Large-scale infrastructure may offer predictable returns for investors, but it’s vulnerable to hackers. Gavin Lillywhite explains how asset managers and pension trustees can reduce their exposure
We’re all aware of the ever-increasing cyber risk in our personal lives, our workplaces and wider society. As consumers we hand over growing volumes of valuable personal data in the expectation that organisations will invest in robust cyber security to protect it and keep it secure. Legislation such as the UK General Data Protection Regulation (GDPR) also exists to drive standards, with the potential for a fine of up to 4 per cent of global turnover for companies that fail to comply.
But what about our investments and pensions? Are they as safe, and is it time investible assets carried a cyber risk assessment grading? Should potential investment losses be better mitigated now, and should investment managers be more transparent and subject to similar fines?
Private investment in large-scale infrastructure is commonplace: asset managers and infrastructure funds invest in stable, revenue-generating assets including renewable energy, utilities and transportation. Consequently, our pensions are invested in those assets, either directly or via investment funds, for ‘predictable returns’. And demand is growing: the Association of British Insurers’ Investment Delivery Forum cites that the UK requires more than £1.3 trillion of investment in energy, transport and housing by 2030.
But what if those assumed returns fall due to damage from a malevolent cyber-attack? What if investors are unknowingly exposed to a potential yield reduction? Do we know the level of exposure and increased risk, and could this be mitigated?
Most modern infrastructure is managed through some form of operational technology (OT). Whilst OT systems in the past were largely isolated and self-contained, they are increasingly connected to IT systems, including for remote monitoring, which in turn creates a potential threat vector for malicious cyber threat actors to hack the network.
There are numerous examples of physical assets being hacked, damaged or destroyed, from high-visibility cases like the Predatory Sparrow Iranian steel mill attack in 2022 and the DP World Australia ports attack in 2023 to manufacturing and production machinery. Such attacks can interrupt production, incur extensive costs, and reduce earnings and investment yield.
And in the last month, Moody’s warned of the elevated cyber risk facing the UK water industry and its fragility in dealing with and absorbing the cost of cyber attacks, as it awaits permission from Ofwat to ramp up spending on digital security.
Why should private and institutional investors, asset managers, pension fund trustees and banks be concerned? Surely these assets are insured, and the investment is protected? In short, probably not.
In 2017 the UK Prudential Regulation Authority instructed property and casualty insurers to actively manage non-affirmative cyber risk exposures through a combination of adjusted insurance risk pricing, exclusion of risk and/or sub-limiting cover. Consequently, the majority of asset policies now exclude losses emanating from malicious cyber-physical damage and the resultant business interruption, leaving assets, investors and lenders exposed.
This risk can be reduced through comprehensive organisational cyber enterprise risk management (CERM), specialist ‘buy-back’ insurance policies available through Lloyd’s of London (which Axio is supporting with its newly developed assessment tool, crafted in the Lloyd’s Lab), and comprehensive fiduciary cyber due diligence by the investment manager.
Easy identification of the inherent cyber risk to an asset and/or an investment portfolio, including [buy-back] insurance indemnities, has to be the solution to drive transparency and help investors determine the level of [cyber] risk they are prepared to accept within their investment portfolio vis-à-vis returns. Perhaps elevated cyber exposure and excluded insurance risk might reduce investor demand, as returns are more exposed and potentially more volatile. This in turn will likely drive greater adoption of robust CERM and insurance protection. And as we consider the liquidity benefits of asset tokenization through NFTs, this will become even more critical.
The man on the Clapham Omnibus would consider it reasonable for investors to know the residual cyber risk within their investment portfolio and for financial regulators and government to be comfortable that they have done their utmost to protect investors and avoid unwanted tabloid headlines.
We can always draw lessons from Greek tragedy. Perhaps this will be our anagnorisis moment, the migration from ignorance to knowledge as Aristotle defined it; or will hubris, our fatal flaw, prevail, and will we carry on as we have previously?
Gavin Lillywhite is head of insurance distribution and client management at Axio