Category: insight
4 Min read | October 14, 2025

The growing risk of cybersecurity for critical infrastructure

  • Responsible Investing
The growing risk of cybersecurity for critical infrastructure

Summary:

Cyberattacks have surged over the past decade, impacting critical infrastructure and essential services. We explore the heightened risks associated with these attacks and the implications for investors.

An unprecedented risk environment

Critical infrastructure refers to the essential systems and assets that support the functioning of society and the economy. This includes sectors like energy, water, transportation, healthcare, telecommunications—and increasingly, financial services. These infrastructures are considered "critical" because their disruption can have widespread consequences for public safety, economic stability, and national security.

 

Cyberattacks targeting critical infrastructure have surged and significantly evolved over the past decade. From utilities to government, cyberattacks are becoming more frequent, complex, and costly. For investors thinking long-term, understanding these risks is essential to assessing the resilience of these industries.

 

Although such risks have long existed, the current environment poses unique challenges. The modernization of infrastructure driven by technology intersects with advancements in AI, emerging technologies, and heightened geopolitical tensions.

 

While the connectivity of critical infrastructure systems has unlocked immense efficiencies, such as better data collection and use, real-time monitoring and response, and automation and remote operations, it has also introduced significant vulnerabilities. A single breach can cascade across organizations, disrupting supply chains, essential services and causing substantial financial losses. We are now in an era of increasingly automated and complex attacks, forcing infrastructure operators to quickly adapt.

 

Geopolitical factors further intensify this issue. Critical infrastructure has become a leverage point in global conflicts, as demonstrated by the Russia-Ukraine war, where cyberattacks on power grids, telecommunications, and other networks were used to cripple operational capacities. For regions reliant on integrated systems—such as energy grids, water utilities, telecommunications, and healthcare—the risks are particularly severe. A single breach can trigger widespread outages, economic disruption, and even threaten lives.

 

Case studies

One striking example of such an attack occurred last year at American Water Works, a major U.S. utility providing drinking water and wastewater services to more than 14 million people. A breach caused significant operational downtime and the shutdown of customer online portals and billing systems. The day the company announced the breach, its shares fell almost 4%.1 The implications of disrupted essential services underscore the societal risks tied to cybersecurity failures especially considering the different communities and businesses served. Critical customers such as hospitals and emergency services are especially impacted, as they depend on access to water and wastewater services. Beyond critical services, breaches like this can also have broader financial market implications, with various sectors reliant on the provision of water for their sanitation and cooling processes.

 

Another example was the cyberattack on Emera and its subsidiary Nova Scotia Power that was discovered in April 2025. Emera is a major Canadian energy services provider, which owns and operates regulated electric and natural gas utilities serving over 2.6 million customers in Canada, the U.S., and the Caribbean. The cyberattack impacted parts of Emera’s Canadian IT systems and business application servers.2 Although the attack is not expected to materially impact the company's financial performance, investigations revealed that the attackers accessed and stole personal data belonging to both current and former customers.3 To mitigate potential misuse of stolen personal information, Nova Scotia Power arranged, with the consumer reporting agency TransUnion, to provide affected individuals with a company-funded, five-year subscription to a comprehensive credit monitoring service.

 

Halliburton, one of the world's leading providers of products and services to the energy industry, reported $35 million in expenses stemming from a cybersecurity breach last year.5 While the company deemed the cost “not material” in relation to its free cash flow, the attack still represented a cautionary tale for investors on cyber risk.

 

In the National Cyber Threat Assessment 2025-2026, the Canadian Centre for Cyber Security highlights that attempts to disrupt critical services like utilities and energy systems are intensifying, with attackers aiming to exploit interdependencies for maximum disruption.4

 

Financial and governance implications

The financial impact of cyberattacks is significant and growing.

 

A 2024 study by Centre for Economic Policy Research found that firms with high cybersecurity exposure underperformed peers with lower exposure by 0.42% per month in excess returns.6 This underperformance compounds to approximately 5% annually relative to more secure companies, representing a significant drag on shareholder value.

 

Beyond direct financial losses, breaches can also inflate costs indirectly through emergency cybersecurity support costs, higher insurance premiums, and more. This gap in coverage leaves entities exposed to potentially growing liabilities.

 

Insurers and governments are increasingly stepping into the conversation. Initiatives from the Canadian government, for example, now mandate enhanced reporting requirements for companies affected by cyberattacks, a move aimed at building transparency and accountability.7

 

How is NEI thinking about this risk?

NEI believes a proactive approach is critical in mitigating cyber risk, as it can significantly affect business performance and society as a whole. However, as attacks grow in sophistication, boards and risk committees often find themselves playing catch-up—this needs to change. Our team is dedicating time to researching this topic in order to manage our investment exposure.

 

 

1 FactSet, October 4–7, 2024

2 Emera Incorporated - Emera and Nova Scotia Power Responding to Cybersecurity Incident

3 Cyber | Nova Scotia Power

4 National cyber threat assessment 2025–2026

5 HAL 3Q24 Earnings Release

6 Cybersecurity vulnerabilities and their financial impact | CEPR

7 Bill C-26: New Cybersecurity Requirements in Critical Infrastructure | Knowledge | Fasken

We also recommend reading:

4 Min read | Oct 14, 2025

The growing risk of cybersecurity for critical infrastructure
  • Responsible Investing
Read more

4 Min read | Aug 25, 2025

Corporate engagement progress report: AbbVie
  • Commentary
Read more

2 Min read | Oct 05, 2025

Market Monitor September 2025
  • Commentary
  • Market Monitor
Read more

Commissions, trailing commissions, management fees and expenses all may be associated with mutual fund investments. Please read the prospectus and/or Fund Facts before investing. Mutual funds are not guaranteed, their values change frequently and past performance may not be repeated.

 

NEI’s exposure to the securities mentioned in this article may be long or short, or both. Long positions aim to profit from an increase in the price of a security, and short positions aim to profit from a decrease in the price of a security.

 

This material is for informational and educational purposes, and it is not intended to provide specific advice including, without limitation, investment, financial, tax or similar matters. The views expressed herein are subject to change without notice as markets change over time. Information herein is believed to be reliable, but NEI does not warrant its completeness or accuracy. Views expressed regarding a particular security, industry or market sector should not be considered an indication of trading intent of any funds managed by NEI Investments. Forward-looking statements are not guaranteed of future performance and risks and uncertainties often cause actual results to differ materially from forward-looking information or expectations. Do not place undue reliance on forward-looking information.

 

Individual circumstances and current events are critical to sound investment planning; therefore, anyone wishing to act on this material should consult with their qualified advisor to obtain professional advice relevant to their specific situation.

 

NEI Investments is a registered trademark of Northwest & Ethical Investments L.P. (“NEI LP”). Northwest & Ethical Investments Inc. is the general partner of NEI LP and a wholly-owned subsidiary of Aviso Wealth Inc. (“Aviso”). Aviso is the sole limited partner of the NEI LP. Aviso is a wholly-owned subsidiary of Aviso Wealth LP, which in turn is owned 50% by Desjardins Financial Holding Inc. and 50% by a limited partnership owned by the five Provincial Credit Union Centrals and The CUMIS Group Limited.