ITAM influence on cyber risk becoming a factor in credit ratings

October 6, 2023

ITAM influence on cyber risk becoming a factor in credit ratings, Alex Scroxton,, August 16, 2023

Credit agency S&P Global Ratings warns that organizations that pay inadequate attention to IT asset management as a factor in their cyber risk management processes may find their creditworthiness takes a dive

IT asset management (ITAM) and its relationship to good cyber security practice and risk management is becoming a vital element in determining an organisation’s ability to obtain credit, and those that lack an appropriate ITAM strategy may find their ratings adversely effected, according to credit ratings agency Standard & Poor’s (S&P) Global Ratings.

In its report, Cyber risk insights: IT asset management is central to cyber security, the agency explores how ITAM – defined as the practice of tracking and managing hardware, connected devices, software and networks throughout their lifecycle – is now vital to an organisation’s ability to proactively manage vulnerabilities, respond to cyber incidents and attacks, and minimise their financial impact.

It cites the 2017 breach of personal data on 149 million Brits, Americans and Canadians at fellow credit agency Equifax as a prime example of an incident in which ITAM, or lack thereof, was a decisive factor.

The US Federal Trade Commission’s (FTC’s) complaint against Equifax, which ultimately led to a multi-million dollar fine, cited an inability to maintain “an accurate inventory” of its public-facing IT assets that ultimately led to the failure to patch an Apache Struts vulnerability, which a Chinese advanced persistent threat (APT) actor was able to use to access its systems.

S&P credit analyst Paul Alvarez said: “ITAM is foundational to effective cyber security. Its absence at an organisation can be indicative of flawed cyber risk management and could weigh on our view of an entity’s creditworthiness.”

To access the full article, click here