Cybersecurity – ESG or impact?
Cybersecurity is becoming an increasingly prominent topic. The World Economic Forum published its Global Risks Report for 2024 and cyber-attack was ranked the 5th “most likely to present a material crisis on a global scale in 2024”. 1 For private sector stakeholders and governments, it ranked 3rd.
The cost of cyber-attacks is rising. The global cost of cybercrime damage is expected to hit $10.5 trillion annually by 2025, up from $3 trillion in 2015.2 Lloyd’s of London estimate that a major global cyber-attack has the potential to trigger $53bn of economic losses, equivalent to a natural disaster the scale of superstorm Sandy.3
The frequency is also increasing. Research by Check Point, a major US cybersecurity company, showed that ransomware attacks reached an all-time high in 2023 with 10% of organisations worldwide targeted, a 33% increase on 2022.4
It’s clear that companies need to be considering cybersecurity as part of ESG. Intangible value, including digital assets like software and customer data, now represents 90% of the asset value of organisations. 5 That demonstrates that cyber-attacks present a material threat to the value of a company.
But should we go further and consider it as part of impact?
Cybersecurity and the environment
At WHEB, we define impact as products or services providing solutions to key sustainability challenges. To qualify, we would need to establish that cybersecurity is addressing an aspect of sustainability.
Looking first at the UN Sustainable Development Goals, there isn’t a goal that deals explicitly with cybersecurity. However, considering the definitions of a few of them there are reasons to believe that cybersecurity could be a contributing factor to achieving a number of goals:
Goal 6: Ensure availability and sustainable management of water and sanitation for all.
Goal 7: Ensure access to affordable, reliable, sustainable and modern energy for all.
Goal 9: Build resilient infrastructure, promote inclusive and sustainable industrialisation and foster innovation.
Goal 11: Make cities and human settlements inclusive, safe, resilient and sustainable.
The increasing use of digital and connectivity tools in each of these areas creates significant cybersecurity risks. There are numerous examples of energy infrastructure being targeted.6 Hackers have also targeted water treatment facilities in the US and Australia.7
The energy transition relies heavily on digital technologies and interconnectedness. As we wrote in a recent article, modernisation of the grid is critical for managing the increasing contribution of renewable energy and greater electrification. Attackers are increasingly targeting these operational technologies and in 2021 a survey of cybersecurity experts identified the energy sector as the most likely to suffer attacks on control systems.8
In his recent cybersecurity strategy paper, President Biden included a specific objective, “secure our clean energy future”.9 This feels like a clear demonstration of the importance of the issue to sustainability outcomes.
Cybersecurity and health
Digital technologies also increase vulnerability in other areas of sustainability, such as health. In 2017, the US Food and Drug Administration recalled 500,000 pacemakers due to the risk of hackers altering the patient’s heartbeat. In 2020 a hospital in Germany was forced to close its emergency department after a ransomware attack.10
The attacks are growing in scale. In February this year, a division of UnitedHealth Group in the US was the subject of a cyber-attack that left healthcare providers unable to fill prescriptions or get reimbursement for insurers. 11 A survey by the America Hospital Association found that 95% of hospitals experienced disruptions from the attack and 74% reported impacts to direct patient care.12
Technology adoption in healthcare is increasing rapidly, whether through wearable devices, hospital equipment or patient data records. That data is being used more widely too. Artificial Intelligence (AI) is a growing topic within healthcare, and high-profile AI companies like Nvidia are investing significant amounts in the industry.13
Cybersecurity and AI
The relationship between AI and sustainability is complex. What is clear is that AI is likely to increase the volume and heighten the impact of cyber-attacks.14 One emerging area is the spread of disinformation, which creates risks to elections and social cohesion.
In Slovakia’s recent election an AI-generated fake video circulated of a candidate discussing plans to manipulate the election, including buying votes15 Elections are vulnerable to a range of technological threats, including hacking, data breaches and more sophisticated forms of manipulation such as deepfakes and AI-generated disinformation.16
There will be over 40 national elections this year covering over 50% of global GDP, including the US and UK. In the US the government’s cybersecurity agency has published a Cybersecurity Toolkit to Protect Elections. One of the recommendations is the implementation of advanced technologies to detect and mitigate potential threats.
Cybersecurity and impact
At WHEB, we are in the early stages of exploring the topic of cybersecurity. But we do think there is a case for categorising it as a sustainability challenge. The challenge is a multifaceted one, and touches on many of our existing themes. The cost of ignoring the challenge is increasing, affecting more companies and more individuals every year.
Our next question is what are the solutions? This will involve looking at cybersecurity providers through the lens of our impact engine analytical framework. We are focusing on two areas where we think companies can have positive impact. First are companies providing products or services that have a differentiated outcome relative to the existing standards. Second are companies focused specifically on protecting the safety of individuals, for example through identity management software. This effectively widens the definition in our existing Safety theme beyond physical safety.
The world was slow to identify and act on existing environmental and social challenges. The consequences of that are now being felt. We hope cybersecurity will be different. And we think that we as impact investors have role to play in opening up the conversation on cybersecurity and starting to look more closely at solutions.
By Victoria MacLean
1 World Economic Forum, The Global Risks Report 2024, https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2024.pdf
2 https://cybersecurityventures.com/top-5-cybersecurity-facts-figures-predictions-and-statistics-for-2021-to-2025/
3 https://www.lloyds.com/about-lloyds/media-centre/press-releases/extreme-cyber-attack-could-cost-as-much-as-superstorm-sandy
4 Check Point, January 2024, https://blog.checkpoint.com/research/check-point-research-2023-the-year-of-mega-ransomware-attacks-with-unprecedented-impact-on-global-organizations/
5 World Economic Forum, “Cybersecurity is an environmental, social and governance issue. Here’s why”, https://www.weforum.org/agenda/2022/03/three-reasons-why-cybersecurity-is-a-critical-component-of-esg/
6 Forbes, https://www.forbes.com/sites/johntough/2022/09/29/sustainability-and-cybersecurity-the-unexpected-dynamic-duo-of-the-energy-transition/?sh=7c216a915851
7 https://www.sustainability.com/thinking/the-rising-role-of-cybersecurity-in-esg-and-how-companies-are-taking-action/
8 World Economic Forum, https://www.weforum.org/agenda/2023/10/why-the-energy-sector-and-critical-infrastructure-is-particularly-vulnerable-to-cyber-attacks/
9 The White House, https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
10 https://www.sustainability.com/thinking/the-rising-role-of-cybersecurity-in-esg-and-how-companies-are-taking-action/
11 CNBC, https://www.cnbc.com/2024/03/27/unitedhealth-group-paid-over-3-billion-to-providers-since-cyberattack.html
12 American Hopsital Association, https://www.aha.org/news/news/2024-03-15-aha-survey-change-healthcare-cyberattack-having-significant-disruptions-patient-care-hospitals-finances
13 CNBC, https://www.cnbc.com/2024/03/24/nvidias-ai-ambitions-in-medicine-and-health-care-are-becoming-clear.html
14 National Cyber Security Centre, https://www.ncsc.gov.uk/report/impact-of-ai-on-cyber-threat
15Bloomberg, https://www.bloomberg.com/news/newsletters/2023-10-04/deepfakes-in-slovakia-preview-how-ai-will-change-the-face-of-elections
16 World Economic Forum, https://www.weforum.org/agenda/2023/11/elections-cybersecurity-ai-deep-fakes-social-engineering/