profits if they experienced a cyber event that had a 10% chance of occurring in any year,” according to Kovrr.
Also, when examining “less common but plausible cyber events that have just a 1% chance of happening each year,” like a SolarWinds-style catastrophe, the report found “at least one corporation that would almost certainly face insolvency” if it suffered a breach of this magnitude, noted Kovrr.
Likewise, the press announcement said there is one other company that would experience financial losses of at least a third of its shareholder equity, significantly hindering its likelihood of recovery.
Due to investors’ vast exposure to S&P 500 index funds and individual stocks in their portfolios, “financial instability of even a small number of major enterprises could have a ripple effect, theoretically destabilizing investor confidence and the overall economy,” said Kovrr chief executive Yakir Golan.
Financial Sector Resilience
In terms of sector resilience, the Kovrr report further revealed that the finance industry “faces the lowest financial impact from a cyber attack in both the 10% annual probability and 1% annual probability scenarios,” said the press release.
These findings are not surprising, given the financial sector’s substantial investment in cybersecurity and resilience, driven by strict regulatory obligations that grew out of the 2008 financial crisis. It’s unclear whether this investment has had the effect of deterring threat actors. On one hand, a World Economic Forum report published earlier this year said that the finance industry was the fourth-most targeted sector in 2023, accounting for 8.3% of attacks.
But on the other hand, 2024 research published by the International Monetary Fund said that the “financial sector has suffered more than 20,000 cyberattacks, causing $12 billion in losses, over the past 20 years.” A key consideration for financial services firms is the risk of supply-chain attacks like the MOVEit, SolarWinds, and Kaseya incidents.
The IMF notes that “financial firms increasingly rely on third-party IT service providers, and may do so even more with the emerging role of artificial intelligence.” These external providers “expose the financial industry to systemwide shocks,” according to the IMF.
As for the least resilient sector, the Kovrr report highlighted the services industry. A spokesperson for Kovrr told ExtraHop that they define services as “digital service providers e.g. Software as a Service (SaaS), Platform as a Service (PaaS), Infrastructure as a Service (IaaS), Containers as a Service (CaaS).” Dovetailing with Kovrr’s findings, recent cyberattack trend data discussed in CrowdStrike’s 2024 Threat Hunting Report revealed that the technology sector was the “most frequently targeted industry for the seventh consecutive year.”
In this threat landscape, the services sector “faces the largest likely impact due to those cyber events with a 10% annual probability,” according to Kovrr’s press announcement. Kovrr also noted that the Retail Trade sector is “most vulnerable” to catastrophic incidents that have just a 1% chance of occurring in any given year.
In general, the Kovrr report found that well-capitalized enterprises are “generally more resilient to cyber events with a 10% annual probability,” the press release said. The media announcement noted that the “relationship between revenue and long-term resilience, however, is more complex.”
“Larger companies, which typically have a diversified risk profile, may show greater proportional impacts on Shareholder Equity in extreme scenarios due to lower reserved capital relative to their size,” said Kovrr. Basically, extreme cyberattacks can impact larger companies’ stock price more dramatically than smaller companies’, as the former are less likely to keep significant safety net capital in reserve.
Network Visibility and Resilience
The “2024 True Cost of Security Breach” report from ExtraHop further illuminates how certain kinds of cyberattacks can wreak financial havoc on organizations. In one recent case featured in our study, we documented a Nasdaq-listed biotech firm that has seen its share price drop by over 65% since it discovered a massive data breach last year.
Taken in combination with Kovrr’s, the WEF’s, and the IMF’s findings, ExtraHop’s latest analysis of enterprise cyberattack costs further reinforces the notion that cyber resilience has become a table-stakes risk priority for blue chip organizations.
Network visibility is essential to helping organizations build resilience against all manner of cyberattacks, including BGH ransomware attacks. The RevealX network detection and response (NDR) platform from ExtraHop sits out of band, silently recording and analyzing all network traffic flowing into, out of, and within an organization, without degrading network performance.
RevealX baselines an organization’s normal network activity and uses a combination of rules, indicators of compromise (IOCs), and machine learning to identify in real time the tell-tale signs of a ransomware attack. These signs often include command and control beaconing, network enumeration, lateral movement, domain escalation, and data staging. Also, these attack signals are most quickly and accurately detected on the network rather than in server syslogs, event logs, or other endpoint forensic processes.
By detecting early-stage ransomware activities including C2 beaconing, lateral movement, and domain escalation, RevealX gives organizations opportunities to intervene early in a ransomware attack and to stop it before threat actors can steal data or disrupt an organization’s business operations.
In addition to helping organizations build resilience through early detection of ransomware and other attacks, RevealX helps organizations maintain it during cyberattack investigations.
Typically, when organizations discover a breach, they shut down their entire infrastructure so that the attack doesn’t spread during the investigation, which severely disrupts operations and often leads to revenue loss for commercial entities.
But with the capabilities RevealX provides for capturing, reassembling, and analyzing network data, including full packets, into a meaningful attack narrative in real time, organizations can identify precisely which systems were compromised. These capabilities help enterprises make more informed decisions about what should be shut down and what systems can remain online to limit disruption and maintain resilience.
As cyberattacks increasingly threaten enterprises’ operations, and even solvency in some cases, a modern NDR platform like RevealX can help organizations optimize their cyber resilience in an unprecedented era of risk.