Fitch Ratings has warned of a potential increase in cyber risk as corporate and infrastructure cybersecurity budgets across the US come under increasing pressure due to poor revenue outlooks.
Analysts note that cybersecurity spending is often viewed as an added cost rather than an essential business expense, with ROI metrics difficult to quantify, unlike other types of spending and investment.
With economic uncertainty, rapid interest rate hikes to combat inflation, and the negative effects of a strong US dollar on large multinational companies, cybersecurity investment may therefore be significantly reduced, Fitch says.
This will likely increase the downside risk of attacks, although large companies, critical infrastructure and regulated industries should fare better than small-to-medium companies in unregulated industries and lower-margin sectors, the rating agency said.
However, a large cyber budget does not necessarily translate to better cybersecurity, nor is it an effective risk metric, as it is difficult to determine whether budgets are appropriately funded.
Substantial budgets can be indicative of a larger attack surface, an inefficient use of resources or higher reliance on legacy technology.
According to a Q4 2021 Information Systems Audit and Control Association (ISACA) survey of 2,031 of its member firms, only 42% categorized cybersecurity budgets as appropriately funded, 63% reported unfilled positions and only 41% performed annual cyber-risk assessments, Fitch notes.
Notable gaps in cybersecurity include security control implementation, coding, software development, and data- and networking-related topics.
“Institutions that were deficient in budgetary allocations may face further difficulty in responding to or preventing cyberattacks if relegated to focusing on dollar spend instead of security outcome,” Fitch commented.
“The interconnected digital ecosystem has also exposed vulnerability in supply chains, and the critical importance of third- and fourth-party vendor risk management to a company,” it continued.
“The shift to hybrid work-from-home models and ongoing adaptations required to maintain cybersecurity best practices will require additional security adaptations and budget allocations.”