Cybersecurity: A Growing ESG and Business Risk

Posted on October 25, 2022

Melissa Hudson
Associate Director, Research Products
Liam Zerter
Quantitative Research Manager, Methodology & Product Architecture

Cyber risk is one of the most immediate and financially material ESG risks that organizations face today.1 As companies continue to digitalize and business models shift to incorporate a complex mix of technology and data supply chains, stakeholders are reckoning with a significant realignment in global security risk. Four recent global events have reinforced this view:

1. the COVID-19 pandemic has coincided with a rapid increase in cyber incidents, including ransomware;

2. the SolarWinds supply chain attack highlighted the scope of interdependence in the cybersecurity ecosystem;

3. the Colonial Pipeline attack in the US signaled the vulnerability of critical infrastructure and cyber-physical risk; and,

4. the Russian invasion of Ukraine increased awareness of the real possibility of cyber warfare.

These types of events, along with the growing frequency and severity of losses due to cyberattacks, are placing an increased focus on the cybersecurity ecosystem as a whole. Supply chain and critical infrastructure attacks, as well as the knock-on effects of cyber espionage and cyber sabotage, demonstrate the systemic nature of this risk. In addition, ransomware-as-a-service is democratizing the hacking industry while the cost of cyber insurance grows apace - far exceeding global commercial rate increases.2

Furthermore, as the number of companies targeted has broadened, the financial impact of cyber risk has increased significantly. For example, in 2011, 49% of firms were exposed to zero cybersecurity risk; in 2018, that number had declined to 10%. In its 2022 Global Cybersecurity Outlook report, the World Economic Forum refers to the prevalence of cybersecurity risks as “the new normal”.3

These risks are becoming increasingly clear to stakeholders. High-profile breaches, including those at SolarWinds and Colonial Pipeline, have become front-page news, with a visible impact on companies, associated supply chains, and communities. The public costs of underinvestment in corporate cybersecurity are increasingly viewed as market failures, similar to those associated with environmental issues. These costs are driving increased regulation and stronger enforcement.

The Effects of the Changing Market Dynamics

The costs of corporate underinvestment in cybersecurity are often seen too late, with investors and companies taken off guard as they are suddenly confronted with significant transition risks.

Organizations that attempt to systematically estimate the frequency, severity, costs and/or impacts of cybersecurity events tend to consistently revise their baseline estimate upward. Initial models routinely underestimate the growth in security risk. For example, in April 2020, Forbes estimated that from 2014 to 2020, companies’ global external cybersecurity spending increased at a compound annual growth rate (CAGR) of 9.8%, from USD74 billion to USD130 billion, with future growth predictions out to 2026 slowing to 8.1%.4 Going forward, we now see multiple revised estimates for annual growth estimated in the low double digits. For example, Fortune Business Insights estimates a CAGR of 13.4% between 2022 and 2029.5

The cyber insurance industry is ringing the alarm on changing market dynamics and the sustainability of the current landscape. Marsh and McLennan Co. cites an inflection point in the market comparable to that faced by property insurers 30 years ago following Hurricane Andrew.6, 7 In 2021, loss ratios neared 100%, premiums more than doubled, and increased underwriting scrutiny led to significant reductions in coverage.8 Moreover, coverage availability is now tied closely to implementing best-in-class cybersecurity safeguards.

Revising Expectations: The New Normal

International organizations, governments, companies, and investors recognize the urgent need to mitigate cyber risk. Most Fortune 100 companies are now disclosing cybersecurity as a material risk in their Annual Reports, and their disclosures on how they are mitigating this risk are increasingly detailed.9 Like corporates, investors also recognize this risk, with RBC Global Asset Management identifying cyber risk as the top ESG concern for institutional investors.10

Governments, oversight agencies and international organizations have also greatly expanded their efforts in this domain. For example, the United States Securities and Exchange Commission (SEC) recently issued enforcement actions and proposed new rules for cybersecurity breach reporting and corporate disclosure.11 In response to the SolarWinds and Colonial Pipeline attacks, the US, among many other nations, began to take a more proactive approach to overseeing cybersecurity risks in the private sector. To this end, US President Joe Biden issued an Executive Order on cybersecurity in March 2021 to mandate enhanced security within the software supply chain and facilitate private-public information sharing.12 Following Russia’s invasion of Ukraine in February 2022, Biden expanded this mandate to public-private action plans for the electricity, pipeline and water sectors. A directive was also issued instructing federal government departments and agencies to leverage all existing authorities to mandate new cybersecurity defense measures.13

Companies and investors seem to be adjusting their forecasts to account for attacks on critical infrastructure, new attack methods, the democratization of hacking technology, higher-cost/lower-coverage cyber insurance, and increasing cybersecurity regulation and standards. The 2022 Allianz Risk Barometer survey of risk management professionals cites cyber incidents as the number one business risk and business interruption as number two, with more than 50% of the identified “business interruptions” related to cybersecurity failures.14 This represents a profound change in the cybersecurity risk landscape.

1. World Economic Forum (2022); Global Cybersecurity Outlook: Insight Report 2022; accessed 13.07.2022.

2. Marsh (2021); “US Pricing Q3 2021 | Global Insurance Market Index”; Marsh; accessed 06.07.2022.

3. World Economic Forum (2022); Global Cybersecurity Outlook: Insight Report 2022; accessed 13.07.2022.

4. Columbus, L. (2020); “2020 Roundup Of Cybersecurity Forecasts And Market Estimates”; Forbes; accessed 06.07.2022.

5. Fortune Business Insights (2022); “Cyber Security Market”; Fortune Business Insights; accessed 06.07.2022.

6. Hurricane Andrew hit the Bahamas and the southern United States as a Category 5 event in 1992. It was by far the most destructive hurricane to hit Florida to that date. As a result of the destruction, almost one million policyholders lost insurance coverage after more than 10 insurance companies went bankrupt. In response, the state government created a new regime to restore adequate insurance capacity.

7. Marsh (2021); “Cyber Insurance Market Overview: Fourth Quarter 2021”; Marsh; accessed 06.07.2022.

8. Financial Times (2022); “Companies face soaring prices for cyber insurance”; Financial Times; accessed 13.07.2022.

9. Klemash, S. et al. (2020); “What Companies are Disclosing About Cybersecurity Risk and Oversight”; Harvard Law School Forum on Corporate Governance; accessed 06.07.2022.

10. RBC (2020); “Cyber security is the top ESG concern for institutional investors”; RBC Global Asset Management; accessed 06.07.2022.

11. Malina, S. (2022); “SEC Continues Rolling Out Cybersecurity Rules, this Time Targeting Public Companies”; Greenberg Traurig LLP; accessed 06.07.2022.

12. The Legal Intelligencer (2021); “Biden’s Executive Order Strengthens Government’s Cybersecurity Practices”; accessed 06.07.2022.

13. The White House (2022); “FACT SHEET: Act Now to Protect Against Potential Cyberattacks”; The White House; accessed 06.07.2022.

14. Allianz Group (2022); Allianz Risk Barometer 2022; January 2022; accessed 13.07.2022.
