Cybersecurity Pressures Mount for Global Utilities

Morningstar Sustainalytics’ recent analysis underscores a growing tension in the utilities sector: the rapid pace of digital transformation is outstripping many companies’ ability to manage the resulting cybersecurity and data privacy risks. In 2022, 38% of utilities in the firm’s coverage universe were found to have weak cybersecurity management programs, with only 19% rated as adequate. By 2023, the proportion of weak performers dropped to 27%, while those with adequate management rose to 30%. Despite this improvement, significant gaps remain.


Regional differences are pronounced. Europe leads with 26% of utilities demonstrating very strong cybersecurity management, while North America’s utilities tend toward adequacy, with 46% in that category. Outside these regions, 27% of utilities operate without any formal cybersecurity program, exposing critical infrastructure to heightened risk.

The International Energy Agency reported that utilities faced an average of over 1,100 cyberattacks per week in 2022, a sharp rise from 750 in 2021 and 500 in 2020. These attacks increasingly target operational technology (the systems controlling switchgear, valves, and process controllers) as well as the information technology used for billing, analytics, and customer service. The convergence of OT and IT creates complex interdependencies: a single intrusion that begins on the corporate network can reach the control network, so one breach can simultaneously disrupt physical operations and compromise sensitive customer data.

The sector’s digital transformation brings tangible benefits: improved service reliability, integration of distributed renewable energy, and enhanced resource management through technologies like leak detection sensors and remote monitoring. Yet these same advancements expand the attack surface. Utilities now manage vast amounts of customer data, making them vulnerable not only to operational disruption but also to privacy violations.

Several high-profile incidents illustrate the stakes. In February 2024, Enel was fined EUR 85 million by authorities in Spain and Italy for multiple violations of the EU’s General Data Protection Regulation. Luma Energy in Puerto Rico suffered a 2021 cyberattack that blocked customer portal access during outages. Empresas Públicas de Medellín in Colombia faced operational and billing disruptions in 2022 due to a breach. Hydro-Quebec’s outage verification app and website went offline in 2023 following an attack.

Financial impacts are substantial. In 2023, the average cost of a data breach in the energy sector was estimated at USD 4.78 million, while destructive cyberattacks averaged USD 5.24 million. These figures have trended upward for years. The 2021 ransomware attack on Colonial Pipeline demonstrated how prolonged service disruptions can escalate losses far beyond sector averages, with additional penalties possible for failing to restore service promptly.

Sustainalytics has responded by elevating data privacy and cybersecurity to a standalone material ESG issue, increasing its weighting to reflect rising importance. New management indicators now assess critical infrastructure protection, formal data privacy policies, and dedicated cybersecurity programs. This shift aims to give investors a clearer view of a utility’s preparedness to counter cyber threats.

Regulatory frameworks are tightening. In the United States, the Securities and Exchange Commission requires public companies to disclose material cybersecurity incidents (on Form 8-K, within four business days of determining that an incident is material) and to describe their cyber risk management and governance in annual reports. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 mandates prompt reporting of substantial cyber incidents to CISA (72 hours for covered incidents and 24 hours for ransom payments, once CISA's implementing rule is in force). In the European Union, GDPR compliance is essential to avoid substantial fines, while the NIS2 Directive imposes cybersecurity and incident-reporting obligations on essential and important entities, including energy and water utilities, with penalties for essential entities reaching EUR 10 million or 2% of global annual turnover, whichever is higher.

These regulatory pressures, coupled with investor scrutiny, are pushing utilities toward greater transparency and stronger defenses. For engineers and technologists, the sector’s challenges mirror those in other critical infrastructure domains: balancing innovation with resilience, integrating complex systems without creating exploitable vulnerabilities, and embedding security into every layer of operation. The interplay of OT and IT, once a technical integration problem, is now a frontline in the battle to protect essential services from increasingly sophisticated cyber threats.

Discover more from Aerospace and Mechanical Insider