To Be Sustainable, Businesses Need Cybersecurity

Companies must build resilience against ongoing cybersecurity threats.

By Jake Hense
04/24/2025

Key Takeaways

As businesses and the global economy become more interconnected, cybersecurity risks grow, and our reliance on technology at work and home increases.

Addressing these risks is crucial because cyber breaches can be costly. While technology plays a role, low-tech training to spot cyberattacks also helps.

A governance framework that prioritizes cybersecurity improves overall risk management. Insurance policies covering cyberattacks are becoming more common.

When making investment decisions, investors ask themselves, "Is this business sustainable?" At its core, sustainability or resilience refers to a company’s ability to survive and thrive over the long term, given its financial health, the competitive landscape and other factors contributing to its business and the overall economy.

One crucial factor to consider is the significant threat that hacking poses to critical systems and sensitive data. A sustainability analysis should evaluate how well a company is prepared to handle potential cybersecurity threats that could affect its ability to conduct day-to-day business.

Technological advancement is a vital characteristic of a thriving, sustainable economy. While technology improves lives and creates innumerable opportunities, it also opens the door to cybersecurity attacks that could seriously harm an individual business, economy and society. Therefore, we view cybersecurity as a critical component of investing with a sustainability mindset and see the quality of a company’s governance as essential to managing cybersecurity risks.

The U.S. Securities and Exchange Commission (SEC) recognizes the link between good governance and cybersecurity. In November 2024, the SEC finalized new rules to enhance and standardize public companies' disclosures about cybersecurity risk management, strategy, governance and incidents.[1] This includes policies and procedures for cybersecurity, highlighting management’s and the board’s roles and expertise in assessing and managing these risks.

Business Sustainability at Risk from Cybersecurity Breaches

Companies confront a growing barrage of malicious activities targeting their data, computer networks and other technology tools. These attacks threaten a company’s operations, reputation, customer privacy and brand image. They are costly and require constant vigilance to detect.

The average ransom paid by companies in 2024 was $2.73 million, nearly $1 million more than in 2023. Additionally, the average cost of a data breach reached a record $4.9 million.[2] U.S. firms are targeted more frequently than firms in other countries.[3] Unsurprisingly, generative AI now plays a pivotal role in sophisticated cyberattacks.

Cyberattacks are increasingly sophisticated and varied. Estimates say there are over 1 billion malware programs, and roughly 560,000 new pieces of malware are detected daily.[4] Dealing with these breaches comes at a substantial financial cost. IBM’s latest “Cost of Data Breach Report” says the average total cost of a data breach reached an all-time high of $4.35 million in 2022, climbing almost 13% from 2020.[5] And that doesn’t include the cost of damaging a company’s reputation.

Impact of the “Salt Typhoon” Cyber Espionage Campaign

At least eight telecommunications and infrastructure firms in the U.S. were affected by the “Salt Typhoon” cyber espionage campaign in October 2024. The Federal Communications Commission estimated the cost of removing the insecure equipment to be roughly $5 billion.

Impact of the UnitedHealth Group Cyberattack

In February 2024, cybercriminals obtained sensitive data and deployed ransomware that hindered the operations of UnitedHealth Group subsidiary Change Healthcare, a major processor of U.S. medical claims. Electronic payments for medical services and claims processing were halted, forcing patients to pay out-of-pocket for medications and services. UnitedHealth Group estimates the cost of responding was roughly $2.87 billion, in addition to over $6 billion in assistance the company provided to affected health care providers and a $22 million ransom payment.[6]

Some good news: The U.S. is cracking down on cryptocurrency platforms that facilitate ransomware payments. Coordinated action between Germany and Finland recently disrupted and took down the infrastructure used to operate a cryptocurrency exchange allegedly used by transnational criminal and terrorist organizations to help with money laundering.[7]

Consumers are becoming increasingly aware of their potential cyber vulnerabilities. Who hasn’t received a letter stating, “Your personal information may have been involved …” and wished companies would be more vigilant in protecting the personal data they collect from us?

Cybersecurity breaches involving the theft of sensitive data from credit card purchases, apps on our phones, location tracking devices, etc., could result in a serious misuse of information with real-world consequences, including:

Identity Theft

Individuals affected by corporate data breaches can become victims of identity theft, with ongoing battles to regain their financial lives. Companies that have been hacked often pay a non-trivial cost to cover identity theft monitoring for anyone who could have been impacted.

Negligence Lawsuits

When hacked, companies without adequate cybersecurity processes are likely to have to defend themselves against expensive lawsuits. The first of many lawsuits against UnitedHealth Group was filed less than one month after the Change Healthcare cyberattack.

Reputational Damage

Hacking incidents and other breaches harm a company’s reputation, diminish customer trust and loyalty, and hurt a brand’s image.

Harassment, Discrimination and Blackmail

Data hacks can disclose personal and potentially embarrassing information. Some companies collect data that could be used to harass or financially damage their customers. For example, medical claims and other information could show patients visited a substance abuse center or have conditions that could affect insurance coverage. Credit card data might show purchase patterns, causing a potential employer to reject a job applicant, etc. These outcomes would likely lead to more lawsuits against the company whose data was hacked.

Cyber Risk Can Threaten Physical Assets

Cybersecurity affects resilience — for a company and an entire economy — in ways that extend beyond data hacks to actual physical assets. While not exactly like sci-fi movies where cyborgs go rogue and destroy the planet, it’s possible to imagine real-world robots wreaking havoc in factories and warehouses because the software that controls them was hacked. Critical infrastructure, such as pipelines and water systems, is vulnerable to cyberattacks. Self-driving vehicles that rely on internet connectivity will soon be commonplace — this isn't science fiction.

In May 2021, the Colonial Pipeline had to shut down its operations because of a ransomware attack that exploited a single compromised password and caused fuel shortages across the eastern U.S. Colonial paid the hackers, who were affiliated with a Russia-linked cybercrime group, $4.4 million in ransom. This incident shows that the risks to infrastructure, such as power plants, banking networks and the systems that control self-driving cars, aren’t fictional, futuristic scenarios.

Not all cybercriminals are motivated by financial rewards. Geopolitical tensions can lead to cyber warfare, in which state-sponsored bad actors target critical infrastructure to cause widespread disruption. If hospitals and emergency response systems were attacked, this malicious activity could create panic and threaten lives.

Corporate executives and boards are increasingly aware of these risks. In KPMG’s 2024 U.S. CEO Outlook survey, participants identified cybersecurity as one of the top three threats to company growth.[8] In a recent quarterly survey by the National Association of Corporate Directors, 50% of board members included “cybersecurity threats” as a top-five business issue, up from 46% the previous quarter.[9]

Cyber Risks Rise with Intangible Asset Growth

Over the past 50 years, the factors that drive shareholder value for most U.S. corporations have shifted dramatically, as shown by a massive increase in intangible assets compared to “hard” assets such as factories and equipment. Physical assets are still essential, but intangibles have become more dominant; investment in intangibles grew three times as fast as tangible investments between 2008 and 2023.[10] Estimates vary, but sources show intangibles accounted for as much as 80% to 90% of the S&P 500® Index’s total asset value at the end of 2020.[11]

This shift reflects the outsized effects of the technology revolution. The rise of e-commerce, new electronic communication methods, the Internet of Things, artificial intelligence and digitalization in almost every business has elevated the importance of non-physical assets such as data, software and intellectual property. This inherently increases cybersecurity risks because technology is essential to business operations 24/7.

New technologies allow businesses to expand globally more efficiently and build a remote workforce. Digitalization makes business processes faster and easier, anytime, everywhere. This all offers incredible opportunities; however, this increasing reliance on technology and data makes businesses vulnerable. The claim that “today, every company is a tech company” is valid because every business relies on data and technology. Still, it doesn’t mean every business understands its vulnerabilities or how to protect itself from cybercrime.

Addressing Key Cybersecurity Issues

Given all the implications cybersecurity has for the economy and shareholder value, we believe companies should pay more attention to the following:

Attracting and Retaining Cybersecurity Talent

The International Information System Security Certification Consortium estimates a workforce gap of roughly 4.8 million professionals worldwide. As of 2024, organizations believed they would need to increase their cybersecurity staff by 87% to secure themselves properly. This gap is by far the largest in the Asia-Pacific region, although the U.S. would need to increase cybersecurity staffing by over one-third to be “fully covered.”[12] Given the potential harm cyber threats represent, cutting cybersecurity jobs to reduce expenses in the near term could have expensive long-term costs.

The Importance of Cyber Resilience

According to the World Economic Forum’s 2025 Global Cybersecurity Outlook, large corporations say supply chain challenges are the most significant barrier to achieving cyber resilience due to increasing complexity and a lack of visibility into suppliers’ security, including software vulnerabilities, which has emerged as the leading cybersecurity risk for organizations.

As the saying goes, a chain is only as strong as its weakest link. Geopolitical turmoil also affects CEO risk perceptions. One-third of the surveyed individuals indicated that their primary concern is cyber espionage and the theft of sensitive information or intellectual property. Additionally, 45% of cybersecurity leaders expressed worry about the potential disruption of operations and business processes.[13]

Ensuring Data Privacy Protection

Using mobile devices and apps creates a treasure trove of data collected and resold by data brokers. A recent study shows a growing number of people in the U.S. who suffer from mental health issues use health-tracking applications (many of which aren’t protected by the U.S.’s Health Insurance Portability and Accountability Act), putting sensitive mental health data at risk.

According to the study, several data brokers advertise highly sensitive mental health data on people with depression, anxiety, attention-deficit/hyperactivity disorder, insomnia and bipolar disorder, as well as their ethnicity, age, gender, zip code, religion, number of children in the home, marital status, net worth, credit score, and date of birth.[14] Companies that collect this data, brokers who resell it, and entities that buy it could be sued if individuals whose data is sold are identified by stitching together the data from the apps with public records. The growth of sophisticated AI tools makes this increasingly likely.

Preventing Cyber Hacks Through Employee Training

Some sources suggest that a significant percentage of cybersecurity incidents — from 74% to as much as 95% — involve human error. Employee actions, such as clicking on phishing emails, sharing login credentials, or using public Wi-Fi networks, are often the cause. Data hacks and other attacks on a company’s systems can occur due to carelessness, apathy, or lack of awareness.

Most organizations train their employees to spot cyberattacks by sending fake phishing emails from time to time, showing how easy it is to be lured into clicking on something, especially when it looks legitimate (such as a meeting invitation or request from what looks like another department in the organization) and sounds important or urgent.

This kind of training has become the norm – a company that doesn’t have a regular cybersecurity awareness program for its employees would be considered lax if not negligent. However, employees should be treated as partners in crimefighting, not as the source of the problem.

Enhancing Resilience with Cybersecurity

Although the threat of cyberattacks poses a significant risk, it also provides opportunities for companies that embrace cyber resilience. For example, Apple emphasizes security as a differentiator, protecting its products from malware and staunchly defending customers’ privacy rights. Innovation in this arena can benefit shareholders of companies that provide cybersecurity products and those that use them. Research firm Forrester estimates that spending on cybersecurity software alone will reach 1.7% of global GDP by 2029, nearly doubling since 2016.[15]

Developments in this field include the Zero Trust Network Access framework, which seeks to mitigate the risks of a widespread breach by applying verification steps at every access point. This prohibits movement elsewhere in a network, decreasing the area within a network that might otherwise be vulnerable to malicious activity.

Cybersecurity insurance can provide protection in another way. The National Association of Insurance Commissioners reports the U.S. cyber insurance market accounted for 59% of the $16.66 billion in premiums paid for cyber coverage globally in 2023, with the number of policies in force increasing by 11.7%. The number of claims has also risen, indicating cyber incidents are increasing.[16] Insurers adjust the premiums they charge for this coverage based on the quality of a company’s oversight in this area — a company may not be able to obtain insurance if its cybersecurity processes are lacking.

Cybersecurity’s Role in Sustainable Investing

With cybersecurity so crucial to today’s economy, a company’s governance framework must prioritize cybersecurity oversight and management. As previously noted, the SEC has finalized rules to enhance and standardize disclosures about material cybersecurity incidents.[17] While this should incentivize companies to assess their cybersecurity governance practices, disclosures could reveal potentially sensitive information.

In our analyses, or when engaging with companies, we may consider the following:

Organizational Structure and Oversight
  • Does the company have a chief information security officer (or equivalent position), and does this role report directly to the board of directors?
  • How frequently does the board communicate on cybersecurity topics?
  • Does the board include directors with cybersecurity expertise, and how is cybersecurity integrated into board committees?
Policies and Procedures
  • What is the company’s incident response plan, and how are breaches and other cybersecurity risks disclosed?
  • Are the company’s cybersecurity controls subject to external audits, and how frequently are audits or other process reviews conducted?
  • Does the company maintain any external information security certifications (e.g., ISO 27001)?
  • Where is data stored, how is it encrypted or permitted for use, and how is it backed up?
Investments and Resource Capacity
  • How much capital is allocated to security improvements, such as automation, multifactor authentication, patch management, cloud migration, and managed and endpoint detection and response?
  • How does investment allocation support human capital, including talent pipeline management and training?

Why Cybersecurity Is Crucial for Business Operations

The various ways cybersecurity issues can impact shareholder value are an essential reminder that sustainability can be assessed only by going beyond balance sheets and income statements. New technologies can help companies become more efficient, reach more customers and gather more data across supply chains. Smart devices increase physical infrastructure efficiency in ways we may take for granted, from home security systems to the entire electrical grid.

But who monitors all the potential threats this creates? Is managing cybersecurity risk an integral part of how a company functions day to day, or is it an afterthought?

At American Century Investments®, we see cybersecurity as a core sustainability issue that affects every enterprise. We view good governance in the cybersecurity arena as a critical part of risk management. When we engage with companies, this is one area we consider in evaluating their ability to generate long-term, risk-adjusted returns for our clients.

Case Study: Palo Alto Networks’ Zero Trust Framework

Who?

Palo Alto Networks (PANW) is a global cybersecurity provider. Its cybersecurity platforms and services help secure enterprise users, networks, clouds, and endpoints by delivering comprehensive cybersecurity backed by industry-leading artificial intelligence and automation. The company’s solutions include Network Security, Secure Access Service Edge, Cloud Security, Security Operations, and Threat Intelligence and Security Consulting.

What?

Prisma Access is a cloud-delivered security offering that helps organizations deliver consistent security to remote networks and mobile users. Located in more than 100 locations around the world, Prisma Access consistently inspects all traffic on a network, including branch-to-branch and branch-to-headquarters traffic.

Opportunity?

Prisma Access is PANW’s next-generation Zero Trust Network Access platform that provides secure network access for all employees with unified policy management and continuous threat inspection. The platform delivers what is known as least-privileged access, continuous trust verification and security inspection to protect security for all applications and data across the enterprise infrastructure. This zero-trust architecture enhances the security process for end users, contributing to a more robust security environment.

Source: Palo Alto Networks’ 2024 10-K annual filing.

Authors
Jake Hense

Sustainable Research Analyst


[1] Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. U.S. Securities & Exchange Commission, November 19, 2024.

[2] IBM Report: “Escalating Data Breach Disruption Pushes Costs to New Highs,” July 30, 2024.

[3] Varonis: Ransomware Statistics, Data, Trends, and Facts [updated 2024], November 13, 2024.

[4] Nivedita James Palatty, “30+ Malware Statistics You Need to Know In 2025,” Astra, January 9, 2025.

[5] IBM, “Cost of a Data Breach Report 2022,” July 27, 2022.

[6] Cyber Management Alliance, “Top 10 Biggest Cyber Attacks of 2024-25 and Other Attacks to Know About,” January 20, 2025.

[7] U.S. Dept. of Justice, Office of Public Affairs, “Garantex Cryptocurrency Exchange Disrupted in International Operation,” March 7, 2025.

[8] KPMG, “2024 KPMG U.S. CEO Outlook Pulse Survey,” 2024.

[9] NACD Quarterly Survey, “Cybersecurity Threats Top Board Agendas,” Q2 2024.

[10] World Intangible Investment Highlights, WIPO, June 25, 2024.

[11] Ocean Tomo, “Intangible Asset Market Value Study,” accessed March 31, 2025.

[12] “2024 ISC2 Cybersecurity Workforce Study,” ISC2, October 31, 2024.

[13] World Economic Forum, “Global Cybersecurity Outlook 2022,” January 2022.

[14] Joanne Kim, “Data Brokers and the Sale of Americans’ Mental Health Data,” Sanford School of Public Policy, Duke University, February 2023.

[15] Matt High, “How Cybersecurity Is Fueling Global IT and Tech Spend,” Cyber Magazine, February 13, 2025.

[16] National Association of Insurance Commissioners, “Report on the Cyber Insurance Market,” October 15, 2024.

[17] U.S. Securities and Exchange Commission, “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” Press Release, March 9, 2022.

References to specific securities are for illustrative purposes only and are not intended as recommendations to purchase or sell securities. Opinions and estimates offered constitute our judgment and, along with other portfolio data, are subject to change without notice.

The opinions expressed are those of American Century Investments (or the portfolio manager) and are no guarantee of the future performance of any American Century Investments' portfolio. This material has been prepared for educational purposes only. It is not intended to provide, and should not be relied upon for, investment, accounting, legal or tax advice.

The portfolio managers use a variety of analytical research tools and techniques to help them make decisions about buying or holding issuers that meet their investment criteria and selling issuers that do not. In addition to fundamental financial metrics, the portfolio managers may also consider environmental, social, and/or governance (ESG) data to evaluate an issuer’s sustainability characteristics. However, the portfolio managers may not consider ESG data with respect to every investment decision and, even when such data is considered, they may conclude that other attributes of an investment outweigh sustainability-related considerations when making decisions. Sustainability-related characteristics may or may not impact the performance of an issuer or the strategy, and the strategy may perform differently if it did not consider ESG data. Issuers with strong sustainability-related characteristics may or may not outperform issuers with weak sustainability-related characteristics. ESG data used by the portfolio managers often lacks standardization, consistency, and transparency, and may not be available, complete, or accurate. Not all American Century investment strategies incorporate ESG data into the process.