Cybersecurity risks continue to proliferate due to the global economy’s dependence on data and technology.
These risks present opportunities for businesses that view cybersecurity as a sustainability issue but may negatively affect employees who are “watched” by technology.
A governance framework that prioritizes cybersecurity can enhance risk management. Insurance policies that cover cyberattacks are becoming more common.
When making investment decisions, investors around the world either explicitly or implicitly consider the question, “Is this business sustainable?” However, they may forget to ask about investments’ core cybersecurity strategy — which has a surprising impact on sustainability.
At its core, sustainability refers to a company’s ability to survive and thrive over the long term, given the various environmental, social and governance (ESG) issues that are material to its business and the overall economy.
In our view, technological advancement is one of the key themes of a thriving, sustainable world. Technology improves lives and creates opportunities in so many ways that it would be impossible to count them. It also opens the door to dangers that could seriously harm businesses and society. Therefore, we see cybersecurity as a critical component of sustainable investing and view the quality of a company’s governance pillar as critical to its cybersecurity practices.
The U.S. Securities and Exchange Commission (SEC) recognizes the link between good governance and cybersecurity risk. In March 2022, the federal agency proposed rules that would require companies to report material new cybersecurity incidents and provide updates on previously reported cases.
The new rules would also require companies to periodically report on their cybersecurity risk policies and procedures, including management’s role and expertise in assessing and managing cybersecurity risk and the board’s oversight role on the issue.
Cybersecurity Breaches Threaten Business Sustainability
Companies are confronting growing incidents of malicious activity involving their data and technology. These incidents are financially costly, require constant vigilance to detect, and threaten a company’s reputation and brand image. A study from Deep Instinct reveals that in 2020 malware incidents increased by 358%, and ransomware increased by 435% compared to 2019. (Some good news, though: The U.S. is cracking down on cryptocurrency platforms that facilitate ransomware payments).[1] Accenture’s State of Cybersecurity surveys found that companies experienced an average of 270 attacks during 2021, a 31% increase compared to 2020.[2]
Cyberattacks are becoming increasingly sophisticated and varied. In other words, it’s hard to keep up. VirusTotal’s 2021 Ransomware Activity Report noted that at least 130 different ransomware families have been active since 2020.[3] Separately, Verizon’s 2022 Data Breach Investigations Report finds that the use of stolen credentials and phishing represent two of the top four actions in breaches.[4] T-Mobile recently announced a hack that affected 37 million customers — their names, billing addresses, email addresses, phone numbers, birth dates, and T-Mobile account numbers.
Needless to say, dealing with these breaches comes at a substantial financial cost. IBM’s latest Cost of Data Breach Report states that the average total cost of a data breach reached an all-time high of $4.35 million in 2022, climbing almost 13% from 2020.[5] And that doesn’t include the cost of the damage to a company’s reputation.
Consumers are becoming increasingly aware of their potential cyber vulnerabilities. Who hasn’t received one of those letters stating, “Your personal information may have been involved …” and wished companies would be more forthcoming about how they protect the personal data they collect?
Cybersecurity breaches involving the theft of sensitive data from credit card purchases, apps on our phones, location trackers, and so on could result in a serious misuse of information in ways that have real-world consequences. For example:
Consumers could become victims of identity theft, resulting in ongoing battles to put their financial lives back together. Companies that have been hacked often pay, at a non-trivial cost, for identity theft monitoring for anyone who could have been impacted.
Companies without adequate cybersecurity processes are likely to find themselves defending against expensive negligence lawsuits when they are hacked.
Hacking incidents and other cybercrimes harm a company’s reputation, causing customers to lose trust and damaging loyalty and brand image. That’s in addition to the hit to profits from having to pay millions of dollars in ransom to recover stolen data (which may still find its way onto the dark web).
Data hacks can disclose information that is deeply personal, potentially embarrassing or even dangerous. The data some companies collect could be used to harass or harm people (e.g., medical claims and other sensitive information that could show patients visited a reproductive health clinic or substance abuse center, and other medical information that could affect insurance coverage, credit card data showing purchase patterns that might cause a potential employer to question whether to hire an individual and so on).
How Cyber Risk Impacts Global Sustainability
Cybersecurity affects sustainability in ways that extend beyond data hacks to actual physical assets. It’s not exactly like sci-fi movies that show cyborgs going rogue and destroying a planet, but it isn’t outside the realm of possibility to imagine robots wreaking havoc in real-world factories and warehouses if the software that controls their operations got hacked. Critical infrastructure is vulnerable to cyberattacks today — it’s not science fiction.
In May 2021, the Colonial Pipeline had to shut down its operations because of a ransomware attack that exploited a single compromised password. The shutdown caused fuel shortages across the eastern U.S., and Colonial paid the hackers, who were affiliated with a Russia-linked cybercrime group, $4.4 million in ransom. This incident shows that the risks to infrastructure, such as power plants, banking networks and systems that will someday control self-driving cars, aren’t fictional, futuristic scenarios.
Not all cybercriminals are motivated by financial rewards. Geopolitical tensions can lead to cyberwarfare in which state-sponsored bad actors target critical infrastructure with the goal of causing widespread disruption. This type of malicious activity could even threaten lives if hospitals and emergency response systems came under attack.
Corporate executives and boards are increasingly aware of these risks. In PwC’s 2022 Global Risks Survey, CEOs identified cyber and information management as the third-highest risk to revenue growth.[6] Separately, in a recent survey by the National Association of Corporate Directors, 42% of participants said that recruiting a cybersecurity-savvy director would benefit their board, compared to 36% in 2021.[7]
Key Cybersecurity Concerns
Cybersecurity relies on people and commitment. We believe companies need to pay more attention to the following:
Attracting and retaining talent. According to a 2022 study from the International Information System Security Certification Consortium, or (ISC)², roughly 3.4 million cybersecurity jobs worldwide are unfilled, a 26% increase from 2021.[8] Given the potential harm that cyberthreats represent, companies need to attract and retain qualified cybersecurity experts and provide them with ongoing training.
Prioritizing cyber resilience. According to the World Economic Forum’s Global Risks Perception Survey, 41% of business executives believe that cyber resilience is an established business priority (which seems low to us), but only 13% of executives who focus on security (such as chief information security officers, or CISOs) agreed.[9] As companies bolster their cybersecurity efforts, buy-in across the organization is critical. The old saying that a chain is only as strong as its weakest link definitely applies here.
Protecting data privacy. Our use of mobile devices and apps has created a treasure trove of data that brokers are collecting and reselling. A recent study of data brokers and data on U.S. individuals’ mental health conditions shows that a growing number of depressed and anxious individuals are using health-tracking applications (many of which are not protected by the Health Insurance Portability and Accountability Act), putting sensitive mental health data at risk. According to the study, a number of data brokers advertised highly sensitive mental health data on people with depression, insomnia, anxiety, attention-deficit/hyperactivity disorder and bipolar disorder, as well as data on ethnicity, age, gender, zip code, religion, children in the home, marital status, net worth, credit score, date of birth and single-parent status.[10]
Technology Trends Are Increasing Cyber Risk Threats to Sustainability
Over the past 50 years, the value drivers for most U.S. corporations have been transformed, as shown by the massive increase in intangible assets compared to “hard” assets such as factories and equipment. It’s not that physical assets are no longer important but that intangibles have become so much more dominant.
In 1975, the value of intangible assets on the balance sheets of S&P 500® companies totaled about $122 billion, or about 17% of total asset value.[11] Intangibles have since grown at an average of 13% annually, reaching over $21 trillion in 2018, and now account for about 90% of the S&P 500’s total assets.[12]
This shift reflects the outsized effects of the technology revolution. The rise of e-commerce, new methods of electronic communication, the Internet of Things, artificial intelligence and digitalization in just about every business has elevated the importance of non-physical assets such as data, software and intellectual property. It has also increased cybersecurity risks as technology is essential to businesses, and we are all connected all the time.
New technologies allow businesses to expand globally more easily than ever before and to build a workforce using remote employees. Digitalization makes business processes faster and easier, anytime, everywhere. This all offers incredible opportunities if managed well. But this increasing reliance on technology and data makes businesses vulnerable. The claim that “today, every company is a tech company” is true in the sense that every business relies on data and technology, but it doesn’t mean that every business understands its vulnerabilities or how to protect itself from cybercrimes.
Is Somebody (or Something) Watching You?
Employees are being affected by cyber risks in new ways as technologies enable employers to collect more data about their workforce. While the motivation may be justifiable (such as measuring productivity or work quality), it can be an invasion of privacy, increase workplace stress and have unintended consequences. Many employees have devices on their company-issued computers that track when their eyes aren’t on the screen or detect that their mouse hasn’t moved in a while.
Offices aren’t the only place where technology is “watching” workers. Truck drivers in the U.S. must use an electronic logging device that monitors how many hours their trucks are in use each day.[13] The purpose is to ensure that a driver isn’t behind the wheel for longer than the legal limit of 14 hours in a 24-hour period. Of course, once the device is installed, other features can be added to the software. Biophysical data (heart rate, for example) is now being collected by some devices.
This type of monitoring can seem invasive, making drivers uncomfortable. As for unintended consequences, if the 14-hour limit is reached when the driver is half a mile from the warehouse, does the delivery have to wait? Seasoned truck drivers may decide they don’t like this type of monitoring and could look for other types of work, contributing to a shortage of drivers and increasing the percentage of inexperienced drivers on our highways.
Opportunities to Improve Sustainability in the Cybersecurity Arena
Although the threat of cyberattacks poses a significant risk, it also provides opportunities for companies that truly embrace cyber resilience. For example, Apple emphasizes protecting its products from malware and preventing misuse of customer data as a differentiator. Innovation in this arena can benefit shareholders of companies that provide cybersecurity products and those that use them. Cybersecurity Ventures estimates that global cybersecurity spending will increase at an annualized rate of 15% between 2021 and 2025, amounting to $1.75 trillion in spending.[14]
Developments in this field include the Zero Trust Network Access framework that seeks to mitigate the risks of a widespread breach by applying verification steps at every access point, which prohibits movement elsewhere in a network.[15] This decreases the area within a network that might otherwise be vulnerable to malicious activity.
Cybersecurity insurance can provide protection in another way. This is a new, rapidly growing area. In 2021, direct written premiums collected by the largest U.S. carriers increased by 92% year over year.[16] The underwriting process encourages companies to improve their oversight processes — a company may not be able to get insured if it doesn’t have robust cybersecurity processes in place.
Cybersecurity Aligns with an Integrated Approach to Sustainable Investing
With cybersecurity so crucial to today’s economy, companies need a robust governance framework that promotes effective cybersecurity oversight and execution. As noted above, the SEC has proposed rules to enhance and standardize disclosures regarding cybersecurity risk management and incidents.[17] This should incentivize companies to assess their cybersecurity governance practices.
Does the company have a chief information security officer (or equivalent position), and does this role report directly to the board of directors?
How frequently does the board communicate on cybersecurity topics?
Does the board include directors with cybersecurity expertise, and how is cybersecurity integrated into board committees?
What is the company’s incident response plan, and how are breaches and other cybersecurity risks disclosed?
Are the company’s cybersecurity controls subject to external audits, and how frequently are audits or other process reviews conducted?
Does the company maintain any external information security certifications (e.g., ISO 27001)?
Where is data stored, how is it encrypted or permitted for use, and how is it backed up?
How much capital is allocated to security improvements, such as automation, multifactor authentication, patch management, cloud migration, and managed and endpoint detection and response?
How does investment allocation support human capital, including talent pipeline management and training?
Sustainability Requires Cybersecurity
It all comes back to the issue of sustainability — companies can easily become enamored of new technologies that allow them to improve efficiency, reach more customers and gather more data across supply chains and through expanding networks of relationships. “Smart” devices are integrating more activities with our physical infrastructure in ways we may take for granted (home security systems are just one example).
But who is monitoring all the potential threats this creates? Is cybersecurity risk management a part of every new business initiative, or is it an afterthought?
At American Century Investments, we see cybersecurity as a core sustainability issue that affects every enterprise, and we view good governance in the cybersecurity arena as a critical part of risk management. When we engage with companies, this is one of the areas we consider in evaluating a company’s ability to generate long-term, risk-adjusted returns for our clients.
Palo Alto Networks’ Zero Trust Framework
Who? Palo Alto Networks (PANW) is a global cybersecurity provider. Its cybersecurity platforms and services help secure enterprise users, networks, clouds, and endpoints by delivering comprehensive cybersecurity backed by industry-leading artificial intelligence and automation. The company’s solutions include Network Security, Secure Access Service Edge, Cloud Security, Security Operations, and Threat Intelligence and Security Consulting.
What? Prisma Access is a cloud-delivered security offering that helps organizations deliver consistent security to remote networks and mobile users. With a presence in more than 100 locations around the world, Prisma Access consistently inspects all traffic on a network, including branch-to-branch and branch-to-headquarters traffic.
Opportunity? Prisma Access is PANW’s next-generation Zero Trust Network Access platform that provides secure network access for all employees with unified policy management and continuous threat inspection. The platform delivers what is known as least-privileged access, continuous trust verification and security inspection to protect all applications and data across the enterprise infrastructure. This zero-trust architecture enhances the security process for end users, contributing to a more robust security environment.
Source: Palo Alto Networks’ 2021 10-K annual filing.
1. Help Net Security, “Malware increased by 358% in 2020,” February 17, 2021.
2. Accenture, “The State of Cybersecurity Resilience 2021,” November 3, 2021.
3. Vicente Díaz, “Ransomware in a global context,” VirusTotal, October 4, 2021.
4. Verizon, Data Breach Investigations Report, 2022.
5. IBM, Cost of a Data Breach Report 2022, July 27, 2022.
6. PwC Research, “2022 Global Risk Survey,” 2022.
7. PR Newswire, “National Association of Corporate Directors’ Annual Public Company Survey Reveals Key Boardroom Trends for 2022,” June 21, 2022.
8. Catherine Stupp, “Corporate Cybersecurity Teams Struggle to Fill Jobs,” Wall Street Journal, October 20, 2022.
9. World Economic Forum, “Global Cybersecurity Outlook 2022,” January 2022.
10. Joanne Kim, “Data Brokers and the Sale of Americans’ Mental Health Data,” Sanford School of Public Policy, Duke University, February 2023.
11. Aran Ali, “The Soaring Value of Intangible Assets in the S&P 500,” Visual Capitalist, November 12, 2020.
12. Ali, “Intangible Assets in the S&P 500.”
13. Joe Weisenthal and Tracy Alloway, “Transcript: Karen Levy on Truck Driver Surveillance,” Bloomberg, January 10, 2023.
14. David Braue, “Global Security Spending to exceed $1.75 Trillion from 2021-2025,” Cybercrime Magazine, September 10, 2021.
15. Gartner Glossary, “Zero Trust Network Access (ZTNA),” accessed February 10, 2023.
16. James Rundle and David Uberti, “Cyber Insurers Raise Rates Amid a Surge in Costly Hacks,” Wall Street Journal, May 18, 2022.
17. U.S. Securities and Exchange Commission, “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies,” Press Release, March 9, 2022.
References to specific securities are for illustrative purposes only, and are not intended as recommendations to purchase or sell securities. Opinions and estimates offered constitute our judgment and, along with other portfolio data, are subject to change without notice.
The opinions expressed are those of American Century Investments (or the portfolio manager) and are no guarantee of the future performance of any American Century Investments' portfolio. This material has been prepared for educational purposes only. It is not intended to provide, and should not be relied upon for, investment, accounting, legal or tax advice.