Comment by harwoodr

It sounds like a standard threat-risk assessment applies.

How big of a threat is it/what impact will it have on business/reputation/etc.?

How likely is it to be exploited and how widely would it be considered useful to the market of threat actors?