The Sustainalytics Podcast | Cybersecurity and Data Privacy in Focus: Cyberattacks and ESG


Update: 2023-01-25

Description

Episode Summary
Host:
  • Curtis File, Editorial Manager, ESG and Sustainable Finance


Featuring:
  • Melissa Hudson, Associate Director, Research Products

  • Liam Zerter, Associate Director, Quantitative Research Manager


In this episode of the Sustainalytics Podcast, Curtis explores cybersecurity and data privacy issues, with commentary from Melissa Hudson and Liam Zerter about the real impact of cyberattacks on businesses. You’ll learn about the 2021 United Kronos Group ransomware attack, cybersecurity trends that organizations should monitor, how cyberattacks affect the bottom line, and why companies should invest in developing robust cybersecurity and data privacy policies.


The Current Cybersecurity and Data Privacy Trends Companies Should Monitor

Within the last two years in particular, both the frequency and severity of cyberattacks against businesses have continued to climb. As companies have modernized and expanded their digital infrastructure to remain competitive, they have also increased their vulnerability. High-profile data breaches have led to increased pressure from regulators, consumers, and the insurance industry, who increasingly view such incidents as market failures.


Why Having a Strong Cybersecurity Policy is Important

Perhaps most importantly for a company’s bottom line, Morningstar Sustainalytics’ researchers found that companies that had robust data privacy and cybersecurity policies were able to recover faster from a cyberattack compared to peers with poor or weak policies. Beyond providing a boost to recovery, companies must also invest in their cybersecurity infrastructure in order to keep up with the rapidly changing regulatory landscape. Those that don’t take immediate action will be left behind.


Read Our eBook, Data Privacy, Cybersecurity and ESG: Managing Risks in a Changing Business Environment

Download the ebook to learn about the types of data privacy and cyber threats companies are facing, the potential ESG risks for companies that do not properly address data privacy and security, and how organizations can manage and mitigate data privacy and security risks.


Key Moments

 


  • 00:00 United Kronos Group Ransomware Attack
  • 01:54 Introduction to the Cybersecurity and Data Privacy Landscape
  • 03:35 Five Global Events Driving Cybersecurity and Data Privacy Trends
  • 05:18 Consequences of Under-Investment in Cybersecurity
  • 06:40 The Increasing Frequency and Severity of Cyberattacks
  • 08:00 How Cyberattacks Impact Stock Price
  • 09:45 The Importance of Strong Data Privacy and Cybersecurity Policy
  • 10:34 A Developing Regulatory Landscape
  • 12:09 Looking Forward


Transcript

00:02

Curtis File: In December 2021, a group of cybercriminals sent panic across the United States. United Kronos Group, a payroll and HR software company, was targeted by a ransomware attack. The attack took out its Kronos Private Cloud platform, and this left major retailers and state governments scrambling to pay employees as the holidays approached.


But worse, a number of hospitals were affected.


Kronos was a mission-critical provider of administrative services for hospitals across the United States. From small, remote hospitals to urban medical systems, the attack interrupted services and, in many cases, resulted in delayed health care delivery. So why was this able to happen?



00:46

John Riggi: In response to the pandemic, hospitals rapidly deployed and expanded network-connected and internet-connected technologies to accommodate a surge of COVID patients and a remote administrative workforce. So, what this did is create many more opportunities for bad guys to penetrate our networks. It's what we call an expanded attack surface.1



01:18

CF: That was a clip of John Riggi, Senior Adviser for cybersecurity and risk for the American Hospital Association. At the time of the Kronos attack, he spoke openly to media about his concern for the cybersecurity threats the health care industry is facing. He told NPR:


“As we always do, hospitals and health systems will get it done and care for patients, but under additional stress and burden they don't need right now.”


The incident highlighted the real impact of cybersecurity breaches. When corporations and government systems are attacked, our coworkers, friends and family are the collateral damage.


I'm Curtis File, Editorial Manager with Sustainalytics and your host for today as we look at cyberattacks and what they mean for ESG risk management.


Cybersecurity and data privacy have become hot-button issues, particularly in the last two years. Consumers have become more informed about data privacy issues, demanding companies take accountability for how they process user data. At the same time, there's been a significant increase in the number and severity of cyberattacks against businesses. To better understand the concrete business impact of cyberattacks, Sustainalytics’ experts set out to create a report based on our own research and data, asking, “does a major cybersecurity incident have a meaningful impact on stock price returns?” And it turns out...



02:45

Melissa Hudson: The answer is yes.



02:47

CF: That's Melissa Hudson, Associate Director, Research Products and one of the authors of the report. You'll be hearing more from her today, along with another Sustainalytics expert, Liam Zerter, Associate Director, Quantitative Research Manager. We'll be taking a closer look at the results of the report to get a better understanding of cybersecurity and data privacy. But before we get into the data in numbers, let's take a broader look at cybersecurity as an ESG risk. Melissa Hudson explains.



03:15

MH: If I could sum up what we're seeing, it's that both data and digitization have become a double-edged sword. They are key drivers of value and efficiency, but they also create a significant new target commodity and increased corporate vulnerability. We see five recent global events as key.


First, COVID-19 and the unprecedented disruption and movement to remote work that came with it.


Second, the 2020 SolarWinds attack, a game changer that Microsoft's CEO called the largest and most sophisticated attack the world has ever seen.


Then came the 2021 Colonial Pipeline hack that showed the U.S. public the real-life, real-time impact of a cyberattack on critical infrastructure.


Fourth, the Russian invasion of the Ukraine earlier this year, which led many to fear the possibility of cyber warfare.


Finally, over the course of this time period, we've seen the emergence of ransomware and in particular its productized form known as “ransomware as a service”.


So, on the one side, disruption, sophisticated technologies, supply chains and critical infrastructure attacks are placing an increased focus on how vulnerable our integrated cyber ecosystem has become. While, on the other, ransomware is leveling the playing field in terms of risk. Companies and industries once considered immune are having to deal with business interruption and extortion as ransomware is made available to less sophisticated actors. In short, we're reckoning with a significant realignment in global cybersecurity risk. And the pace of corporate investment in cybersecurity has not kept up.



05:29

CF: That underinvestment in cybersecurity is a critical issue. The frequency of cyberattacks only continues to climb, and so does the severity of losses. As a result, stakeholders are being taken off guard as they're suddenly confronted with significant transition risks. And the public costs of underinvestment in cybersecurity are increasingly being viewed as market failures in much the same way as environmental issues. These costs are driving increased regulation, stronger enforcement, and pressure from the insurance industry.



05:59

MH: Marsh and McLennan see an inflection point in the market comparable to that faced by property insurers 30 years ago following Hurricane Andrew in Florida. Following Andrew, almost a million policyholders lost coverage after their insurance companies went bankrupt. In today's context, we are seeing a cyber-insurance market with increasing premiums, more exclusions, and, in a signal that mirrors our own analysis, coverage availability tightly linked to implementing industry-standard cybersecurity safeguards.



06:40

CF: With regulators and insurers increasingly scrutinizing companies’ cybersecurity practices, Sustainalytics researchers wanted to know: Are cybersecurity incidents really increasing in number and severity? Do cyberattacks impact share price? And if so, how? And do strong privacy and security practices pay off? Let's start with the first question. Liam Zerter has the answers.



07:03

Liam Zerter: Let's take a look at the data privacy and security incidents that Sustainalytics tracks. If we take a look at 2013, moving to 2021, data privacy and security has been growing at a cumulative aggregate growth rate of 37%. If you compare this to the total incident growth rate, which is influenced by a coverage, that's been growing at 24%.


We have a pretty clear double-digit growth that's occurring. But the more interesting story is when you look down at the risk level from before 2018 and post 2018. So, from 2013 to 2017, those high-ri
