Digitalisation of energy through technologies such as the internet of things has led to a surge in incidence of data fraud and cyber-attacks. ESG and cyber-risk experts Troy Mortimer and Hani Banayoti explain how responsible investors can reduce their exposure
There is a reason that cyber-attacks, data fraud and data theft have been repeatedly flagged by the World Economic Forum's Global Risk Outlook as a key risk. The recent cyber-attack on Elexon, which administers the balancing and settlement arrangements for the UK electricity market, and last month's news of Portuguese energy company EDP being held to ransom for €10m, are stark reminders of an emerging material risk for renewable/ESG investors.
Whilst it is important to keep our ESG hat on, we also need to view ESG investment opportunities through a risk lens. The increasing focus on cyber-related risks stems from the interconnectedness of new enabling technologies such as smart meters, renewable energy generation and battery storage solutions. The Energy Futures Lab at Imperial College recently released a report on the digitalisation of energy for the UK, which highlighted both the benefits of innovation (AI, IoT, blockchain) and the need for flexibility in energy regulation.
At the same time, the data and communications interconnectedness that comes from linking new energy sources to the grid (eg homes, wind and solar generation) and from linking grids to one another (eg the UK to mainland Europe) will expose us to cyber risks that were not commonplace in the old energy ecosystem.
Ransomware attacks that paralyse businesses and extort them have escalated rapidly over the last few years, and more so during Covid-19, as companies have shifted to remote working and changed their standard operating procedures, leaving softer underbellies in their security defences.
Researching the cyber underworld is a scary experience. The level of sophistication among organised cybercrime groups is flabbergasting. Under the ransomware-as-a-service model, malware and exploit "developers" work with larger groups of "affiliates", who are measured on their effectiveness at attacking a minimum number of targets (corporations and individuals) every month with the aim of extracting as much money from them as possible. Affiliates who meet their ransom KPIs share the proceeds with the developers; those who miss their quota are kicked out and replaced by other eager affiliates waiting to take their place.
The question becomes: to what extent does ESG due diligence cover a particular asset's propensity to be exposed to such risks? Fortunately, there are actions you can take to mitigate your exposure to cyber risk as you assess the ESG criteria of your investment pipeline and portfolio:
Review the scope of your ESG/responsible investment due diligence procedures to ensure they assess the target asset's propensity to cyber risk and its revenue exposure to downtime. For example, the average daily loss from downtime of a 500MW wind farm can easily reach £360,000;
Ensure the companies you are invested in regularly test the efficacy of their cybersecurity and operational resilience plans. Operational resilience is becoming an important item on the UK regulatory agenda, and it is crucial to form a view on the adequacy of the basic strategy for factoring cybersecurity measures into a given project or entity. Typically, the earlier security is integrated into the project lifecycle, such as at the design stage (currently quite rare), the more assurance is attainable;
Ensure the ESG rating agencies you rely on weight cyber risk to a level that matches your appetite to accept this risk. ESG rating agencies focus heavily on publicly available information, which means cyber risks are often reported only as controversies, after the fact. This can leave an investor exposed to an asset that is now having to manage a cyber incident rather than prevent one;
Challenge investee companies on how they would handle a cyber incident that causes significant disruption. Existing organisational management structures are not always the right ones for handling a cyber incident or ransom situation. Ensure companies have cyber incident response plans drawn up and rehearsed against realistic scenarios on a regular basis;
Challenge your own organisation, as an asset owner or asset manager, on your level of exposure and your preparedness to fend off a cyber incident. Assess whether you can rely entirely on your internal capabilities to handle a cyber incident or will need to involve external third-party experts;
Assess the potential impacts and take action. Consider the effect on your ability to trade if you cannot access position data, the unauthorised release of confidential information, and how each could affect your operations and reputation. Once you understand the impacts, ensure that plans are in place to mitigate the risks where possible.
Our role as responsible investors includes an obligation to understand and manage risks as best we can. Whilst some risks cannot be eliminated from an invested portfolio, understanding the risk profile will help you assess whether the return is worth it. I am a firm believer in green technologies, but as is often quoted amongst due diligence professionals: trust, but verify.
Troy Mortimer is a sustainability and responsible investment professional with over 20 years of experience assisting companies and participants in the asset management industry to enhance their governance, risk and responsible investment practices.
Hani Banayoti is director and CEO of Cybersolace, a UK cybersecurity firm specialising in prevention and management of cyber-attacks and ransom situations. He has worked with both the private and public sectors throughout his 15-year career within IT and cybersecurity.