The Downside of Digital Transformation for Utilities: Data Privacy and Cybersecurity Risks

Posted on June 6, 2024

Ratih Pujiastuti
ESG Research Senior Analyst, Utilities

Key Insights:

  • According to Morningstar Sustainalytics research, in 2022, 38% of utilities in our coverage universe had weak management of their cybersecurity programs, while 19% had adequate management. In 2023, the share of companies with weak management dropped to 27% and the share with adequate management increased to 30%.

  • Though utilities in Europe show varying levels of cybersecurity management, the region has the highest percentage of companies with very strong management programs (26%). Utilities in North America generally have adequate management of the issue (46%).

  • Utilities in the rest of the world also show varying levels of cybersecurity management, and this group has the highest percentage (27%) of utilities with no cybersecurity program at all.

Cybersecurity has become a major concern for utilities companies. The increasing digitalization and automated control over electricity, gas and water systems introduce a set of risks previously unfamiliar to the industry. A report published by the International Energy Agency (IEA)[1] shows that utilities companies were the target of over 1,100 cyberattacks per week, on average, in 2022. This includes attacks on critical gas and electricity infrastructure – an increase from an average of 750 and 500 attacks per week in 2021 and 2020, respectively. The report also points out the lack of detection and underreporting of cybersecurity incidents. These attacks are becoming more sophisticated, and those reported are potentially just the tip of the iceberg.

This article highlights the increasing materiality of data privacy and cybersecurity risks for utilities. It outlines the sector’s digital transformation and the ensuing cybersecurity vulnerabilities that have followed. It also shows how companies are responding to these risks and the changing regulatory landscape.

Utilities’ Digital Transformation

The adoption of digital technologies and processes can significantly benefit utilities by enhancing service and reliability. Additionally, it allows utilities to offer more products and services to their customers. In facilitating the energy transition, electric utilities are undergoing a transformation. They are changing from the conventional one-way flow of power from centralized generation to a two-way power flow model. This new model allows greater quantities of intermittent renewable generation to be integrated into the power grid from distributed energy resources.

Digital transformation is also reshaping the way water and gas utilities operate and manage resources. Technologies such as leak detection sensors and remote monitoring systems are improving operational efficiency. However, the development of more interconnected and digitalized systems introduces additional cybersecurity vulnerabilities to these companies’ operations. 

Electricity, gas and water networks are critical infrastructure essential to the economy and society, and they are increasingly operated, monitored and controlled using digital technologies. This includes operational technology (OT) that runs physical equipment, such as switchgear, valves and controllers, as well as information technology (IT) that enables data exchange, processing and analytics, in addition to planning, billing, customer services and other business activities. Utilities also collect and use a significant amount of customer data, which exposes them to related data privacy management risks.

The unique interdependencies of OT and IT in the industry expose utilities to an ever-evolving risk of cyberattacks affecting both physical and digital infrastructure. These attacks could lead to data breaches, improper use of customers’ data by third parties for financial gain, disruptions to operations that could result in a temporary or permanent loss of access to OT/IT systems, equipment failure, or even serious physical sabotage resulting from acts of terrorism or cyberwarfare, potentially causing water system contamination or prolonged blackouts. Such cybersecurity attacks, if successful, can disrupt a company’s operations and erode customers’ trust in the company.

Data Protection and Cybersecurity Vulnerabilities

Among the recorded incidents affecting the companies in the Morningstar Sustainalytics universe to date, the majority of data privacy and cybersecurity incidents in the utilities sector involved breaches that compromised thousands of customers’ personal information. Some incidents were related to regulatory non-compliance, such as violations of the EU’s General Data Protection Regulation (GDPR). Enel, one of the biggest players in the industry, was fined a total of EUR 85 million[2,3] in Feb. 2024 by authorities in Spain and Italy over allegations of multiple violations of the GDPR.

Cyberattacks have also caused service disruptions. For example, Luma Energy (a joint venture between ATCO Ltd. and Quanta Services) is the grid operator in charge of modernizing the power infrastructure in Puerto Rico. It suffered a cyberattack in 2021 that blocked users from accessing their customer portal accounts during outages.[4] Similarly, the Colombian utility Empresas Públicas de Medellín experienced a cyberattack in 2022 that disrupted its office operations as well as customers’ meter readings and bill payments.[5] Hydro-Québec, a major grid operator in Canada, suffered an attack in 2023 that took its outage-verification app and website offline.[6]

The average cost of a data breach in the energy sector was estimated at USD 4.78 million in 2023, while the average cost of a destructive cyberattack was estimated at USD 5.24 million.[7] The cost has increased steadily over the past few years and is likely to continue to increase in the future.[8] A major cyberattack causing prolonged disruptions to a company’s operations, such as the May 2021 ransomware attack on Colonial Pipeline, has the potential to lead to financial losses much larger than the average figure reported.[9] Companies operating critical infrastructure are also at risk of incurring penalties from regulators for failing to restore service in a timely manner.

Utilities’ Data Privacy and Cybersecurity Management Trends

As part of the enhancements to our ESG Risk Ratings, Sustainalytics has strengthened the way we capture exposure to and management of cybersecurity risk for utilities. Previously evaluated under the product governance material ESG issue (MEI), utilities’ cybersecurity risk is now assessed under a standalone MEI for data privacy and cybersecurity. Under this MEI, new management indicators were introduced. These new indicators include critical infrastructure for cybersecurity and a data privacy policy and program to supplement the existing cybersecurity program indicator. The weighting for utilities’ exposure to data privacy and cybersecurity risk was also increased to reflect the rising materiality of the issue.

According to our research, in 2022, 38% of utilities in our coverage universe had weak management of the issue, while 19% had adequate management (Figure 1). In 2023, companies with weak management dropped to 27% and companies with adequate cybersecurity management increased to 30%.

Figure 1. Strength of Cybersecurity Management Programs in the Utilities Sector, 2022 vs 2023

Source: Morningstar Sustainalytics. For informational purposes only.
Note: Companies under the utilities industry are categorized as belonging to the comprehensive universe, with 445 companies included for 2022 and 479 in 2023.

Overall awareness of data privacy and cybersecurity risks is increasing among utilities companies. However, management of the issue varies between regions, as shown in Figure 2. While utilities in Europe show varying levels of cybersecurity management, the region has the highest percentage of companies with very strong management programs (26%). Utilities in North America generally have adequate management of the issue (46%). Utilities in the rest of the world (ROW) also show varying levels of cybersecurity management, but this group has the highest percentage (27%) of utilities with no cybersecurity program at all. The overall management of cybersecurity among utilities globally is still relatively weak.[10]

Figure 2. Strength of Cybersecurity Management Programs in the Utilities Sector by Region, 2023

Source: Morningstar Sustainalytics. For informational purposes only.
Note: Companies under the utilities industry are categorized as belonging to the comprehensive universe, with 445 companies included for 2022 and 479 in 2023.

The Regulatory Landscape for Data Privacy and Cybersecurity

While utilities worldwide encounter similar cybersecurity challenges and threats, the varying regulatory environments are expected to continue driving improvements in companies’ disclosure and management of data privacy and cybersecurity issues. 

Regulators and investors are increasingly scrutinizing cybersecurity disclosures and demanding greater transparency. Investors have started to incorporate cybersecurity risk as part of their due diligence processes.[11] Meanwhile, regulators are expected to develop cybersecurity reporting standards[12] for companies in order to improve transparency to investors. In the U.S., the Securities and Exchange Commission (SEC) mandated[13] that public companies report on material cybersecurity incidents, as well as cybersecurity risk management, governance and strategies, as part of companies’ regular reporting requirements. Similarly, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)[14] requires immediate reporting of significant cybersecurity incidents by companies in critical infrastructure sectors.

The EU’s GDPR has forced companies to implement stricter data protection measures, as regulatory non-compliance puts companies at risk of incurring hefty financial penalties. Utilities operating critical infrastructure and providing essential services, such as supplying energy, water and wastewater treatment, are also required to comply with specific cybersecurity regulations, such as the EU’s Network and Information Security Directive (NIS2 Directive). Non-compliance with the NIS2 could lead to a maximum fine of EUR 10 million, or 2% of a company’s global annual revenue, whichever is greater.[15]

Placing Greater Emphasis on Cybersecurity as a Material ESG Issue

Our recent enhancement to the ESG Risk Rating includes expanded cybersecurity coverage, offering deeper insights into a company’s ability to safeguard customer privacy as well as prevent and respond to cyberattacks in critical infrastructure and operations. This enhancement aims to provide investors with a more detailed assessment of cybersecurity risks. Companies with strong cybersecurity measures and proactive data privacy practices may be better prepared to mitigate the growing risks of cyber breaches, along with associated operational, financial, and reputational risks.


References

  1. Casanovas, M., & Ngheim, A. 2023. “Cybersecurity – is the power system lagging behind?” International Energy Agency. Aug. 1, 2023. https://www.iea.org/commentaries/cybersecurity-is-the-power-system-lagging-behind
  2. Reuters. 2024. “Italy regulator fines Enel unit 79 million euros for telemarketing abuses.” Reuters. Feb. 29, 2024. https://www.reuters.com/business/energy/italy-regulator-fines-enel-unit-79-million-euros-telemarketing-abuses-2024-02-29/
  3. OneTrust Data Guidance. 2024. “Spain: AEPD fines Endesa Energía €6.1M for data protection violations.” Feb. 14, 2024. https://www.dataguidance.com/news/spain-aepd-fines-endesa-energ%C3%ADa-61m-data-protection
  4. Al Jazeera. 2021. “Puerto Rico faces blackout after cyberattack, fire.” Al Jazeera. June 11, 2021.  https://www.aljazeera.com/news/2021/6/11/electric-company-reports-fire-cyber-attack-in-puerto-rico
  5. Moss, L. 2022. “EPM Falls Victim To Ransomware Attack.” Finance Colombia. Dec. 14, 2022. https://www.financecolombia.com/epm-falls-victim-to-ransomware-attack/
  6. Lapierre, M. 2023. “Pro-Russian group claims responsibility for cyberattack against Hydro-Québec.” CBC. Apr. 13, 2023. https://www.cbc.ca/news/canada/montreal/hydro-quebec-website-cyberattack-1.6808947
  7. IBM. 2023. Cost of a Data Breach Report 2023. May 1, 2024. https://www.ibm.com/reports/data-breach
  8. Morgan, S. 2023. “Global Ransomware Damage Costs Predicted To Exceed $265 Billion By 2031.” Cybercrime Magazine. Jul. 7, 2023. https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/
  9. Jones, D. 2022. “Colonial Pipeline faces nearly $1M in penalties as federal regulator discloses violations.” Cybersecurity Dive. May 6, 2022. https://www.cybersecuritydive.com/news/colonial-pipeline-ransomware-fines/623335/
  10. Specifically, 57% of utilities globally are assessed as having weak or adequate cybersecurity management, compared to 30% assessed as strong or very strong.
  11. Bel-Bachir, I., Gai, S., Kauffman, D., et al. 2023. “Performance edge: Investors hone their strategies for a new era.” McKinsey & Company. Jul. 10, 2023. https://www.mckinsey.com/industries/private-capital/our-insights/performance-edge-investors-hone-their-strategies-for-a-new-era
  12. Glover, C. 2023. “New SEC cybersecurity reporting rules may force the UK to follow suit.” Tech Monitor. Jul. 27, 2023. https://techmonitor.ai/technology/cybersecurity/sec-cybersecurity-reporting-rules
  13. U.S. Securities and Exchange Commission. 2023. “SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies.” Jul. 26, 2023. https://www.sec.gov/news/press-release/2023-139
  14. Cybersecurity & Infrastructure Security Agency. 2022. “Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).” May 1, 2024. https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia
  15. NIS2 Directive. 2024. “NIS2 Fines.” The NIS2 Directive Explained. May 1, 2024. https://nis2directive.eu/nis2-fines/