Cybersecurity: A Growing Risk
The threat of Russian cyberattacks highlights vulnerabilities across industries.
Long before Russia's invasion of Ukraine, cybersecurity attacks have posed a serious threat to private industry from a growing roster of state actors, sub-state actors, and criminal enterprises, including Russia. Cyberattacks encompass not only data breaches but damaging strikes on physical, virtual, and cloud-based systems and applications. Now, the severe economic sanctions against Russia to force an end to its warfare in Ukraine have escalated concerns about retaliatory Russian cyberattacks on governments, central banks, and businesses.
At Fidelity, we believe cybersecurity is a fundamental consideration and material to all industries and sectors, and is a key component of the firm's proprietary sustainability research and environmental, social, and governance (ESG) ratings.
The geopolitics of cybersecurity
Cyberspace has emerged as the newest domain of international competition and conflict, where countries strive to secure advantage for themselves over their adversaries, then bend it to fulfillment of national objectives. Today, the roster of the world's major state cyber actors includes the United States, the UK, China, and Russia, as well as potentially surprising players such as Iran, North Korea, Pakistan, Romania, Ukraine, and Belarus.
Criminal groups and sub-state actors have also been drawn to cyberspace. This is the reality of a world where international codes of conduct are undefined and the barriers to entry and competition are very low. A lack of meaningful barriers has only accelerated this development as both criminal and sub-state actors have moved to capitalize on an absence of internationally accepted laws, agreements, or protocols governing cyberspace.
One significant development has been the blurring of lines that separate state-actor cyber operations and those of criminal groups. The number of incidents where state actors have provided targeting information to criminal cyber groups, facilitated their access to targets, and shared in the illicit gains has increased sharply. The enduring difficulty in establishing responsibility for cyberattacks is only encouraging this phenomenon.
In one recent case, Russia denied any involvement with the cyberattack on a US oil pipeline by a Russia-linked cybercrime group known as DarkSide. The attack shut down the pipeline which led to severe gas shortages along the eastern seaboard, and disrupted fuel supplies after the hackers stole a single password. The company paid the hackers a ransom, in a case that underscored the considerable vulnerability of US businesses, transportation networks, and industries.
Possible Russian response to sanctions
Russia over the years has built formidable offensive cyber capabilities, embedded in the security services of the Russian federation as well as in criminal hacking groups. We have seen repeated examples of significant overlap between these 2 groups, with both sides dividing the profits of the attacks.
Now, Russia's invasion of Ukraine has triggered harsh economic sanctions. Faced with punishment in the billions of dollars, Russia is unlikely to take such severe economic damage without striking back—in a potentially significant response.
For years, Russia has been mapping US public/private cyber infrastructure, part of which may entail "sleeper software" with the ability to fire up upon direction. In addition, Russian hackers are eyeing US satellites that enable GPS tracking. Efforts to damage or disrupt US GPS capabilities could have a significant effect on planes, trucks, and shipping traffic worldwide; it could hurt not only transportation but manufacturing and commodity production.
Weak cybersecurity can hurt fundamentals
Proper corporate vigilance is key to cybersafety. Companies should take a thoughtful and systematic approach to preventing cyberattack, across its infrastructure and the people who use it. Such measures must include investment in technology, but also deployment and management of that technology.
Companies should also take care to ensure good "cyberhygiene" to ensure their infrastructure is protected and that their employees and customers are educated and aware of the threats. The human element is often one of the most comment points of failure for cyberattacks.
Even a breach that may seem minor, such as the theft of inadvertently exposed, nonpersonal consumer data in the cloud, could lead to negative headlines and reputational risk. For example, one multinational tech company was hit with a malware attack that resulted in leaked content, and therefore lost revenue, and prompted embarrassing executive emails.
Hackers who target intellectual property can also damage a company's competitive advantage. In one recent case, US Justice Department indicted China sub-state hackers for trying to steal intellectual property related to the COVID vaccine. (1) The indictments followed another claim by the US and its allies that Russian hackers were trying to steal information on vaccine development. (2) In another recent case, hackers from North Korea accessed confidential data and unreleased movies from a US film studio. The hackers later issued a warning about possible movie theater terror attacks, all of which impacted revenue.
Cybersecurity is also relevant to capital allocation: Mergers and acquisitions can translate into security risk because as companies are acquired they can be prone to introducing vulnerabilities to their networks.
Why cybersecurity is material to all industries
At Fidelity, we view cybersecurity as a material consideration across its proprietary environmental, social, and governance (ESG) research and ratings.
For example, within the "E," cyberthreats are relevant to drinking water and wastewater systems that are infrastructure-intensive; in the "S," lax supply-chain management can hurt data security; and in the "G," cyberattacks can disrupt business operations, hurt share prices, and threaten management. We have found that cybersecurity is impacting every industry, in part due to accelerated trends in digitization and use of the cloud.
Utilities and energy companies have traditionally emphasized physical security of their assets over cybersecurity, but we expect the trend to shift for a number of reasons. First, critical infrastructure has increasingly been a target for cyber and ransomware attacks. Second, the increased connection of smart devices, coupled with legacy infrastructure that was not built to be connected to the internet, elevates potential vulnerabilities. Third, the Biden administration and Department of Energy recently issued a "100-Day Plan for Cybersecurity" for the electric power sector to identify and deploy new technology to identify and prevent such attacks. (3)
Next steps for cybersecurity
We have seen some positive signals recently that may indicate a greater focus on cybersecurity. For example, Microsoft recently identified malware in Ukraine that was targeting government ministries and financial institutions. (4) Microsoft was able to disable the malware before it caused any damage. In addition, the US Securities and Exchange Commission recently announced a proposed rule that publicly traded companies would be required to disclose data breaches and other significant cybersecurity incidents within 4 days. (5)
1. NPR, July 21, 2020. "DOJ Charges 2 Suspected Chinese Hackers Who Allegedly Targeted COVID-19 Research." https://www.npr.org/2020/07/21/893832580/doj-charges-2-suspected- chinese-hackers-who-allegedly-targeted-covid-19-research
2. NPR, July 16, 2020. "US Says Russian Hackers Are Trying to Steal Coronavirus Vaccine Research." https://www.npr.org/sections/coronavirus-live-updates/2020/07/16/891834251/u-s-says-russian-hackers-are-trying-to-steal-covid-19-vaccine- research
3. Department of Energy, "Biden Administration Takes Bold Action to Protect Electricity Operations from Increasing cyber Threats," April 20, 2021. https://www.energy.gov/articles/biden-administration-takes-bold-action-protect-electricity-operations-increasing-cyber-0
4. CNBC, Feb. 28, 2022. "Microsoft said it informed the Ukrainian Government of Cyberattacks." https://www.cnbc.com/2022/02/28/microsoft-says-it-informed-the-ukrainian-government-about- cyberattacks.html
5. Wall Street Journal, March 9, 2022. "SEC Proposes Requiring Firms to Report Cyber Attacks within Four days." https://www.wsj.com/ articles/sec-considers-rule-requiring-firms-to-report-cyber-attacks-within-four-days-11646838001