Cybercrime has become an increasingly harmful threat to businesses over the past few decades, and the frequency and scale of attacks rose significantly during the pandemic. But many people think only of the technological disruption or economic cost a cyberattack could cause their investments, failing to appreciate the wider ESG implications.
From an ESG perspective, the social dimension of cybercrime is becoming ever more evident; never more so than when cyberattacks are weaponised and used as a tactic of warfare.
In the run-up to Russia’s invasion of Ukraine, security teams were already reporting an increase in cyber probes, while the US Cybersecurity and Infrastructure Security Agency and the European Central Bank both issued warnings of expected attacks.
Then, in the first two weeks of March, unrelated cybercrime was said to have risen significantly, as other hackers took advantage of attention being squarely on the threat from Russia.
George Kurtz, CEO of CrowdStrike, one of the biggest cybersecurity firms in the US, reported on CNBC that “e-crime actors” were looking at the Russia-Ukraine conflict “as a distraction and ramping up their activities, stealing more money as the days go on”. But while high alert was triggered by concerns of retaliatory hacks from Russia following the West’s condemnation of its actions and the imposition of sanctions, cyberattacks were already of major concern at the start of 2022.
Cyberattacks top companies’ list of fears
According to the latest Allianz Risk Barometer, issued in January, the threat of ransomware attacks, data breaches or major IT outages trumped any other business concern, including supply chain disruption, natural disasters and the Covid-19 pandemic.
In total, 44% of respondents to the Allianz Risk Barometer cited cyberattacks as their primary concern for 2022 – only the second year the threat has topped the table in the 11 years the survey has been running. Yet in some ways this is hardly surprising, given businesses were reported to have suffered 50% more cyberattack attempts in 2021, with attempts reaching an all-time high in the fourth quarter of the year.[2]
At their most basic level, cyberattacks are seen as technological and reputational concerns. When a company suffers a breach, its share price often dips significantly, and can take time to recover. Research from the Harvard Business Review cites the example of Capital One, which publicly reported a hack in July 2019: “The company’s stock price dropped nearly 6% immediately in after-hours trading, losing a total of 13.89% over two weeks.”
Another high-profile attack on Equifax in September 2017 had even longer-term consequences, according to the research: “The company saw a similar negative reaction from the stock market with its stock price plunging from $142.72 to $92.98 in just one week. What is worse, its market share dropped significantly in 2017 and has struggled to recover ever since.”
The relevance of ESG to cybercrime
Besides the commercial impact, however, investors interested in applying an ESG lens to their investments increasingly consider cybercrime a social risk. This is partly due to regulation. The introduction of the General Data Protection Regulation in Europe in 2018, and the passing of the California Consumer Privacy Act in the same year, showed the direction of travel regarding the protection of personal information for both clients and employees. The potential for financial losses if businesses do not pay sufficient attention to security is very real, while disruption of core services can also impact society.
The malicious targeting of Vodafone Portugal in February this year is one such example. While no “confidential customer data was compromised”, according to the firm, the impact was felt by individuals, businesses and public services such as hospitals and fire departments. This was due to the breadth of coverage Vodafone Portugal provides in the country, along both fixed and mobile lines, with no backup available for some essential services.
Big investors in cybersecurity
While there is no way to mitigate the threat of cyberattacks completely, companies hoping to get on the front foot against these criminals are ploughing more and more capital into the area. Global spending on cybersecurity is forecast to skyrocket between 2021 and 2025, reaching $1.75trn, compared to just $3.5m in 2004.
Unsurprisingly, big tech firms are leading the charge. Microsoft has declared it is quadrupling its cybersecurity investment to $20bn over the next five years, while Alphabet (Google) is adding an additional $10bn to its spending over the same time period.
Why the ESG view matters
From an ESG perspective, pointed analysis is key in helping investors assess a company’s ability to handle the risks. From the customer point of view, a data breach will hinder trust, while on the governance side, it is likely to require considerable investment from top-level management to restore said trust and reinforce security.
As the influence of ESG investing grows, assessing cybersecurity as a component of social and governance analysis should encourage further investment from companies looking to attract investors’ capital.
Perhaps more significantly, those businesses that do not pay sufficient heed to the threat, and subsequently score poorly in this area, are likely to see greater reticence from global investors, which could have a marked impact on their plans for growth in the future.