Cybersecurity: A Growing ESG and Business Risk

Posted on October 25, 2022

Melissa Hudson
Associate Director, Research Products
Liam Zerter
Quantitative Research Manager, Methodology & Product Architecture

Cyber risk is one of the most immediate and financially material ESG risks that organizations face today.1 As companies continue to digitalize and business models shift to incorporate a complex mix of technology and data supply chains, stakeholders are reckoning with a significant realignment in global security risk. Four recent global events have reinforced this view:

1. the COVID-19 pandemic has coincided with a rapid increase in cyber incidents, including ransomware;

2. the SolarWinds supply chain attack highlighted the scope of interdependence in the cybersecurity ecosystem;

3. the Colonial Pipeline attack in the US signaled the vulnerability of critical infrastructure and cyber-physical risk; and,

4. the Russian invasion of Ukraine increased awareness of the real possibility of cyber warfare.

These types of events, along with the growing frequency and severity of losses due to cyberattacks, are placing an increased focus on the cybersecurity ecosystem as a whole. Supply chain and critical infrastructure attacks, as well as the knock-on effects of cyber espionage and cyber sabotage, demonstrate the systemic nature of this risk. In addition, ransomware-as-a-service is democratizing the hacking industry while the cost of cyber insurance grows apace - far exceeding global commercial rate increases.2

Furthermore, as the number of companies targeted has broadened, the financial impact of cyber risk has increased significantly. For example, in 2011, 49% of firms were exposed to zero cybersecurity risk; in 2018, that number had declined to 10%. In its 2022 Global Cybersecurity Outlook report, the World Economic Forum refers to the prevalence of cybersecurity risks as “the new normal”.3

These risks are becoming increasingly clear to stakeholders. High-profile breaches, including those at SolarWinds and Colonial Pipeline, have become front-page news, with a visible impact on companies, associated supply chains, and communities. The public costs of underinvestment in corporate cybersecurity are increasingly viewed as market failures, similar to those associated with environmental issues. These costs are driving increased regulation and stronger enforcement.

The Effects of the Changing Market Dynamics

The costs of corporate underinvestment in cybersecurity are often seen too late, with investors and companies taken off guard as they are suddenly confronted with significant transition risks.

Organizations that attempt to systematically estimate the frequency, severity, costs and/or impacts of cybersecurity events tend to consistently revise their baseline estimate upward. Initial models routinely underestimate the growth in security risk. For example, in April 2020, Forbes estimated that from 2014 to 2020, companies’ global external cybersecurity spending increased at a compound annual growth rate (CAGR) of 9.8%, from USD74 billion to USD130 billion, with future growth predictions out to 2026 slowing to 8.1%.4 Going forward, we now see multiple revised estimates for annual growth estimated in the low double digits. For example, Fortune Business Insights estimates a CAGR of 13.4% between 2022 and 2029.5

The cyber insurance industry is ringing the alarm on changing market dynamics and the sustainability of the current landscape. Marsh and McLennan Co. cites an inflection point in the market comparable to that faced by property insurers 30 years ago following Hurricane Andrew.6, 7 In 2021, loss ratios neared 100%, premiums more than doubled, and increased underwriting scrutiny led to significant reductions in coverage.8 Moreover, coverage availability is now tied closely to implementing best-in-class cybersecurity safeguards.

Revising Expectations: The New Normal

International organizations, governments, companies, and investors recognize the urgent need to mitigate cyber risk. Most Fortune 100 companies are now disclosing cybersecurity as a material risk in their Annual Reports, and their disclosures on how they are mitigating this risk are increasingly detailed.9 Like corporates, investors also recognize this risk, with RBC Global Asset Management identifying cyber risk as the top ESG concern for institutional investors.10

Governments, oversight agencies and international organizations have also greatly expanded their efforts in this domain. For example, the United States Securities and Exchange Commission (SEC) recently issued enforcement actions and proposed new rules for cybersecurity breach reporting and corporate disclosure.11 In response to the SolarWinds and Colonial Pipeline attacks, the US, among many other nations, began to take a more proactive approach to overseeing cybersecurity risks in the private sector. To this end, US President Joe Biden issued an Executive Order on cybersecurity in March 2021 to mandate enhanced security within the software supply chain and facilitate private-public information sharing.12 Following Russia’s invasion of Ukraine in February 2022, Biden expanded this mandate to public-private action plans for the electricity, pipeline and water sectors. A directive was also issued instructing federal government departments and agencies to leverage all existing authorities to mandate new cybersecurity defense measures.13

Companies and investors seem to be adjusting their forecasts to account for attacks on critical infrastructure, new attack methods, the democratization of hacking technology, higher-cost/lower-coverage cyber insurance, and increasing cybersecurity regulation and standards. The 2022 Allianz Risk Barometer survey of risk management professionals cites cyber incidents as the number one business risk and business interruption as number two, with more than 50% of the identified “business interruptions” related to cybersecurity failures.14 This represents a profound change in the cybersecurity risk landscape.

Sources:

1. World Economic Forum (2022); Global Cybersecurity Outlook: Insight Report 2022; accessed (13.07.2022) at: https://www.weforum.org/reports/global-cybersecurity-outlook-2022/

2. Marsh (2021); “US Pricing Q3 2021 | Global Insurance Market Index | Marsh”; Marsh; accessed (06.07.2022) at: https://www.marsh.com/fr/en/services/insurance-market-and-placement/insights/us-gimi-q3-2021.html

3. World Economic Forum (2022); Global Cybersecurity Outlook: Insight Report 2022; accessed (13.07.2022) at: https://www.weforum.org/reports/global-cybersecurity-outlook-2022/

4. Columbus, L. (2020); “2020 Roundup Of Cybersecurity Forecasts And Market Estimates”; accessed (06.07.2022) at: https://www.forbes.com/sites/louiscolumbus/2020/04/05/2020-roundup-of-cybersecurity-forecasts-and-market-estimates/?sh=4e49cb0e381d

5. Fortune Business Insights (2022); “Cyber Security Market” Fortune Business Insights; accessed (06.07.2022) at: https://www.fortunebusinessinsights.com/industry-reports/cyber-security-market-101165

6. Hurricane Andrew hit the Bahamas and the southern United States as a Category 5 event in 1992. It was by far the most destructive hurricane to hit Florida to that date. As a result of the destruction, almost one million policyholders lost insurance coverage after more than 10 insurance companies went bankrupt. In response, the state government created a new regime to restore adequate insurance capacity.

7. Marsh (2021); “Cyber Insurance Market Overview: Fourth Quarter 2021”; Marsh; accessed (06.07.2022) at: https://www.marsh.com/us/services/cyber-risk/insights/cyber-insurance-market-overview-q4-2021.html

8. Financial Times (2022); “Companies face soaring prices for cyber insurance”; Financial Times; accessed (13.07.2022) at: https://www.ft.com

9. Klemash, S. et al. (2020); “What Companies are Disclosing About Cybersecurity Risk and Oversight”; Harvard Law School Forum on Corporate Governance; accessed (06.07.2022) at: https://corpgov.law.harvard.edu/2020/08/25/what-companies-are-disclosing-about-cybersecurity-risk-and-oversight/

10. RBC (2020); “Cyber security is the top ESG concern for institutional investors”; RBC Global Asset Management; accessed (06.07.2022) at: https://www.rbcgam.com/en/ca/article/cyber-security-is-the-top-esg-concern-for-institutional-investors/detail

11. Malina, S. et al. (2022); “SEC Continues Rolling Out Cybersecurity Rules, this Time Targeting Public Companies”; Greenberg Traurig LLP (gtlaw.com); accessed (06.07.2022) at: https://www.gtlaw.com/en/insights/2022/3/sec-continues-rolling-out-cybersecurity-rules-this-time-targeting-public-companies

12. The Legal Intelligencer (2021); “Biden’s Executive Order Strengthens Government’s Cybersecurity Practices”; www.blankrome.com; accessed (06.07.2022) at: https://www.blankrome.com/publications/bidens-executive-order-strengthens-governments-cybersecurity-practices

13. The White House (2022); “FACT SHEET: Act Now to Protect Against Potential Cyberattacks”; The White House; accessed (06.07.2022) at: https://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/fact-sheet-act-now-to-protect-against-potential-cyberattacks/

14. Allianz Group (2022); Allianz Risk Barometer 2022; January 2022; accessed (13.07.2022) at: Allianz Risk Barometer 2022
