The World Economic Forum published its Global Risks Report for 2024 and cyber-attack was ranked the fifth “most likely to present a material crisis on a global scale in 2024”. For private sector stakeholders and governments, it ranked third.
The cost of cyber-attacks is rising. The global cost of cybercrime damage is expected to hit $10.5trn annually by 2025, up from $3trn in 2015. Lloyd’s of London estimate that a major global cyber-attack has the potential to trigger $53bn of economic losses, equivalent to a natural disaster the scale of superstorm Sandy.
The frequency is also increasing. Research by Check Point, a major US cybersecurity company, showed that ransomware attacks reached an all-time high in 2023 with 10% of organisations worldwide targeted, a 33% increase on 2022.
It’s clear that companies need to be considering cybersecurity as part of their ESG procedures. Intangible value, including digital assets like software and customer data, now represents 90% of the asset value of organisations. That demonstrates that cyber-attacks present a material threat to the value of a company.
But should we go further and consider it as part of impact?
Cybersecurity and the environment
We define impact here as products or services providing solutions to key sustainability challenges. To qualify, we would need to establish that cybersecurity is addressing an aspect of sustainability.
Looking first at the UN Sustainable Development Goals, there isn’t a goal that deals explicitly with cybersecurity. However, considering some of the definitions there are reasons to believe that cybersecurity could be a contributing factor to achieving a number of goals:
Goal 6: ensure availability and sustainable management of water and sanitation for all.
Goal 7: ensure access to affordable, reliable, sustainable and modern energy for all.
Goal 9: build resilient infrastructure, promote inclusive and sustainable industrialisation and foster innovation.
Goal 11: make cities and human settlements inclusive, safe, resilient and sustainable.
The increasing use of digital and connectivity tools in each of these areas creates significant cybersecurity risks. There are numerous examples of energy infrastructure being targeted. Hackers have also targeted water treatment facilities in the US and Australia.
The energy transition relies heavily on digital technologies and interconnectedness. Modernisation of the grid is critical for managing the increasing contribution of renewable energy and greater electrification. Attackers are increasingly targeting these operational technologies and in 2021 a survey of cybersecurity experts identified the energy sector as the most likely to suffer attacks on control systems.
In his recent cybersecurity strategy paper, US President Biden included a specific objective, “secure our clean energy future”. This feels like a clear demonstration of the importance of the issue to sustainability outcomes.
Cybersecurity and health
Digital technologies also increase vulnerability in other areas of sustainability, such as health. In 2017, the US Food and Drug Administration recalled 500,000 pacemakers due to the risk of hackers altering the patient’s heartbeat. In 2020 a hospital in Germany was forced to close its emergency department after a ransomware attack.
The attacks are growing in scale. In February this year, a division of UnitedHealth Group in the US was the subject of a cyber-attack that left healthcare providers unable to fill prescriptions or get reimbursement for insurers. A survey by the America Hospital Association found that 95% of hospitals experienced disruptions from the attack and 74% reported impacts to direct patient care.
Technology adoption in healthcare is increasing rapidly, whether through wearable devices, hospital equipment or patient data records. That data is being used more widely too. Artificial Intelligence (AI) is a growing topic within healthcare, and high-profile artificial intelligence (AI) companies like Nvidia are investing significant amounts in the industry.
Cybersecurity and AI
The relationship between AI and sustainability is complex. What is clear is that AI is likely to increase the volume and heighten the impact of cyber-attacks. One emerging area is the spread of disinformation, which creates risks to elections and social cohesion.
Elections are vulnerable to a range of technological threats, including hacking, data breaches and more sophisticated forms of manipulation such as deepfakes and AI-generated disinformation.
There will be over 40 national elections this year covering over 50% of global GDP, including the US and UK. In the US the government’s cybersecurity agency has published a Cybersecurity Toolkit to Protect Elections. One of the recommendations is the implementation of advanced technologies to detect and mitigate potential threats.
Cybersecurity and impact
We think there is a case for categorising cybersecurity as a sustainability challenge and the cost of ignoring the challenge is increasing, affecting more companies and more individuals every year.
So what are the solutions? By looking at cybersecurity providers through the lens of our impact engine analytical framework, we are focusing on two areas where we think companies can have positive impact.
First are companies providing products or services that have a differentiated outcome relative to the existing standards. Second are companies focused specifically on protecting the safety of individuals, for example through identity management software, widening the definition in our existing Safety theme beyond physical safety.
The world was slow to identify and act on existing environmental and social challenges. The consequences of that are now being felt. We hope cybersecurity will be different. And we think that impact investors have a role to play in opening up the conversation on cybersecurity and starting to look more closely at solutions.
