Utility stocks and bonds, long a safe haven for income investors, are increasingly risky investments because of cyberwarfare threats, according to Moody's Investors Services.
The December attack on the electric department in Burlington, Vt., on Dec. 27 raised questions about the vulnerability of the nation's electrical grid to
cyberattack. As it happened, the hacked computer wasn't attached to the electrical grid. But, write analysts Lesley Ritter and Dan Aschenbach, the attack “is an example of the
utility sector's vulnerability and its attractiveness to those seeking to disrupt the national electrical grid.”
For investors, that means that credit risk wouldn't be limited to just the victim of a successful cyberattack: The whole industry's credit could be called into question. “We view cyber attacks as a form of event risk. As the number and sophistication of attacks grow, the probability of a successful cyber attack that would cause a material disruption to a utility is growing and the financial and reputational implications could be significant,” the authors write.
In one way, the effects of a cyberattack are somewhat like that of a hurricane, Ms. Riiter said. “It's event risk: Low probability, high impact.” One comparison would be the effect of Hurricane Sandy on New York, New Jersey and Connecticut utilities in 2012. The Dow Jones Utility Average fell 5% from Sept. 30 through Dec. 1, 2012. For Consolidated Edison (ED), the damage from Sandy was about $575 million, or just 3% of the company's rate base, Ms. Ritter said. From a financial point of view, the damage was minor.
But then there's hurricane Katrina's effect on Entergy New Orleans. The damage of $630 million from Katrina dwarfed the company's $400 million rate base, and it declared bankruptcy. Thanks to assistance from the government and other sources, however, the company's creditors were made whole.
Cyber security experts have become increasingly uneasy about the vulnerability of the electric power grid. In December 2015, hackers unplugged 225,000 people from the
Ukranian electric grid , the first confirmed takedown of an electrical grid. It took months for the utility to recover.
The North American Electric Reliability Corp. set new standards for cybersecurity that went into effect in July 2015. Those standards are nice to have, but whether or not they can keep up with the fast-moving developments in cybersecurity is problematic, Ms. Ritter said. “It's nice to have, but it's not a failsafe.”
The threat of cyber warfare is becoming an increasing concern for credit analysts across all sectors, not just utilities. "Cyber risk means different things for different sectors," said Jim Hempstead, Moody's associate managing director. "While we do not explicitly incorporate cyber risk as a principal credit factor today, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event could be the trigger for one of those stress scenarios."
Investment advisers should realize that the risk and fallout from cybersecurity in utilities is real and rising, Ms. Ritter said. And revelation of cyberattacks is voluntary. One way to ensure safety would be a large rate base and sound balance sheet, she noted. Another: Companies with a diverse geographic base. At least in theory, an attack on a company's grid in one portion of the country might not mean that it's operations in other parts of the grid would be affected.