Skip to main content

Cybersecurity: A Pervasive Risk

Posted on October 30, 2019

Moin Syed
Moin Syed
Manager Technology, Media and Telecommunications Research

In 2017, in the wake of the WannaCry ransomware attack, we argued that the event should be seen as a cybersecurity wake up call. Since then, cybersecurity risks have remained a source of uncertainty for most companies, driven by the increasing intensity, both in volume and impact, of cyberattacks. These risks are compounded by the continuous expansion of critical infrastructure (energy grids, utilities, hospitals) to digital platforms and the breadth of sensitive information that is housed in online servers. As a result, the pool of lucrative targets for malicious actors continues to grow. This is reflected in the notable rise in the number cyber insurance claims. According to a study by AIG, 2018 had the same number of cyber insurance claims as the preceding two years combined.[i]

Beyond the headlines

Since WannaCry, cyber risk has moved up the list of priorities with key international organizations as well as executive surveys flagging it as a critical business risk. Studies continue to show that the costs associated with data breaches remains significant. According to a study by IBM and the Ponemon Institute, the current average cost related to cybersecurity incidents is USD 3.92 million (Figure 1) and is highest within the healthcare sector (USD 6.45 million).[ii] The same report also notes that it took companies 279 days on average to detect and identify a data breach.[iii] This is not surprising when you look at the details of the major breaches in recent years. The breaches or system vulnerabilities at Equifax, Capital One, Google, Yahoo and Facebook were only identified months after the fact and in some cases, were not treated with the level of urgency required. According to a 2019 cyber risk perception survey, while prioritization of cyber risk has been elevated by companies since 2017, confidence in their ability to manage this risk has declined.[iv]

Figure 1: Total Average Cost of Breach (USD Millions)

FY 2019 data reflects data collected between July 2018 and April 2019 according to the IBM Cost of Data Breach Study 2019

A complex risk equation

Data privacy and security governance remain tricky, especially for companies with expansive data supply chains, a perspective we sharedin a previous article. As data supply chains become increasingly complex, detection and mitigation are expected to be even more challenging from an enterprise risk management point of view. Since company systems do not operate in isolation, there are multiple channels for malicious actors to exploit from employees to vendors to other third-party relationships that depend on a digital connection.

This new reality also means that breaches and associated costs are only one aspect of the risk equation. For example, annual losses as a result of cybercrimes were pegged at USD 500 billion in 2017 and have likely increased since.[v] This amount includes financial impacts from intellectual property (IP) theft, operational disruption and associated opportunity cost as well as legal liability from customers.

However, this is but one estimate, the risk and the losses could be much greater. Between 1975 and 2015 the proportion of enterprise value allocated to intangible assets among S&P 500 companies grew from 17% to 85%.[vi] Much of this intangible value is tied to IP as well as a company’s proprietary data assets. In the event a company is unable to identify a security vulnerability in its systems in a timely manner, blueprints on competitive strategies, intellectual property as well as confidential customer data could be extracted unbeknownst to the company.

Under the Radar

For investors, considering cybersecurity alongside traditional fundamental factors is key to developing a holistic understanding of company risks. In many cases, cyber risk may fly under the radar until there is a systemic failure, at which point it may already be too late to effectively mitigate the aftermath. In such scenarios, a company is likely to undergo significant market and regulatory scrutiny before it can even take steps to restore its credibility.

Sustainalytics has been examining how significantly data privacy and security can impact a company’s enterprise value. As part of our ESG Risk Ratings framework, when assessing the potential vulnerability of a company’s enterprise value to associated cyber risks, we consider factors such as the nature of a company’s data assets and its operating context (i.e., applicable regulations). For example, subindustries with companies that have sensitive data assets are deemed to have medium to high exposure to experiencing financially material impacts driven by the issue (Figure 2).[vii] This exposure is further refined at the company level using its specific operating context.

Data Privacy and Security Material ESG Issue: Subindustry Exposure Score (Select Subindustries)

Subindustry Exposure




Building Cyber Resilience

The regulatory and market scrutiny associated with issues such as data privacy and cybersecurity are expected to increase, driven by the proliferation of ransomware, malware, phishing and new types of malicious attacks. For companies, such attacks can drastically impact productivity, bring down critical systems and result in residual damage that can take years to mitigate.

Cyberattacks are now part of the daily operating context and companies should plan accordingly. The key is establishing enterprisewide cyber resilience to proactively manage gaps that could be exploited by malicious actors. It is important to remember that technology is only part of the answer. Even the most cutting edge enterpriselevel cybersecurity solutions will not be able address deficiencies in employee training and functional oversight. At the end of the day, cybersecurity-related spending needs to be viewed as a long-term investment in business resilience as opposed to just another operating cost.






Forbes 2

End Notes

[i] AIG (2019) “Cyber Claims: GDPR and business email compromise drive greater frequencies,” accessed at:

[ii] Refer to Engagement Theme on Cybersecurity in Healthcare:

[iii] Solomon, H., IT World Canada, 23 July 2019, “Average cost of a data breach is nearly $4 million, says study,” accessed at: also see:

[iv] Marsh, Microsoft (2019), “2019 Global Cyber Risk Perception Survey,” accessed at:

[v] KPMG, MatchiBiz (2018), “Cyber Insurance – How Insuretechs can unlock Opportunity,”

[vi] Ibid.

[vii] For additional information on Sustainalytics ESG Risk Ratings, please visit

Recent Content

Incentivizing Change: How ESG-Linked Compensation Can Advance Sustainability Initiatives

Discover how implementing quantifiable ESG targets for compensation incentives can help companies and their investors achieve their sustainability goals.

Navigating the EU Regulation on Deforestation-Free Products (EUDR): 5 Key Questions Answered About Company Readiness and Investor Risk

Navigating the EU Regulation on Deforestation-Free Products: 5 Key EUDR Questions Answered About Company Readiness and Investor Risk

The EUDR comes into effect in December 2024, marking an important step in tackling deforestation. In this article, we answer five key questions who the EUDR applies to, how companies are meeting the requirements, and the risks non-compliance poses to both companies and investors

Child Labor in Cocoa Supply Chains | Morningstar Sustainalytics

Child Labor in Cocoa Supply Chains: Unveiling the Layers of Human Rights Challenges

Child labor remains a persistent issue in the cocoa supply chain. So can major food brands do to stop it? Discover the steps companies can take to address the issue and ways investors can engage with companies to mitigate it.

Beyond 1.5 LCTR Managing Climate Risk | Morningstar Sustainalytics

Beyond 1.5 Degrees: What the LCTR Tells Us About Companies Managing Their Climate Risk

The LCTR rating of over 8,000 companies shows that global temperatures will rise 3.1 degrees Celsius over pre-industrial averages. This article looks at the overall performance of these companies and the industries that are leading on climate.