
Does investment in critical infrastructure appropriately price risk in the current environment?

Security and resilience considerations for critical infrastructure

If you’re involved in critical infrastructure, you’ve no doubt noted that the current environment has surfaced a range of complex new challenges that Boards and ELTs are now required to anticipate and appropriately guide their organisations through. We are seeing increasing expectations from stakeholders regarding the availability of essential services, the foreseeability of hazards and having appropriate mitigation strategies and plans in place. Failure to meet these expectations is now resulting in associated governance, reputational (personal and enterprise) and consequential liability risks.

International best practice is to apply an ‘all hazards’ lens to critical infrastructure security and resilience, with our close neighbour Australia being the first jurisdiction to codify this approach. The Australian Federal Government’s recent amendments to the Security of Critical Infrastructure Act 2018 have introduced a collection of risk management processes that relevant asset owners must now put in place.

The Australian Government’s intention is clear - critical infrastructure organisations must comply with a range of due diligence, risk mitigation and governance responsibilities that will directly impact their operations and expenditure.

In New Zealand, enhancing our approach to critical infrastructure security and resilience is a key feature of the recommendations within Te Waihanga, the New Zealand Infrastructure Commission’s 30-year Infrastructure Strategy, fully endorsed by Government. As such, those parties involved with critical infrastructure ownership and/or operations should be preparing for current enterprise-level risk management practices to evolve to incorporate an asset-level all-hazards lens to achieving enhanced resilience.

These developments raise some interesting questions from an asset and business finance perspective:

  • How ready is the market to deal with these emerging developments and an increasingly complex and volatile environment driving change?
  • Do investors understand the implications and are they appropriately weighing and pricing risk?

Best practice requires hazards to be identified and assessed, and for material hazards to be managed appropriately. Directors will need to ensure security and resilience practices are appropriately prioritised and resourced, with expectations around due care and diligence shifting toward a more proactive and converged approach to risk. The challenge, from a financial perspective, is validating whether those efforts identify and reasonably contain anticipated compliance and operational downsides.

Given international developments, investors and financiers are well advised to start assessing the all-hazards risk management strategies across their critical infrastructure investments and developing a portfolio approach in safeguarding those. 

Hazards are becoming more complex with greater financial implications

It’s only a matter of time before emerging obligations and the threat environment impact how risk is factored into the cost of capital. Organisations not properly identifying and mitigating hazards may expose their stakeholders to the drawbacks of vulnerabilities materialising, including the increased likelihood of litigation involving larger pools of affected parties. Illustrative of this, in Australia, the Optus cyber attack that resulted in the disclosure of customer personal information attracted federal government condemnation and public statements as to consequential liability. Class action lawsuits have subsequently emerged. Further afield, in the United States, President Biden was forced to declare a state of emergency when Colonial Pipeline suffered one of the most disruptive ransomware attacks in US history. Incapacitation of computerised equipment prevented millions of barrels of petrol, diesel and jet fuel from being delivered. On top of its direct losses, Colonial are defending at least two punitive class actions where the plaintiffs argue that the company failed to implement and maintain reasonable security measures, procedures and practices appropriate to the nature and scope of the defendants’ business operations.

Beyond compliance, embedding resilience into operations

While these examples are in different jurisdictions and cyber focused, they serve to highlight an evolution in incident litigation with interesting implications for corporates. The idea of approaching risk as just a compliance exercise may not sufficiently protect an organisation, or its Board, from legal exposure if the identification of hazards and controls is not reasonable under legislation or at common law. How an organisation manages risk has always had the potential to impact investors and their anticipated rates of return, but it’s the evolution of hazards across cyber, supply chain, physical/natural and human vectors, with greater potential to harm, that represents a worrisome development.

Direct and consequential losses from business disruptions and the prospect of asset impairment should be of concern to stakeholders in critical infrastructure – particularly for those with current investments and future projects that involve businesses where the risk profiles are unknown from an all-hazards perspective. While unchecked vulnerabilities can affect operational risk, there are also the concomitant financial risks to consider. The challenge is how markets should factor in the possible impacts from a broader range of more complex hazards, including targeted and persistent threats, combined with the additional resources required for regulatory compliance. This is especially so in highly geared organisations where returns can be materially affected by unplanned downtime, particularly in sectors where margins are constrained by aggressive asset performance and management arrangements or regulation.       

While the objective of a critical asset all-hazards approach is to lift security and resilience around the provision of essential services, it also provides the data and opportunity for owners and financiers to conduct more granular due diligence, identifying and pricing emerging risks by evaluating the “reasonableness” of an organisation’s risk management practices - noting its principles-based, holistic approach goes beyond cybersecurity. We may be reaching a new horizon where converged risk management, including business continuity and recovery, becomes a fundamental and ongoing part of asset financing with risk-return profiles adjusted to better account for a business’s capacity to deal with extended or permanent interruptions and regulatory compliance that both have significant cost implications.

Having a clear picture of an organisation’s true, all-hazards exposure allows appropriate methodologies for managing default risk to be implemented and controls to be tracked over time. Flight to safer investments may start to impact asset allocation and expectations around capital cost recovery. That could see the implied internal rate of return, comprising the risk-free rate plus the required return for technology and project specific risks, evolve to include a premium commensurate with an organisation’s capacity and maturity in managing the hazards outlined in its risk management program.

Directors would appreciate that a thorough risk management program not only better protects a business, it may also establish a competitive advantage compared to alternate investments taking a more ad hoc approach. The relevance of this could become more prominent as access to finance tightens or drives flight to safer investments on the back of increasing geopolitical uncertainty and falling demand. The prospect of that might not be so far away with persistent inflationary pressure; global energy pressures from problematic conflicts; and supply chain disruptions.

The escalating downsides from cyber-physical assets

While the prospect of significant direct and consequential losses from a disruption are daunting enough, the possibility of permanent asset impairment complicates operational and financial considerations enormously. Impairment in this context is not just about losing assets through environmental, subversive or accidental actions, it also potentially includes being compelled to remove equipment on the grounds of national security. While that seems like a drastic and overly alarmist scenario, it’s one that Australia and a number of other jurisdictions have already experienced.  

The rapidly changing geopolitical landscape has increased vendor risk, especially in relation to nation states acting through global supply chains and dispersed technology stacks. Illustrative of this, Australia and the USA chose to ban Huawei and ZTE from 5G cellular networks due to national security concerns.

The implications of foreign interference are profound. While stakeholders might have a comprehensive risk framework, an asset functioning as intended could nevertheless conflict with sovereign interests, requiring it to be islanded or completely uninstalled with major unplanned costs. A converged approach to security is intended to help organisations uncover and counteract these more complex, multi-faceted hazards. Organisations face the difficult prospect of having to weigh up the likelihood of foreign interference against the availability and cost of substitutes. They also have to consider the chances and consequences of a vendor becoming a security risk over time as ownership or political circumstances change.

Building a defensible position - time for more granular, all-hazards due diligence and compliance

Hazards facing critical infrastructure go beyond cyber. Supply chain resilience has been tested by disruptions to world trade during the pandemic through factors such as workforce availability, intensifying trade disputes, aggressive competition in emerging technologies, energy shortages and fractured geopolitics. There is also an expectation that natural disasters will intensify with further climate change.

Global initiatives to uplift security and resilience are in response to a rapidly expanding collection of nuanced hazards materialising. Those that pose a risk to critical infrastructure also pose a risk to the owners and financiers of critical infrastructure. It’s time to stop and consider if organisations are doing enough to manage risk and protect their businesses. Do investors and financiers understand the threat landscape and have they appropriately weighed and priced risk? Are the costs in complying with uplift in security and resilience fully appreciated?

Getting granular and evaluating assets through a converged security and resilience lens is an essential step in limiting exposure to the significant downsides from hazards occurring all too frequently. As part of a global community with associated expectations, the smart money suggests activating that capability and gaining those insights sooner rather than later.
