Chief Financial Officers face growing financial pressures from IT security failures, such as the recent major collapse of online systems due to a CrowdStrike software update that took down networks worldwide. By now, CFOs should know that the internet infrastructure is built upon a fragile foundation of interconnections and dependencies, meaning that unexpected problems can quickly spiral out of control. Such cascading global failures will continue to wreak widespread financial damages and business losses stemming from disgruntled travelers stranded at airports, e-commerce systems that get taken down, or online service providers who cannot maintain connectivity.
These are all glaring problems for CFOs responsible for protecting their organizational investments. Over the past decade, critical elements of the U.S. infrastructure – including systems for the internet, energy, transportation, finance, agriculture, health care, and utilities – have all sustained cyberattacks from foreign adversaries and homegrown terrorists alike. The attacker groups have ranged from criminal ransomware gangs to rival nation-states who seek to disrupt vital U.S. operations.
Such cyber threats pose tangible dangers to a broad range of physical infrastructure assets. The multidimensional risks for critical infrastructure encompass operational, financial, and human losses, as well as harm to brand reputations. To help offset these risks, more CFOs are tapping the power of infrastructure investment funds (IIFs). Such funds can be used to finance cyber risk quantification and management (CRQM) solutions as part of an overarching national strategy to strengthen infrastructure security.
Cyberattacks on critical infrastructure have risen 70% in recent years, according to former NASA CISO Jeanette Hanna-Ruiz, speaking at an event hosted by the Financial Times. The list of attacks in this country is long and frightening. In 2017, Russian spies tried to hack into the Wolf Creek nuclear power plant in Kansas. The Justice Department said the Russian hackers planted malware on more than 17,000 devices to launch their concerted attacks.
The infamous Colonial Pipeline ransomware attack in 2021 brought a major American gas pipeline to a standstill. At the time, that event marked the largest publicly disclosed cyberattack against critical infrastructure in U.S. history, affecting consumers and airlines up and down the East Coast. Also, in 2021, China breached the networks of the Metropolitan Transit Authority to surveil the New York City subway system. One month later, Russian criminals were suspected of hacking into the servers of JBS USA, the world’s largest meat supplier.
Just recently in May 2024, Microsoft reported that Volt Typhoon, a Chinese state-sponsored espionage group, had engaged in malicious activities targeting credential access and network system discovery at critical infrastructure organizations. Microsoft reported that Volt Typhoon was likely seeking to disrupt critical communications infrastructure between the U.S. and Asia during times of future crises.
Applying the Financial Power of Infrastructure Investment Funds
Building and managing our shared infrastructure for operational technology (OT) has long been the responsibility of utilities, energy producers, manufacturers, and government agencies. But the private sector has become more active in recent years through infrastructure investment funds. These IIFs are largely private equity funds that only invest in infrastructure, similar to venture capital funds that only invest in technology.
For instance, the JP Morgan IIF is a $24 billion private investment vehicle that’s focused on investing in essential infrastructure assets. The JP Morgan IIF serves as the long-term owner of companies that provide essential services such as water, electric utilities, renewable energy, and transportation infrastructure.
At the same time, many municipal governments and regional authorities have set up their own IIFs to address local infrastructure concerns. For example, the City of Dallas operates an IIF as a new source of capital for areas that lack infrastructure, or those with outdated or inadequate infrastructure. Such major infrastructure costs have held back new economic activity in underserved areas, especially in southern Dallas. The Dallas IIF leverages the city’s Tax Increment Financing (TIF) program to generate greater equity, allowing the city to contribute earmarked funds from the TIF district into the IIF for infrastructure improvements.
Dallas has applied its IIF funds to cover the design and engineering costs for projects such as water and sewer connections for stormwater management; public parks and greenspaces; transit enhancements for electric vehicle infrastructure; and telecommunications infrastructure for internet connectivity and broadband access.
Cyber Risk Quantification Improves IIF Portfolio Resilience
Infrastructure investments can provide a long-term foundational allocation for CFOs who are seeking diversification, income, and consistent returns. A core infrastructure investment that’s based on essential assets with monopolistic positions, such as with regulated utilities, can provide a stable, long-term, diversifying allocation in a client’s portfolio.
To elevate portfolio-wide cyber resilience, infrastructure funds should conduct comprehensive cyber risk assessments across their portfolio companies. By understanding both individual risk and the aggregation of systemic risk within their portfolios, funds can optimize effective risk mitigation strategies, achieve target risk-adjusted returns, and comply with their investors’ mandates.
Prioritization and standardization of cyber risk mitigation practices ensure consistency and enhance the overall resilience of the portfolio companies – and broader society – to cyberattacks. Neglecting CRQM can have far-reaching consequences, with impacts on individual investments and broader societal and economic effects due to the size of some funds.
Similarly, incorporating cyber risk assessment into the due diligence process for new investments is central for CFOs to achieve the target risk-adjusted returns. Understanding cyber risk factors alongside traditional financial metrics can give CFOs a more robust assessment of the investment’s viability and long-term sustainability.
In this increasingly digitized world, CRQM is essential for safeguarding infrastructure investments against cyberattacks, and infrastructure funds have a responsibility to acknowledge and manage these risks effectively. By integrating CRQM best practices across their portfolio companies and leveraging analytics to access more suitable cyber insurance solutions, these funds can enhance their value proposition for CFOs and investors by contributing to a more resilient infrastructure ecosystem.