Press Release

ISS-Corporate: U.S. Companies Face High Exposure to Third Party and Aggregate Cyber Risk

ROCKVILLE, Md. (August 7, 2024) – ISS-Corporate, a leading provider of compensation, governance, cyber risk monitoring, and sustainability offerings to help companies improve shareholder value and reduce risk, today announced the findings of an analysis of cybersecurity breaches and aggregate cyber risk at U.S. public companies. Following the Securities and Exchange Commission’s implementation of cyber disclosure requirements for publicly traded firms in December 2023, firms are required to provide timely reporting on material cybersecurity incidents and also provide annual disclosures regarding cyber risk management practices and management and board involvement in cyber risk oversight.

ISS-Corporate’s analysis examines cyber incidents reported by Russell 3000 companies in the two-year period leading up to December 31, 2023, leveraging data collected from 32 U.S. state reporting databases.

The study finds that of the 693 reported cyber incidents, which impacted 10.5 percent of Russell 3000 companies, one third involved a supplier or other third-party relationship, and these incidents tended to have a broader impact. Roughly 60 percent of the reported cyber incidents impacting 100,000 or more individuals were attributable to a third party, necessitating an examination of supply-chain risk concentration and aggregate exposure.

Aggregate risk exposure across the index is high, with ISS-Corporate data finding that more than 90 percent of Russell 3000 firms have specific individual third-party technology providers in common. Cloud concentration is also high, with as many as one-third of companies utilizing the same cloud services provider at the same specific location. The analysis also finds more than 1,000 unique supplier/technology pairings, each being utilized by more than 10 percent of constituent companies.

In assessing the aggregate risk, the report leverages data from the ISS Cyber Risk Score platform. The ISS Cyber Risk Score is a scaled representation of the likelihood that an organization will suffer a material security incident within the next 12 months. The score is calculated by a machine learning model trained on reported cyber incidents and leverages several categories of technical information, including the extent and configuration of assets exposed to the Internet, evidence of compromise, and the use of best practices in website construction. Companies that reported cyber incidents during the analysis period were generally found to have higher risk, as measured by significantly lower ISS Cyber Risk Scores, than firms with no reported incidents.

“Third party risk can be difficult for companies to manage, and even harder for their stakeholders to effectively assess, with some large firms having ten thousand or more suppliers,” said Doug Clare, Managing Director for Cyber Strategy at ISS-Corporate. “Assessing and managing aggregate exposures to third and even fourth party cyber risk is an increasingly important part of a risk manager’s role. The downstream impacts of commonly deployed single points of failure can have severe and consequential impacts for businesses and consumers.”

Read the full analysis from ISS-Corporate here.

ISS-Corporate is a leading provider of robust SaaS and expert advisory services to companies, globally. ISS-Corporate’s data-driven, research-backed Compass platform empowers businesses to understand and shape the signals they send to institutional investors, regulators, lenders, and other key stakeholders. By delivering essential data, tools, and advisory services, ISS-Corporate can help businesses around the world to be more resilient, align with market demands, and proactively manage governance, compensation, sustainability, and cyber risk initiatives. ISS Corporate Solutions, Inc. (“ISS-Corporate”) is a wholly owned subsidiary of Institutional Shareholder Services Inc. (“ISS”) and part of the ISS STOXX GmbH group of companies. ISS-Corporate provides advisory services, analytical tools and publications to companies to enable them to improve shareholder value and reduce risk through the adoption of improved corporate governance practices. The ISS STOXX Governance and ESG research teams, which are separate from ISS-Corporate, will not give preferential treatment to, and are under no obligation to support, any proxy proposal of a corporate issuer nor provide a favorable rating, assessment, and/or any other favorable results to a corporate issuer (whether or not that corporate issuer has purchased products or services from ISS-Corporate). No statement from an employee of ISS-Corporate should be construed as a guarantee that ISS STOXX will recommend that its clients vote in favor of any particular proxy proposal or provide a favorable rating, assessment or other favorable result. For more information, please visit https://www.iss-corporate.com

ISS STOXX GmbH, through its group companies, is a leading provider of comprehensive and data-centric research and technology solutions that help capital market participants identify investment opportunities, detect qualitative and quantitative portfolio company risks, and meet evolving regulatory requirements. With roots dating back to 1985, we today deliver world-class benchmark and custom indices across asset classes and geographies and serve as a premier source of independent corporate governance, sustainability, cyber risk, and fund intelligence research, data, and related offerings. Our products and services give clients the scale and leverage they need to grow their business more effectively and efficiently. ISS STOXX, which is majority owned by Deutsche Börse Group, is comprised of more than 3,800 professionals operating across 30 global locations in 20 countries. Its approximately 5,500 clients include many of the world’s leading institutional investors who turn to ISS STOXX for its objective and varied offerings, as well as companies focused on ESG, cyber, and governance risk mitigation as a shareholder value enhancing measure. Clients rely on ISS STOXX’s expertise to help them make informed decisions to benefit their stakeholders.