The Sustainalytics Podcast | Cybersecurity and Data Privacy in Focus: Cyberattacks and ESG

Posted on January 26, 2023

Episode Summary

Host:

  • Curtis File, Editorial Manager, ESG and Sustainable Finance

Featuring:

  • Melissa Hudson, Associate Director, Research Products
  • Liam Zerter, Associate Director, Quantitative Research Manager

In this episode of the Sustainalytics Podcast, Curtis explores cybersecurity and data privacy issues, with commentary from Melissa Hudson and Liam Zerter about the real impact of cyberattacks on businesses. You’ll learn about the 2021 United Kronos Group ransomware attack, cybersecurity trends that organizations should monitor, how cyberattacks affect the bottom line, and why companies should invest in developing robust cybersecurity and data privacy policies.

The Current Cybersecurity and Data Privacy Trends Companies Should Monitor

Within the last two years in particular, both the frequency and severity of cyberattacks against businesses have continued to climb. As companies have modernized and expanded their digital infrastructure to remain competitive, they have also increased their vulnerability. High-profile data breaches have led to increased pressure from regulators, consumers, and the insurance industry, who increasingly view such incidents as market failures.

Why Having a Strong Cybersecurity Policy is Important

Perhaps most importantly for a company’s bottom line, Morningstar Sustainalytics’ researchers found that companies that had robust data privacy and cybersecurity policies were able to recover faster from a cyberattack compared to peers with poor or weak policies. Beyond providing a boost to recovery, companies must also invest in their cybersecurity infrastructure in order to keep up with the rapidly changing regulatory landscape. Those that don’t take immediate action will be left behind.

Read Our eBook, Data Privacy, Cybersecurity and ESG: Managing Risks in a Changing Business Environment

Download the ebook to learn about the types of data privacy and cyber threats companies are facing, the potential ESG risks for companies that do not properly address data privacy and security, and how organizations can manage and mitigate data privacy and security risks.

Key Moments

00:00 United Kronos Group Ransomware Attack
01:54 Introduction to the Cybersecurity and Data Privacy Landscape
03:35 Five Global Events Driving Cybersecurity and Data Privacy Trends
05:18 Consequences of Under-Investment in Cybersecurity
06:40 The Increasing Frequency and Severity of Cyberattacks
08:00 How Cyberattacks Impact Stock Price
09:45 The Importance of Strong Data Privacy and Cybersecurity Policy
10:34 A Developing Regulatory Landscape
12:09 Looking Forward

Transcript

00:02

Curtis File: In December 2021, a group of cybercriminals sent panic across the United States. United Kronos Group, a payroll and HR software company, was targeted by a ransomware attack. The attack took out its Kronos Private Cloud platform, and this left major retailers and state governments scrambling to pay employees as the holidays approached.

But worse, a number of hospitals were affected.

Kronos was a mission-critical provider of administrative services for hospitals across the United States. From small, remote hospitals to urban medical systems, the attack interrupted services and, in many cases, resulted in delayed health care delivery. So why was this able to happen?

00:46

John Riggi: In response to the pandemic, hospitals rapidly deployed and expanded network-connected and internet-connected technologies to accommodate a surge of COVID patients and a remote administrative workforce. So, what this did is create many more opportunities for bad guys to penetrate our networks. It's what we call an expanded attack surface.[1]

01:18

CF: That was a clip of John Riggi, Senior Adviser for cybersecurity and risk for the American Hospital Association. At the time of the Kronos attack, he spoke openly to media about his concern for the cybersecurity threats the health care industry is facing. He told NPR:

 

“As we always do, hospitals and health systems will get it done and care for patients, but under additional stress and burden they don't need right now.”

The incident highlighted the real impact of cybersecurity breaches: when corporations and government systems are attacked, our coworkers, friends and family are the collateral damage.

I'm Curtis File, Editorial Manager with Sustainalytics and your host for today as we look at cyberattacks and what they mean for ESG risk management.

 

Cybersecurity and data privacy have become hot button issues, particularly in the last two years. Consumers have become more informed about data privacy issues, demanding companies take accountability for how they process user data. At the same time, there's been a significant increase in the number and severity of cyberattacks against businesses. To better understand the concrete business impact of cyberattacks, Sustainalytics’ experts set out to create a report based on our own research and data, asking, “does a major cybersecurity incident have a meaningful impact on stock price returns?” And it turns out...

02:45

Melissa Hudson: The answer is yes.

02:47

CF: That's Melissa Hudson, Associate Director, Research Products and one of the authors of the report. You'll be hearing more from her today, along with another Sustainalytics expert, Liam Zerter, Associate Director, Quantitative Research Manager. We'll be taking a closer look at the results of the report to get a better understanding of cybersecurity and data privacy. But before we get into the data and numbers, let's take a broader look at cybersecurity as an ESG risk. Melissa Hudson explains.

03:15

MH: If I could sum up what we're seeing, it's that both data and digitization have become a double-edged sword. They are key drivers of value and efficiency, but they also create a significant new target commodity and increased corporate vulnerability. We see five recent global events as key.

First, COVID-19 and the unprecedented disruption and movement to remote work that came with it. Second, the 2020 SolarWinds attack, a game changer that Microsoft's CEO called the largest and most sophisticated attack the world has ever seen. Then came the 2021 Colonial Pipeline hack that showed the U.S. public the real-life, real-time impact of a cyberattack on critical infrastructure. Fourth, the Russian invasion of Ukraine earlier this year, which led many to fear the possibility of cyber warfare. Finally, over the course of this time period, we've seen the emergence of ransomware and in particular its productized form known as “ransomware as a service.”

So, on the one side, disruption, sophisticated technologies, supply chains and critical infrastructure attacks are placing an increased focus on how vulnerable our integrated cyber ecosystem has become. While, on the other, ransomware is leveling the playing field in terms of risk. Companies and industries once considered immune are having to deal with business interruption and extortion as ransomware is made available to less sophisticated actors. In short, we're reckoning with a significant realignment in global cybersecurity risk. And the pace of corporate investment in cybersecurity has not kept up.

05:29

CF: That underinvestment in cybersecurity is a critical issue. The frequency of cyberattacks only continues to climb, and so does the severity of losses. As a result, stakeholders are being taken off guard as they're suddenly confronted with significant transition risks. And the public costs of underinvestment in cybersecurity are increasingly being viewed as market failures in much the same way as environmental issues. These costs are driving increased regulation, stronger enforcement, and pressure from the insurance industry.

05:59

MH: Marsh and McLennan see an inflection point in the market comparable to that faced by property insurers 30 years ago following Hurricane Andrew in Florida. Following Andrew, almost a million policyholders lost coverage after their insurance companies went bankrupt. In today's context, we are seeing a cyber-insurance market with increasing premiums, more exclusions, and, in a signal that mirrors our own analysis, coverage availability tightly linked to implementing industry standard cybersecurity safeguards.

06:40

CF: With regulators and insurers increasingly scrutinizing companies’ cybersecurity practices, Sustainalytics researchers wanted to know: Are cybersecurity incidents really increasing in number and severity? Do cyberattacks impact share price? And if so, how? And do strong privacy and security practices pay off? Let's start with the first question. Liam Zerter has the answers.

07:03

Liam Zerter: Let's take a look at the data privacy and security incidents that Sustainalytics tracks. If we take a look at 2013, moving to 2021, data privacy and security has been growing at a cumulative aggregate growth rate of 37%. If you compare this to the total incident growth rate, which is influenced by coverage, that's been growing at 24%.

We have a pretty clear double-digit growth that's occurring. But the more interesting story is when you look down at the risk level from before 2018 and post-2018. So, from 2013 to 2017, those high-risk business incidents have been going for about an average of, you know, five per year. But in 2019 to 2021, now you're averaging 26. So, you're looking at what might be a 5x increase in those big right-tail events occurring.

08:00

CF: To get a better understanding of what that fivefold increase in incidents means, Sustainalytics researchers put together an event study to look at the price reaction to news of a major cyberattack. They compared a portfolio of companies that had been involved in a high-risk cybersecurity incident against the S&P 500 and a global sector benchmark.

08:20

LZ: From day zero going forward, in the first four days, you have a -2.3% drop and a partial rebound. Some companies start getting some confidence back in the market, but this is short-lived. The absolute bottom that occurs is 60 trading days in. This is particularly interesting because some analysts and news anchors on BNN Bloomberg, for example, will actually reference that, if a big controversy happens to a company, you know, wait three months and sometimes the market forgets about that controversy even occurring. That's very interesting to see that this also aligns to that type of saying.

09:06

CF: But that's not the end of the story. The real surprise for researchers came when looking at the long-term impact. One year later.

09:14

LZ: The incident portfolio is actually still negative in absolute-return terms. But it's even worse off when compared to the S&P 500 and the sector benchmark. Now we have a scenario where, you know, it's clearly showing that there is a drag being placed on these companies for a longer-term period. Some studies that are out there may actually say it could take up to two years for some companies that have been severely cyberattacked to start acting normal again.

09:45

CF: The reports are bleak. Malicious actors don't just steal from corporations, they damage the relationship between companies and their stakeholders. So, what can companies do to protect themselves? Liam says having robust security and data privacy policies can buffer the negative impact.

10:02

LZ: When we looked at data privacy and security policy management scores, those companies that had really strong scores, 75 to 100, one year after the incident actually traded pretty close in line with their relative benchmark. They actually weren't affected all too much in most cases. But those companies that had a score of zero, or no score available at all because of the industry that they participate in, they were down nearly -5%. So, there's a significant gap difference.

10:34

CF: Beyond providing a boost to recovery, the regulatory landscape is changing. Taking a casual approach to cybersecurity and data privacy is no longer an option. New and stricter data privacy regulations are on the horizon, with many nations looking to the EU GDPR as an example. On the cybersecurity front, laws, design requirements and reporting standards are continually evolving. Melissa says organizations must pay close attention to both data privacy and cybersecurity regulations to ensure they maintain compliance.

11:05

MH: In general, we're seeing a broad convergence towards GDPR-like regulatory regimes, at least in the developed world. California's new privacy laws have set a high bar for the U.S. and the majority of states now have their own. Canada, for example, is in the process of amending the breadth and depth of its privacy law to meet or closely align with GDPR standards.

Australia has just greatly increased the fines for privacy breaches in light of at least two major incidents. On the cybersecurity front, we have also begun to see significant developments related to freestanding cybersecurity law, technology design requirements, and increasing attention to critical infrastructure standards and reporting, a trend that has only accelerated with the SolarWinds and Colonial Pipeline attacks.

12:09

CF: Those attacks have highlighted that as a society, we have greatly underestimated cybersecurity risk. While digitization has made it easier for businesses to scale and operate more efficiently, it's also made it easier for malicious actors to exploit vulnerabilities—as demonstrated by the Kronos attack.

Going forward, organizations are going to be facing increased pressure and scrutiny from government regulations, the insurance industry and stakeholders conducting due diligence on cybersecurity risks. As a result, companies are going to have to both increase their investment in cybersecurity and increase their level of disclosure around risk mitigation, with particular attention to controls related to privacy and security management. Companies that fail to do so may ultimately face operational and remediation costs, financial penalties, reputational damage and lost business.

 

That's it for this episode of the Sustainalytics podcast. If you'd like more information about data privacy and cybersecurity threats companies are facing around the world, and how your company can better manage these risks, head over to the resource center at www.sustainalytics.com and read our e-book Data Privacy, Cybersecurity and ESG: Managing Risks in a Changing Business Environment. We'll put the link in the show notes. Alternatively, you can check out the full report, The Impact of Cyberattacks on Stock Prices authored by Melissa Hudson and Liam Zerter.

 

Or watch their in-depth webinar Cyber Attacks, Corporate Exposure and Material ESG Risk. If you have any questions, or suggestions for topics you'd like to learn more about, email us at [email protected]. Thanks again to Melissa and Liam for providing their insight. And thank you for listening.

 

References

1. CyberMed Summit. “Cyberattack Preparedness and Hospital Readiness Across American Healthcare.” YouTube Video, 22:37. February 6, 2022. https://www.youtube.com/watch?v=0gfSxfHSzzI