Good ITAM practices are now critical to achieving a good credit rating. This is acccording to a new report by the global credit ratings agency S&P Global Ratings. In its new report, Cyber risk insights: IT asset management is central to cyber security, S&P has warned that organisations that pay inadequate attention to ITAM as a factor in their cyber risk management processes may find their creditworthiness impacted.
In other words, ITAM is now critical to achieving a good credit rating.
In the report, the agency explores how ITAM (which it defines as the practice of tracking and managing hardware, connected devices, software and networks throughout their lifecycle) is now vital to an organisation’s ability to proactively manage vulnerabilities, respond to cyber incidents and attacks, and minimise their financial impact.
The report cites the much-quoted 2017 Equifax data breach which saw the personal data of 149 million people exposed as a prime example of an incident in which a lack of adequate ITAM was a decisive factor.
The US Federal Trade Commission’s (FTC’s) complaint against Equifax, which ultimately led to a multi-million dollar fine, cited an inability to maintain “an accurate inventory” of its public-facing IT assets that ultimately led to the failure to patch an Apache Struts vulnerability, which a Chinese advanced persistent threat (APT) actor was able to use to access its systems.
As reported in Computer Weekly, S&P credit analyst Paul Alvarez said: “ITAM is foundational to effective cyber security. Its absence at an organisation can be indicative of flawed cyber risk management and could weigh on our view of an entity’s creditworthiness.”
“ITAM is particularly important to the implementation of time-critical cyber security, including identifying assets with critical vulnerabilities, searching for compromised equipment or systems and lifecycle management,” said Alvarez.
We have previously reported on the contribution of poor ITAM practices to the Equifax data breach. This S&P report provides further evidence, if any more was needed, of the importance of ITAM on cyber security. And not just on cyber security, but on a company’s credit rating as well. With the total cost of the Equifax breach now in excess of $2bn in terms of mitigation, remediation, and lawsuits it’s not surprising that a credit agency should be paying close attention to how an organization manages its technology assets. Fellow credit ratings agency Moody’s downgraded Equifax to Negative in the wake of the breach.
This is a golden piece of news for anyone who is struggling to justify the expansion of their ITAM remit in today’s economic environment. We have said time and again that if you want to influence your stakeholders, you need to speak their language. Well, if there’s one language every CFO, CIO and even CEO understand – it is credit ratings. A downgrade from S&P can be devastating – even fatal – so the next time your CIO or CFO asks “what is the value of ITAM?” just show them this report.