Infrastructure investment funds can help offset the risks for CFOs

Chief Financial Officers are facing increasing financial pressure due to IT security issues, such as the recent major collapse of online systems due to a CrowdStrike software update that shut down networks around the world. CFOs should know by now that the Internet infrastructure is built on a fragile foundation of interconnections and dependencies, meaning unexpected problems can quickly spiral out of control. Such cascading global failures will continue to cause widespread financial damage and business losses due to disgruntled travelers stranded at airports, e-commerce systems shut down, or online service providers unable to maintain connectivity.

These are all glaring problems for CFOs responsible for protecting their investments in the organization. Over the past decade, critical elements of America’s infrastructure—including internet, energy, transportation, finance, agriculture, healthcare, and utilities systems—have all suffered cyberattacks from both foreign adversaries and homegrown terrorists. The attacker groups range from criminal ransomware gangs to rival nation states seeking to disrupt vital US operations.

Such cyber threats pose tangible dangers to a wide range of physical infrastructure facilities. The multi-dimensional risks to critical infrastructure include operational, financial and human losses, as well as damage to brand reputation. To help offset these risks, more and more CFOs are tapping into the power of infrastructure investment funds (IIFs). Such funds could be used to finance cyber risk quantification and management (CRQM) solutions as part of an overarching national strategy to strengthen infrastructure security.

Cyber ​​attacks on critical infrastructure have increased by 70% in recent years, according to former NASA CISO Jeanette Hanna-Ruiz, who spoke at an event hosted by the Financial Times. The list of attacks in this country is long and terrifying. In 2017, Russian spies tried to hack the Wolf Creek nuclear power plant in Kansas. The Justice Department said the Russian hackers planted malware on more than 17,000 devices to carry out their joint attacks.

The infamous Colonial Pipeline ransomware attack in 2021 brought a major US gas pipeline to a standstill. At the time, that event was the largest publicly disclosed cyberattack against critical infrastructure in U.S. history, affecting consumers and airlines along the East Coast. Also, in 2021, China breached the Metropolitan Transit Authority’s networks to oversee New York City’s subway system. A month later, Russian criminals were suspected of hacking into the servers of JBS USA, the world’s largest meat supplier.

Most recently, in May 2024, Microsoft reported that Volt Typhoon, a Chinese state-sponsored espionage group, had engaged in malicious activity aimed at accessing credentials and discovering network systems at organizations with critical infrastructure. Microsoft reported that Volt Typhoon was likely attempting to disrupt critical communications infrastructure between the US and Asia in times of future crises.

Application of the financial power of infrastructure investment funds

Building and managing our shared operational technology (OT) infrastructure has long been the responsibility of utilities, energy producers, manufacturers, and government agencies. But the private sector has become more active in recent years through infrastructure investment funds. These IIFs are largely private equity funds that invest only in infrastructure, similar to venture capital funds that invest only in technology.

For example, the JP Morgan IIF is a $24 billion private investment vehicle focused on investing in critical infrastructure assets. The JP Morgan IIF acts as a long-term owner of companies that provide essential services such as water, electricity, renewable energy and transport infrastructure.

At the same time, many municipal and regional governments have set up their own IIFs to address local infrastructure problems. For example, the City of Dallas operates an IIF as a new source of capital for areas without infrastructure, or areas with outdated or inadequate infrastructure. Such high infrastructure costs have held back new economic activity in underserved areas, especially south Dallas. The Dallas IIF leverages the city’s Tax Increment Financing (TIF) program to generate additional equity, allowing the city to contribute earmarked funds from the TIF district to the IIF for infrastructure improvements.

Dallas has used its IIF funds to cover design and engineering costs for projects such as water and sewer connections for stormwater management; public parks and green spaces; transit improvements for electric vehicle infrastructure; and telecommunications infrastructure for internet connectivity and broadband access.

Quantifying cyber risks improves the resilience of the IIF portfolio

Infrastructure investments can provide a fundamental long-term allocation for CFOs seeking diversification, income and consistent returns. A core infrastructure investment based on key assets with monopolistic positions, such as regulated utilities, can provide a stable, diversified, long-term allocation in a client’s portfolio.

To increase cyber resilience across the portfolio, infrastructure funds should conduct comprehensive cyber risk assessments for their portfolio companies. By understanding both individual risk and aggregate systemic risk within their portfolios, funds can optimize effective risk mitigation strategies, achieve targeted risk-adjusted returns, and meet the mandates of their investors.

Prioritization and standardization of cyber risk mitigation practices ensure consistency and increase the overall resilience of portfolio companies – and broader society – against cyber attacks. Neglecting CRQM can have far-reaching consequences, impacting individual investments and wider social and economic consequences due to the size of some funds.

Likewise, incorporating cyber risk assessment into the due diligence process for new investments is critical for CFOs to achieve targeted risk-adjusted returns. Understanding cyber risk factors in addition to traditional financial metrics can give CFOs a more robust assessment of the viability and sustainability of the investment.

In this increasingly digitalized world, CRQM is essential for protecting infrastructure investments from cyber-attacks, and infrastructure funds have a responsibility to effectively identify and manage these risks. By integrating CRQM best practices into their portfolio companies and leveraging analytics to access more appropriate cyber insurance solutions, these funds can improve their value proposition for CFOs and investors by contributing to a more resilient infrastructure ecosystem.

Jose Seara

Jose M. Seara is the founder and CEO of DeNexus, a leader in cyber risk quantification and management for operational technology (OT) and industrial control systems (ICS). Jose was previously the president and CEO of NaturEner USA (now BHE Montana) and NaturEner Canada. Before his time at NaturEner, Seara was a founding member and member of the board of directors of DeWind Co. Jose was also a founding director of PROYDECO Ingenieria y Servicios SL, and a partner and director of Proyectos de Cogeneración SL. He holds an Executive Program degree from Singularity University in the field of Exponential Technologies, as well as a Masters of Science in Naval & Marine Engineering from the Universidad Politécnica de Madrid.