ITAM influence on cyber risk becoming a factor in credit ratings

IT asset management (ITAM) and its relationship to good cyber security practice and risk management is becoming a vital element in determining an organisation’s ability to obtain credit, and those that lack an appropriate ITAM strategy may find their ratings adversely effected, according to credit ratings agency Standard & Poor’s (S&P) Global Ratings.

In its report, Cyber risk insights: IT asset management is central to cyber security, the agency explores how ITAM – defined as the practice of tracking and managing hardware, connected devices, software and networks throughout their lifecycle – is now vital to an organisation’s ability to proactively manage vulnerabilities, respond to cyber incidents and attacks, and minimise their financial impact.

It cites the 2017 breach of personal data on 149 million Brits, Americans and Canadians at fellow credit agency Equifax as a prime example of an incident in which ITAM, or lack thereof, was a decisive factor.

The US Federal Trade Commission’s (FTC’s) complaint against Equifax, which ultimately led to a multi-million dollar fine, cited an inability to maintain “an accurate inventory” of its public-facing IT assets that ultimately led to the failure to patch an Apache Struts vulnerability, which a Chinese advanced persistent threat (APT) actor was able to use to access its systems.

S&P credit analyst Paul Alvarez said: “ITAM is foundational to effective cyber security. Its absence at an organisation can be indicative of flawed cyber risk management and could weigh on our view of an entity’s creditworthiness.”

“ITAM is particularly important to the implementation of time-critical cyber security, including identifying assets with critical vulnerabilities, searching for compromised equipment or systems and lifecycle management,” said Alvarez.

S&P warned that ineffective or absent ITAM can lead to gaps and blind spots in organisations’ ability to conduct appropriate cyber risk management, leading to increased vulnerability, compliance issues, inefficiencies and sub-optimal incident response.

It said that these gaps more usually reflected a lack of attention or resource dedicated to ITAM, but also acknowledged that many IT and security teams do find it hard to meet the bespoke needs of differing ITAM systems, which can be determined by multiple factors such as complexity, size and operational area.

S&P said that for ITAM to properly fulfil its function, it must perform a minimum of functions and be subject to ongoing support.

Assets that need to be protected must be properly protected and effectively tracked, and there need to be processes in place to maintain that degree of oversight, which ideally will cover a wide range of information, including network addresses; hardware type, such as desktop or laptop PC, or server; software, including both operating systems and applications; ownership details; configuration settings; and how critical the asset is to the organisation.

S&P added that while responsibility for ITAM has traditionally fallen to the IT team, the most effective practitioners break out of this silo and share ownership and management across different beats. As an example, says the report, the security team will often have data that can help the IT team take an accurate inventory of exactly what assets it has on its books, which helps everyone.

“In our view,” the report concludes, “ITAM should be directed by explicit policy that provides the authority for the system to be effective and assigns clear roles and responsibilities.”