An outside IT security group states that we have a vulnerability in our system security. Should I address it immediately or put it on the list?
Even if there is no evidence that a breach occurred, an organization may have financial exposure if a security lapse exists or has existed. So, you should address it immediately.
If the data that was potentially exposed includes personal identifiers, then organizations can face private causes of action from employees and/or consumers, typically in the form of class actions.
The other risk is from government regulators, federal and state, even if no financial data was exposed but personal identifiers were at risk.
For example, the New York Attorney General recently fined Wegmans $400,000 for "reckless handling and exposing" of the personal information of 830,000 New Yorkers, even though there was no evidence that any data was taken and not one dollar of loss was shown.
To quote the press release:
Today, Wegmans is paying the price for recklessly handling and exposing millions of consumers' personal information on the internet. In the 21st century, there's no excuse for companies to have poor cybersecurity systems and practices that hurt consumers.
The final takeaway is that your data system is like a long-haul truck, subject to inspection and fines from multiple sources, even if you have never had a wreck. So, while focusing on post-breach response is important, pre-breach exposure exists as well.