This article was co-authored with our colleague Troy Mortimer (a specialist in responsible investment) in May 2020 in an effort to outline the interrelationship between two different but somewhat converging disciplines – ESG and cybersecurity. An abridged version of the article was also published in the Ethical Corporation publication.
There is a reason that cyber-attacks, data fraud and theft have been repeatedly flagged by the World Economic Forum’s Global Risks Report as a key risk.
Last week’s cyber-attack on Elexon, which sits between energy generation and the transmission/distribution networks in the UK, and last month’s news of a Portuguese wind farm held to ransom for €10m are stark reminders of an emerging material risk for renewable/ESG investors. Whilst WBCSD’s latest publications and renewable energy’s growth prospects remind us of the compelling returns of an ESG portfolio, these incidents in the energy space remind us that ESG done poorly can also lead to severe impacts and unintended consequences.
Balancing ESG risks with opportunity
Whilst Troy is firmly committed to and proud of the ‘ESG’ hat he wears, he can’t help but also put on his ‘Risk’ hat to be reminded of the importance of ensuring that robust risk identification, assessment and management processes are in place when assessing renewable infrastructure and broader ESG opportunities in real, listed or unlisted assets. Focus on cyber-related risks stemming from the interconnectedness of new enabling technologies and digitalisation initiatives has heightened. Examples of such enabling technologies include smart meters and renewable energy generation sources such as wind farms, solar, tidal and battery storage solutions, all of which are underpinned by some form of Industrial Internet of Things remote sensing and control system. We need to embrace innovation in the energy and broader landscape whilst managing the emerging risks that come along with it. The Energy Futures Lab at Imperial College recently released an interesting report on the digitalisation of energy for the UK, which highlighted the benefits for energy from innovation (e.g. AI, IoT, blockchain) and the need for flexibility in regulation. At the same time, the data and communications interconnectedness stemming from linking to new energy sources (e.g. homes to grid, wind/solar to grid) and linking between grids (e.g. UK to mainland Europe) will expose us to cyber risks which weren’t commonplace in the old energy ecosystem.
The underworld of ransomware
Cyber ransomware attacks on businesses of all sizes and sectors have been escalating rapidly over the last few years, with critical business assets and functions paralysed and held to extortion. Organisations have witnessed an even bigger spike in ransomware attacks during this Covid-19 period as companies resort to more remote working patterns and changes to their standard operating procedures, which have left softer underbellies in their security defences. Researching this underworld, I am awestruck at the level of sophistication that exists amongst organised cybercrime groups: there are the malware/exploit “developers” (often only a handful) who then work with a much larger group of “affiliates” who are measured on their ability and effectiveness in attacking a minimum number of targets (i.e. corporations and individuals) every month with the aim of extracting as much money from them as possible. Those successful at meeting their ransom KPIs share a 70/30 or 60/40 split with the developers, and they continue until a new “product”, i.e. the next exploit, is ready to be launched. Affiliates that do not meet their quota are kicked out and replaced with other voraciously eager affiliates who take their place.
If this seems surreal, it is! Yet this is not news. Check out a thought-provoking presentation from Black Hat in 2017, which sets out in detail how a cybercrime group might ransom a wind farm.
What can an asset owner / asset manager do?
The question becomes: to what extent does your ESG due diligence cover a particular asset’s propensity to be exposed to such risks during the design, build, operate and maintain phases? Of course, this is not just about real assets or an attack on renewables (although we need to be mindful that the growing dependency on renewables will ultimately open a new level of exposure and potential for cross-national attacks on companies and nations as a result). Just a few days ago we saw cyber criminals hit Norfund (Norway’s state-owned private equity fund) for $10M and the outsourcing and defence contractor giant Interserve, from which 100,000 personnel records were stolen. In other recent examples, cyber criminals have compromised hotel chains, the large aluminium manufacturer Norsk Hydro, and international IT outsourcing giants such as Cognizant and Wipro, amongst numerous others across the globe.
So, as a responsible investor, ESG analyst, Chief Investment Officer or Chief Risk Officer, what can YOU do?
1. Review the scope of your ESG/responsible investment due diligence procedures to ensure they include procedures to assess the propensity of the target asset to cyber risks. Any investment that relies on communicating data to a central / alternate source is at risk! Imagine:
- wind farm turbines stop turning when atmospheric conditions are optimal. The average daily loss from downtime of a 500MW wind farm is estimated at £360,000;
- an impact investment project is hit when payments to a marginalised farming community are redirected; or
- the reputational risk associated with your customers becoming unknowingly exposed to cyber risk by installing solar panels and connecting into the grid.
2. Ensure the companies you are invested in regularly test the efficacy of their cybersecurity and operational resilience plans. Here in the UK, operational resilience is becoming an important regulatory agenda item, with the FCA stepping up its consultation on future operational resilience. Equally, it is crucial to form a view on the adequacy of the basic strategy adopted for factoring cybersecurity measures into a given project or entity. Typically, the more security is integrated in the design stages (currently quite rare), the more assurance is attainable. The more it is pushed to later stages of the lifecycle, the less assurance one can assume and the greater the degree of technical cybersecurity debt that will be inherent.
3. Ensure your ESG rating agencies include cyber risks to a level that matches your appetite to accept this risk. ESG rating agencies focus heavily on publicly available information. This means that cyber risks are often reported only as controversies after the fact, which can leave an investor exposed to an asset that is now having to manage a cyber incident rather than prevent it.
4. Challenge investee companies on how they would handle a cyber incident that may cause significant disruption. Existing organisational management structures are not always the right ones when it comes to handling a cyber incident / ransom situation. Have cyber incident response plans been drawn up and rehearsed through realistic scenario setting on a regular basis? Who should be in the war room calling the shots if a disruption occurs?
5. Challenge your own organisation as an asset owner/asset manager as to your level of exposure and preparedness to fend off a cyber incident. Will you be able to rely entirely on your internal capabilities to handle a cyber incident, or will you need to source external third-party experts? And what would be the optimal blend of internal and external skills needed to shore up a cyber incident response?
6. Assess the potential impacts and take action! How comfortable are you that the organisation could continue to operate if trade or position data was no longer accessible, whether from your order management system or that of your administrator/custodian? What material non-public information (MNPI) could potentially be accessed and used to negotiate against you? Are middle/back office systems and networks holding bank account data, electronic signatory lists, etc. susceptible to unauthorised access and/or misuse? Once you understand the impacts, ensure that plans are in place, whether in your company or your investee companies, to mitigate risks where possible.
Let’s move forward, equipped
Our role as responsible investors includes an obligation to understand and manage risks as best we can. Whilst some risks cannot be completely eliminated from an invested portfolio, we can understand the exposure, assess it, ensure mitigants such as cyber insurance are in place, and seek to continually educate ourselves and challenge the risk-adjusted returns of our portfolios. Understanding the risk profile will help you assess whether the return is worth it. When it comes to green technologies, I am a firm believer that it is, but as is often quoted amongst due diligence professionals: TRUST BUT VERIFY!
——————————
About the authors:
Troy is a Sustainability and Responsible Investment professional with over 20 years of experience assisting companies and participants in the Asset Management industry to enhance their governance, risk and responsible investment practices.
Hani is Director and CEO of Cybersolace, a UK cybersecurity firm specialising in the prevention and management of cyber-attacks and ransom situations. He has worked with both the private and public sectors throughout his 15-year career in IT and cybersecurity.
——————————
Useful Links/References:
https://www.weforum.org/reports/the-global-risks-report-2020
https://cybersolace.co.uk/gb-smart-metering/
https://fca.org.uk/publication/consultation/cp19-32.pdf
http://www.hotelnewsnow.com/Articles/50937/Timeline-The-growing-number-of-hotel-data-breaches
https://www.bankinfosecurity.com/investment-firm-hit-by-bec-scam-a-14287
https://www.insurancejournal.com/news/international/2019/07/24/533763.htm