Cyberattacks have surged over the past decade, impacting critical infrastructure and essential services. We explore the heightened risks associated with these attacks and the implications for investors.
Summary:
An unprecedented risk environment
Critical infrastructure refers to the essential systems and assets that support the functioning of society and the economy. This includes sectors like energy, water, transportation, healthcare, telecommunications—and increasingly, financial services. These infrastructures are considered "critical" because their disruption can have widespread consequences for public safety, economic stability, and national security.
Cyberattacks targeting critical infrastructure have surged and significantly evolved over the past decade. From utilities to government, cyberattacks are becoming more frequent, complex, and costly. For investors thinking long-term, understanding these risks is essential to assessing the resilience of these industries.
Although such risks have long existed, the current environment poses unique challenges. The modernization of infrastructure driven by technology intersects with advancements in AI, emerging technologies, and heightened geopolitical tensions.
While the connectivity of critical infrastructure systems has unlocked immense efficiencies, such as better data collection and use, real-time monitoring and response, and automation and remote operations, it has also introduced significant vulnerabilities. A single breach can cascade across organizations, disrupting supply chains, essential services and causing substantial financial losses. We are now in an era of increasingly automated and complex attacks, forcing infrastructure operators to quickly adapt.
Geopolitical factors further intensify this issue. Critical infrastructure has become a leverage point in global conflicts, as demonstrated by the Russia-Ukraine war, where cyberattacks on power grids, telecommunications, and other networks were used to cripple operational capacities. For regions reliant on integrated systems—such as energy grids, water utilities, telecommunications, and healthcare—the risks are particularly severe. A single breach can trigger widespread outages, economic disruption, and even threaten lives.
Case studies
One striking example of such an attack occurred last year at American Water Works, a major U.S. utility providing drinking water and wastewater services to more than 14 million people. A breach caused significant operational downtime and the shutdown of customer online portals and billing systems. The day the company announced the breach, its shares fell almost 4%.1 The implications of disrupted essential services underscore the societal risks tied to cybersecurity failures especially considering the different communities and businesses served. Critical customers such as hospitals and emergency services are especially impacted, as they depend on access to water and wastewater services. Beyond critical services, breaches like this can also have broader financial market implications, with various sectors reliant on the provision of water for their sanitation and cooling processes.
Another example was the cyberattack on Emera and its subsidiary Nova Scotia Power that was discovered in April 2025. Emera is a major Canadian energy services provider, which owns and operates regulated electric and natural gas utilities serving over 2.6 million customers in Canada, the U.S., and the Caribbean. The cyberattack impacted parts of Emera’s Canadian IT systems and business application servers.2 Although the attack is not expected to materially impact the company's financial performance, investigations revealed that the attackers accessed and stole personal data belonging to both current and former customers.3 To mitigate potential misuse of stolen personal information, Nova Scotia Power arranged, with the consumer reporting agency TransUnion, to provide affected individuals with a company-funded, five-year subscription to a comprehensive credit monitoring service.
Halliburton, one of the world's leading providers of products and services to the energy industry, reported $35 million in expenses stemming from a cybersecurity breach last year.5 While the company deemed the cost “not material” in relation to its free cash flow, the attack still represented a cautionary tale for investors on cyber risk.
In the National Cyber Threat Assessment 2025-2026, the Canadian Centre for Cyber Security highlights that attempts to disrupt critical services like utilities and energy systems are intensifying, with attackers aiming to exploit interdependencies for maximum disruption.4
Financial and governance implications
The financial impact of cyberattacks is significant and growing.
A 2024 study by Centre for Economic Policy Research found that firms with high cybersecurity exposure underperformed peers with lower exposure by 0.42% per month in excess returns.6 This underperformance compounds to approximately 5% annually relative to more secure companies, representing a significant drag on shareholder value.
Beyond direct financial losses, breaches can also inflate costs indirectly through emergency cybersecurity support costs, higher insurance premiums, and more. This gap in coverage leaves entities exposed to potentially growing liabilities.
Insurers and governments are increasingly stepping into the conversation. Initiatives from the Canadian government, for example, now mandate enhanced reporting requirements for companies affected by cyberattacks, a move aimed at building transparency and accountability.7
How is NEI thinking about this risk?
NEI believes a proactive approach is critical in mitigating cyber risk, as it can significantly affect business performance and society as a whole. However, as attacks grow in sophistication, boards and risk committees often find themselves playing catch-up—this needs to change. Our team is dedicating time to researching this topic in order to manage our investment exposure.
1 FactSet, October 4–7, 2024
2 Emera Incorporated - Emera and Nova Scotia Power Responding to Cybersecurity Incident
4 National cyber threat assessment 2025–2026
6 Cybersecurity vulnerabilities and their financial impact | CEPR
7 Bill C-26: New Cybersecurity Requirements in Critical Infrastructure | Knowledge | Fasken