WannaCry: A Cybersecurity Wake Up Call

Posted on June 2, 2017

Syed Moinuddin
Associate, Technology Media & Telecommunications Research

The recent Wanna (also called WannaCry) ransomware attack once again highlighted the importance of cybersecurity and of protecting online data and systems. In our 10 for 2017 report, we argue that such attacks are likely to increase in frequency and intensity, making it prudent for investors to integrate cybersecurity risk management into their investment decision-making processes. Understanding these risks is crucial since most companies provide poor visibility into their ability to proactively manage such threats.

While the ransomware primarily targeted a vulnerability within Windows, which Microsoft addressed earlier in the year through a software update, more than 200,000 computers in at least 150 countries were said to be affected, according to Europol. The Wanna malware used an exploit stolen from the U.S. National Security Agency (NSA) to encrypt user hard drives and demand ransom in exchange for access to their own systems. It affected the U.K.’s National Health Service (NHS), Germany’s Deutsche Bahn rail system, automakers Nissan Motor Co. and Renault SA, PetroChina and FedEx Corp., targeting virtually every sector. In the case of the NHS in the U.K., patients were relocated, and scheduled operations and treatments were delayed.

One theme that emerges following this latest incident is that while this ransomware attack was relatively low in the number of systems affected, it targeted critical infrastructure sites such as hospitals and transportation agencies. According to the U.K.’s National Cyber Security Centre, it is also possible for compromised networks to go undetected and spread the ransomware to other systems later. Given the growing focus on interconnecting systems through web-based networks for improved operational efficiency, the impact and risks from such attacks are likely to increase for every sector.

This raises the question: are companies prepared to deal with the unpredictable yet inevitable nature of cyberattacks? Our assessment of technology, media and telecommunications companies, which tend to have high exposure to cyberattacks and related risks, shows that most do not provide adequate guidance on how they are managing data privacy and security risks (see graph below). While there is no foolproof way to protect data, implementing best practices can often make a significant difference in mitigating impact. In some cases, it can be as simple as implementing regular enterprise software security updates, which was the case in the Wanna attack.

Assessment of Technology, Media and Telecommunications Companies' Data Privacy Policies in Percentages (n=713)

Source: Sustainalytics research

Sustainalytics’ privacy policy indicator measures how companies process and secure customer data. The graph above shows the proportion of technology, media and telecommunications companies researched by Sustainalytics with strong, adequate, or weak policies, or no data privacy policy at all.

Effective data security requires policies that prioritize user privacy as well as information security management systems that have executive oversight. The stakes are even higher moving forward as regulations such as the European Union’s General Data Protection Regulation (GDPR), which imposes fines (up to 4% of global turnover) on companies that fail to secure user data, come into force. Considering these factors, companies and investors alike may find it prudent to prioritize data privacy and security issues as part of their ongoing risk assessment processes.
