Does critical infrastructure finance appropriately price risk in a connected world?

If you’re involved in critical infrastructure, you’ve no doubt been following the Federal Government’s Security Legislation Amendment (Critical Infrastructure) Bill 2020 (the Bill) on its journey to becoming law. Things haven’t necessarily been smooth sailing, with concerns aired by the business community and a number of challenges identified by both the Senate Standing Committee for the Scrutiny of Bills and the Parliamentary Joint Committee on Intelligence and Security. It appears we may have rounded a corner though, with the introduction of a new amendment splitting the Bill in two. This revised approach will see notification obligations and coercive powers prioritised in a first Bill, with the rest to follow in a second after further consultation and refinement. While there are still a lot of questions and teething issues to resolve, the government’s commitment is clear - critical infrastructure organisations will shortly find themselves facing a range of significant due diligence, risk mitigation and governance obligations.

A combination of new legislation and preparedness raises some interesting considerations from an asset and business finance perspective. How ready are stakeholders to deal with the government’s intervention and the threat environment that prompted it? Obligations under the Bill make the identification and mitigation of hazards mandatory, creating expectations directors will exercise due care and diligence in complying. Boards will be accountable for adopting, reviewing and reporting on their risk management programs, ensuring sufficient resources are allocated toward uplifting security and resilience as intrinsic, core business practices. Given the considerable urgency and focus, it might be time for financiers to also start thinking about how they should evaluate an organisation’s converged, all-hazards approach in better informing investment decisions.

It’s only a matter of time before the obligations and hazards facing critical infrastructure organisations impact how risk is factored into the cost of capital. Businesses not acting proactively in identifying and mitigating hazards may expose their investors and owners to the financial downsides of a hazard materialising, including an increased likelihood of litigation that could, given the context of critical infrastructure, involve a very large pool of affected parties.

Other markets are already seeing this play out. Earlier this year, President Biden was forced to declare a state of emergency when Colonial Pipeline suffered one of the most disruptive ransomware attacks in US history. Incapacitation of computerised equipment prevented millions of barrels of petrol, diesel and jet fuel from being delivered. It was reported that a US$5 million ransom was paid.

On top of its direct losses, Colonial are now defending at least two punitive class actions. In the first, the plaintiffs argue the company "failed to implement and maintain reasonable security measures, procedures and practices appropriate to the nature and scope of the Defendants’ business operations." In the second, the plaintiffs similarly argue that Colonial "failed to implement and maintain reasonable security procedures and practices appropriate to operating the Pipeline".

While the US is a different jurisdiction, it highlights an evolution in incident litigation with interesting implications for corporate Australia, especially where a duty of care is owed to consumers. The idea of approaching risk as just a compliance exercise may not sufficiently protect an organisation, or its Board, from legal exposure if identification of hazards and implementation of controls is not reasonable under the legislation or at common law. How an organisation manages risk has always had the potential to impact financiers and their anticipated rates of return, but it’s the evolution of hazards and threat vectors with greater potential to harm that represents a worrisome development.

Direct and consequential losses from business disruptions and the prospect of asset impairment are all particularly concerning to stakeholders with current capital investments and future projects that involve technologies where the risk profiles are unknown from an all-hazards perspective. While unchecked vulnerabilities affect operational risk, there are also the concomitant financial risks to take into consideration. The challenge is how markets will factor in possible impacts from a hazard materialising, especially within highly geared organisations where returns can be affected by targeted and persistent threats.

While the objective of the new Bill is to lift security and resilience, it also arguably provides the data and opportunity for financiers to conduct more granular due diligence in pricing the escalating risk facing investors by evaluating the “reasonableness” of an organisation in its risk management practices. In many ways, the legislation provides a turnkey and levelised framework for that assessment, given its principles-based, holistic approach goes beyond cybersecurity. We may be approaching a new horizon where converged risk management, including business continuity and recovery, becomes a fundamental and ongoing part of asset financing, with risk-return profiles adjusted to better account for the potential of extended or permanent interruptions.

Having a clear picture of an organisation’s true, all-hazards exposure allows appropriate methodologies for managing default risk to be better implemented and controls to be tracked over time. Flight to safer investments may start to impact asset allocation and expectations around capital cost recovery. That would see the implied internal rate of return, comprising the risk-free rate plus the required return for technology and project specific risks, evolve to include a premium commensurate with an organisation’s capacity and maturity in managing the hazards outlined in its risk management program.

Organisations would appreciate that a thorough risk management program not only better protects their businesses, it may also establish a competitive advantage compared to alternative investments taking a more ad hoc approach to risk. The relevance of this could become more prominent if the world experiences a liquidity shock comparable to the 2008 financial crisis on the back of the pandemic. The prospect of that might be closer than expected, with stagflation indicators on the rise and the possible contagion from Evergrande casting a large shadow over the Chinese economy.

While the prospect of significant direct and consequential losses from a disruption is daunting enough, the possibility of permanent asset impairment complicates operational and financial considerations enormously. Impairment in this context is not just about losing assets through subversive actions; it also includes being compelled to remove equipment on the grounds of national security. While that seems like a drastic and overly alarmist scenario, it’s one that Australia and a number of other jurisdictions have already played out.

The rapidly changing geopolitical landscape has increased vendor risk especially in relation to nation states acting through increasingly global supply chains and dispersed technology stacks. This became starkly apparent when Australia and the USA chose to ban Huawei and ZTE from 5G cellular networks due to national security concerns. While the impact here has been relatively manageable, the Federal Communications Commission’s September 2020 estimates put US remediation costs at US$1.9 billion for small to medium network operators alone. The fact that the USA continues to add to its Entity List suggests a belief that the risk of foreign interference may be widespread, systemic and growing.

The Australian federal government relied on national security provisions within the telecommunications legislation to implement its 5G ban. The big question is whether the coercive powers in the new security Bill are broad enough to extend that type of power to all critical infrastructure. Could it be a beachhead for something that evolves into an equivalent of the United States Department of Commerce's Bureau of Industry and Security Entity List?

The implications of foreign interference on critical infrastructure are profound. While stakeholders might have a comprehensive risk framework, the posture of an asset functioning as intended could nevertheless conflict with sovereign interests, requiring it to be islanded or completely uninstalled with major unplanned costs. The Bill’s converged security approach is intended to help stakeholders uncover and counteract these more complex, multi-faceted hazards. That was no doubt a factor that helped shape the all-hazards framework. While the legislation aims to uplift resilience by compelling stakeholders to develop more comprehensive risk management programs, it’s the untested power of the Commonwealth to directly intervene and compel a relevant entity to do, or refrain from doing, an act or thing during a "serious cyber security incident" that complicates matters.

It’s clear the coercive powers could fundamentally impact ownership and the right to operate a critical infrastructure asset. Powers that help shore up relevant parties during an incident bring a lot of potential value, but they’re also somewhat opaque, making it difficult to determine their true breadth. Concerns exist around architectures and technologies that may already be in use, with hazards only now materialising based on current and rapidly evolving geopolitical circumstances. The Bill requires these to be identified in supply chains and technology stacks, but what if the risks found can only be remediated by removing particular assets entirely? The cost implications for stakeholders could be both significant and unavoidable if seriously prejudicing: the social or economic stability of Australia or its people; our defence; or national security. Those thresholds seem rather subjective and dangerously open to interpretation.

The ability for a nation state to access, influence or control assets presents a tremendous conundrum. Unlike other hazards, a significant risk can exist with a foreign vendor simply by virtue of its geography, supply chain and technologies. An attack vector could be exploited using existing data capabilities without having to necessarily sabotage a system. One of the most controversial aspects is that while a hazard can exist in theory, and could potentially be reduced to practice, there isn't necessarily any evidence it has, or will.

There’s no question a foreign power being able to reach out and disrupt critical infrastructure is unacceptable. Under the Bill, preliminary sector-specific rules require stakeholders to minimise and mitigate that potential by evaluating operational information pathways and high-risk vendors in accordance with the ACSC Supply Chain Risk Management Practitioners Guide (2019). That guide defines foreign interference as the exercise of: extrajudicial control over a vendor; extrajudicial influence over a vendor; or interference by a Foreign Intelligence Service in a supply chain.

Organisations face the difficult prospect of having to weigh up the likelihood of foreign interference against the availability and cost of substitutes. They also have to consider the chances and consequences of a vendor becoming a security risk over time as geopolitical circumstances change. That’s quite a bit more onerous than it initially appears. Going with a global brand doesn’t necessarily defray that risk. The success of a manufacturer, its systems and global workforce can create the scale and opportunity to conduct larger and more coordinated operations, increasing the likelihood that they may be leveraged by a nation state. Additional complexity comes from those jurisdictions that follow a doctrine of "shared responsibility", where a state and industrials may be far more intertwined than in Australia, with its expectation of separation. Tight relationships between a state and a nation’s companies mean there may be very few, if any, counterbalances to actioning directions, even where those are extrajudicial and extend beyond the formal framework of laws.

Hazards facing critical infrastructure go beyond cyber. Supply chain resilience has been tested by disruptions to world trade during the pandemic through factors such as workforce availability, escalating trade disputes, aggressive competition in emerging technologies, energy shortages and fractured geopolitics. Fire, drought and flood continue to constantly challenge our nation. There’s an expectation natural disasters will intensify with further climate change. A rise in social engineering has also seen organisations around the globe struggle with evolving insider threats. Employees, contractors, vendors and third parties have acted in pursuit of personal advancement, and more recently vigilantism, using their knowledge and access to cause significant damage to brand, reputation, proprietary information, material, facilities and people.

The federal initiative to uplift security and resilience is in response to a rapidly expanding collection of nuanced hazards materialising at home and around the world. Those that pose a risk to critical infrastructure also pose a risk to those financing critical infrastructure. It’s time to stop and consider why the government has intervened. Are organisations doing enough to manage risk and protect their businesses? Do investors understand the threat landscape and have they appropriately weighed and priced those risks? Getting granular and evaluating critical infrastructure through a converged security and resilience lens is a sensible step in limiting exposure to the significant downsides from hazards occurring all too frequently. The smart money suggests activating that capability sooner rather than later.