Cyberattacks are becoming more frequent and more damaging. To prevent negative ESG impact and credit deterioration from such attacks, companies need to keep up with rapid technological developments.
Industry-level considerations can indicate which sectors are most at risk of cyberattacks. But company-level analysis is crucial, and that’s more nuanced work. Best practice for companies includes thorough cyber-hygiene, strong governance, and board-level expertise.
With the right analysis, investors can gauge which firms apply basic, better, or best practice. Such an assessment can put cybersecurity on the corporate agenda and protect clients’ assets.
An Ever More Connected World Is Increasingly Vulnerable to Cyberattacks
Digitalization, cloud computing, artificial intelligence (AI), and billions of connected devices are increasingly leaving companies vulnerable to cybercrime.
In 2019, the Internet of Things consisted of 8.6 billion connected devices worldwide, versus almost none a decade earlier. In the four years since 2019, that number has almost doubled, to 15.14 billion, nearly twice the global population. And the number of IoT-connected devices is expected to almost double again, to 29.4 billion, by 2030 (see Figure 1).1
Figure 1: Number of Internet-connected devices worldwide (billions)
The rising volume of connected devices has led to an exponential surge in cybercrime, but preparedness remains low. In a 2022 IBM survey, 83% of companies had experienced more than one cyberattack in the past year.2 However, a 2020 survey by McAfee and CSIS showed that only 44% of respondents had plans in place to prevent and respond to IT security incidents.3
Most Cyberattacks Are Financially Material
Not all companies understand how quickly cybercrime is growing. And many firms underappreciate the strategic risk it presents, or the strategic opportunities that strong cybersecurity may bring, e.g., as a competitive advantage.
This lack of understanding of, and investment in, cybersecurity can be financially material. In our view, cybersecurity considerations are important in analyzing both ESG risk and ESG impact. (See Figure 3 below and the ESG Investing page at PGIM Fixed Income.)
Well-known financial implications of cyber-incidents include direct costs such as breach response, litigation, regulatory compliance, and cybersecurity improvements. But in most cases, the financial impact of a data breach ranges much wider. It can include operational disruption, devaluation of trade name, loss of customers, credit deterioration, and, ultimately, increased capital markets costs.
These wider impacts are often less public, less quantifiable, and longer-term. But they often make up a large, and sometimes the largest, part of the total losses incurred.
For example, multinational consumer credit agency Equifax was subject to a data breach in 2017, which compromised the private records of more than 160 million users. Prior to the breach, the company issued 10-year U.S.-dollar-denominated debt at 150 basis points (bps) over U.S. Treasury yields. In 2019, credit rating agency S&P downgraded Equifax's rating from BBB+ to BBB, stating "we expect Equifax's leverage will remain elevated over the next 18 months, kept aloft by substantial investments in network, data, and application security architecture; in modernizing technology and business platforms; in new product development; and in remedying the reputational damage from the breach."4 In 2020, the company issued 10-year U.S.-dollar debt at 250 bps over U.S. Treasuries.
Good Governance Includes Strong Cybersecurity
From an ESG impact perspective, companies have a responsibility to maintain strong cybersecurity. Not only is sensitive customer data at risk, but a compromised IT system can also endanger critical equipment. Both threats can cause significant social and environmental damage, including the exposure of sensitive personal data, identity theft, catastrophic spills, shutdowns of critical infrastructure, and manipulation of social media.
The NotPetya ransomware attack in 2017 was one of the largest cyberattacks in history. It shut down Ukraine’s electrical grid and resulted in financial losses estimated at $10 billion.
Even smaller cyber incidents, however, can bring about severe consequences. In February 2021, a hacker gained access to a water treatment plant in Florida. In a matter of minutes, the hacker increased the level of sodium hydroxide 100 times. This attack could have poisoned the local population, had the plant’s operator not detected and immediately remedied it.
Other cyberattacks have proved fatal. A 2020 ransomware attack forced a hospital in Germany to close its emergency department. A patient due to undergo treatment was rerouted to another hospital but died en route, the first death directly attributed to ransomware. A 2021 study by Californian cybersecurity firm Proofpoint and the Ponemon Institute in Michigan surveyed more than 600 healthcare facilities. Their study found that ransomware attacks increased mortality rates at a quarter of the facilities surveyed.5
Which Industries Are Most Vulnerable?
Today, all companies are inevitably exposed to cyber risk. But the extent of that risk depends on several circumstances. In our view, sector characteristics and cyber-preparedness are key investor considerations.
Industries such as manufacturing, finance and insurance, as well as professional, business, and consumer services, are the most heavily targeted, according to IBM.6 Manufacturing firms have a low tolerance for disruption, especially given the supply chain pressures that followed the pandemic. In financial firms, compromised systems can put world trade on hold, and the industry holds sensitive information on its clients. Professional, business, and consumer services firms hold sensitive personal data as well. All three sectors are targets because they have the capacity to comply with financial demands.
Figure 2: Share of cyberattacks by industry (Source: IBM X-Force Threat Intelligence Index 2023)
In other published data, government, financial, business, and professional companies, and the healthcare sector feature as the most targeted industries. Where the motivation is ransom, manufacturing and retail/wholesale also feature prominently.
All in all, a hacker’s perspective is arguably influenced by:
- the impact that a cyberattack can have in terms of business disruption, both internal and external to the company targeted. For example, critical infrastructure—including manufacturing, utilities, healthcare, and banks—is highly attractive. Companies in these industries generally don’t tolerate downtime, because it is costly and because any disruption can severely impact stakeholders;
- the extent and sensitivity of data that the company holds. Sensitive information can be wide-ranging, from corporate to personal data. Industries where sensitive personal information is particularly prevalent include government agencies, financial firms, and healthcare institutions; and/or
- a company’s ability to comply with financial demands in a ransomware attack.
The 2021 ransomware attack on Colonial Pipeline, a major U.S. fuel pipeline operator, is a good example of an attack on critical infrastructure that had major impacts outside the company. Hackers entered Colonial’s IT systems, infected them with ransomware, and stole data. To prevent the ransomware from spreading, Colonial shut down its pipeline for days. The pipeline carried 45% of the gas, diesel, and jet fuel supplied to the U.S. East Coast, so its shutdown led to widespread fuel shortages and prompted an "All-of-Government" response.7
The 2017 Equifax hack mentioned earlier is a good example of a cyberattack that exposed sensitive personal information. More recently, in 2021, mobile telecoms operator T-Mobile suffered a cyberattack that compromised the personal information of roughly 76 million people. According to the class action lawsuit that followed, the compromised information included combinations of consumers' names, addresses, phone numbers, dates of birth, Social Security or tax identification numbers, other government ID numbers, account information, mobile phone identifier numbers, PINs, and personal unlock codes.8
T-Mobile settled with the claimants for $350 million and committed to invest $150 million in data security and cybersecurity technology. But in November 2022, the company suffered another cyberattack involving data theft, including addresses, phone numbers, and dates of birth of 37 million customers.
How Can Investors Assess An Individual Company’s Cyber-Preparedness?
Industry characteristics are a good first step to assess how attractive a company is to hackers. But the more nuanced, and more important, part of that assessment is looking at individual companies themselves. That assessment can be difficult, given companies’ sensitivities around disclosing information on cyber-precautions.
Gaining an understanding of a company’s cyber-preparedness by analyzing the information the company itself provides is a good starting point. An assessment of cyber-preparedness should cover not only which security software has been installed, but also governance, the management of cyber risk, the organizational structure around cybersecurity, incident response, and processes for defense and containment. Figure 3 shows how we think about cybersecurity at the issuer level.
Figure 3: Evaluating a bond issuer's cybersecurity (Source: PGIM Fixed Income)
Engaging with companies on the topic is likely to give investors an even better view of what management knows and how involved it is. Can managers elaborate on cybersecurity and what it means for their company? Are reporting lines and incident plans in place? How many incidents has the company had historically, how were past incidents handled, and what did the company learn from the experience?
All these and more questions to management can offer a more nuanced understanding of a company’s preparedness.
For information on PGIM Fixed Income's general approach to ESG Engagements, visit the ESG Engagement page.
Cybersecurity is ever evolving, so companies and investors are wise to keep a constant eye on new developments.
Customers have increased their focus on privacy and data security, and regulators are taking notice. On 26 July 2023 the U.S. Securities and Exchange Commission (SEC) announced new rules that will come into force in December 2023. These rules require publicly listed firms to disclose serious incidents within four days and to annually disclose material information regarding their cyber risk management, strategy, and governance.9 Across the pond, the EU is strengthening its EU Cybersecurity Act.
In Ireland, Meta was fined €1.2 billion in May 2023 for transferring user data between Europe and the U.S. No actual breach occurred, but Ireland’s Data Protection Commission considered that Meta had violated the EU’s General Data Protection Regulation (GDPR). In the U.S., attention to consumer privacy has increased as well. In July 2023, the Biden administration announced a cybersecurity labeling program for smart devices to protect American consumers.10
Cyber insurance is another sector that continues to evolve. The cost of cyber insurance has doubled, on average, in each of the past three years. And some insurance companies no longer provide cover against state-backed cyberattacks.11 Such exclusions are likely to worry all industries, particularly utilities and banks, which are prime targets.
Finally, AI and quantum computing are likely to dramatically change cybersecurity. Both can strengthen cybersecurity through more robust encryption algorithms, but attackers are also likely to use them. AI cybercrime tools already enhance and automate phishing attacks and generate malicious code. Quantum computing would have the capacity to nullify much of today’s encryption technology and compromise the data it protects. Indeed, cybercriminals are already harvesting encrypted data that they currently cannot read, waiting to get their hands on quantum computing to decrypt it.
In a rapidly expanding digital world, cyberattacks are becoming more frequent and more harmful. Their implications, in terms of ESG impact and credit quality, can be significant and material: cyberattacks can result in acute, short-term financial costs as well as long-term impacts on companies and their stakeholders.
For the above reasons, companies need to stay abreast of rapid technological developments. Best practice includes thorough cyber-hygiene, strong governance, and board-level expertise. With the right analysis, investors like us can help protect clients’ assets and put cybersecurity on the corporate agenda. That goal should form part of every investor’s credit and ESG assessment.
Want to learn more about this topic? Tune in to Fixed on ESG Podcast for an episode on Cyber-savviness with Birgit Lundem Jakobsen, Senior ESG Analyst featuring special guest, Limor Kessem, Principal Consultant with IBM X-Force Cyber Crisis Management.
1 Transforma Insights. "Number of Internet of Things (IoT) connected devices worldwide from 2019 to 2023, with forecasts from 2022 to 2030." July 2023.
2 "Cost of a Data Breach Report 2023." IBM.
3 Gann, Tom. "The Hidden Costs of Cybercrime on Government." McAfee, December 21, 2020.
4 "Equifax Inc. Downgraded To ‘BBB’ On Rising Leverage." S&P Global Ratings, March 15, 2020.
5 Miller, Maggie. "The mounting death toll of hospital cyberattacks." Politico, December 28, 2022.
6 "X-Force Threat Intelligence Index 2023." IBM Security. The report provides essential findings based on threat data and responses to incidents with which IBM has been involved.
7 "FACT SHEET: The Biden-Harris Administration Has Launched an All-of-Government Effort to Address Colonial Pipeline Incident." The White House, May 11, 2021.
8 "T-Mobile Shares Updated Information Regarding Ongoing Investigation into Cyberattack." T-Mobile, August 17, 2021.
9 "SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance and Incident Disclosure by Public Companies." U.S. Securities and Exchange Commission, July 26, 2023.
10 "Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers." The White House, July 18, 2023.
11 Patten, Sally. "Cyber insurance premiums soar 80pc as claims surge." Financial Review, September 12, 2022.