ESG in Action: Cyber Hacks, AI, and the Digital Divide


This amorphous term ESG encompasses a wide spectrum of information and considerations but is so often assumed to mean something it does not. To paint a better picture of what the term ESG actually means, each month we will be outlining examples of what ESG integration looks like in practice across a variety of sectors, through the lenses of risk, opportunity, and impact.

This month

  • Sector: Communication Services
  • Industry: Telecommunications (integrated and wireless)
  • ESG Issue: Privacy, Security and Access

Risk: The cost of privacy

This month, Meta received a record-breaking fine of $1.3 billion from the European Union (EU) for mishandling personal data in violation of EU privacy laws. Management of personal data is an important factor not only for the Interactive Media industry, but across the communication service sector broadly. For companies in the telecommunications industry, which own and operate the critical infrastructure across which wired and wireless communications travel, proper oversight of data and cyber security risk mitigation are just as critical to maintain investor confidence and maximize shareholder value. Like Meta, these companies collect, process, and store massive amounts of personally identifiable information and other forms of private data like call logs, text messages, and personal media. Poor oversight and management of this data could make a company susceptible to cyberattacks like malware and phishing attacks, exposing the company to legal and regulatory action like the $1.3 billion fine, lowering consumer trust, and raising reputational risk.

Did you know?

According to a Verizon report on data breaches, the number of ransomware attacks increased in 2021 by 13%, which equals the combined year-over-year increases over to the last five years.1 The average cost of a single data breach hit an all-time high in 2022 at $4.35 million. In the U.S., the average cost of a data breach was $9.44 million which was the highest of any country.

While strong data privacy policies and risk management programs work to mitigate these risks within a company, exposure to cyberattacks for telecommunications companies can occur throughout the data supply chain. AT&T and Verizon experienced cyber-attacks as recently as March of this year through attacks on their third-party vendors, highlighting the need for robust oversight of third-party supplier management systems.1

The telecommunications industry is also highly regulated in developed markets, including by the Federal Trade Commission (FTC) in the U.S. With heightened consumer concern and regulatory scrutiny around data privacy, California passed the California Consumer Privacy Act (CCPA) in 2018, providing new privacy rights to consumers in the state.2 As more consumer protection laws, like the CCPA, are adopted, companies that don’t increase their corporate security spending – on things like infrastructure protection and network security equipment – may face increases in fines for poor security practices and misconduct.

Opportunity: Eliminating human error

While companies with strong cybersecurity programs and transparent data handling practices may mitigate exposure to vulnerabilities in their infrastructures, cyber security breaches are driven largely by human error.3 Thus it is imperative that organizations educate their employees to improve human habits that will make them less vulnerable to attacks. Strong leadership and board expertise can greatly improve outcomes. There are also new threat detection solutions that use artificial intelligence and automation can help mitigate risks from human error. These technologies use machine learning to analyze network traffic across telecommunication infrastructure, identify irregularities, and detect potential security breaches in real-time. Companies that invest in deploying these technologies have been found to save $3.05 million, or 65%, on average on costs associated with data breaches.4 Having fully deployed security AI and automation technology also led to a shorter average time to identify and contain breaches of 74 days compared with companies without any such technology.

Did you know?

Estimates suggest that the market for AI-cybersecurity tools will grow from just $4 billion in 2017 to nearly $35 billion net worth by 2025..

Impact: Digital inclusion

According to the World Economic Forum, 2.7 billion people, or 34% of the global population, do not have access to internet services.5 Most of those without access live in poor economic conditions and remote areas, where improved access would inevitably result in economic development. As the world becomes increasingly connected, communities without access will continue to fall behind – an impact that has become particularly apparent since the COVID-19 pandemic.

While wired broadband technologies, like DSL and fiber-optic, provide the fastest, most reliable internet access, wireless technologies can increase access to remote areas where wired technology infrastructure is logistically or financially less feasible to build. For example, fixed wireless access (FWA) provides fixed broadband services to households using base stations and wireless technologies while satellite technologies use dish antennas to communicate with satellites in space to establish an internet connection.

Beyond longer-term economic development, SpaceX’s Starlink network of low earth orbit (LEO) satellites have had an immediate impact on geopolitical outcomes. In April 2022, Elon Musk’s company donated over 3,600 terminals to Ukraine allowing the country and their military to utilize the satellite network as a vital source of communication to aid in the war with Russia. While new technologies like the Starlink network are expensive (Musk has said his network could require up to $30 billion of investment), there are several revenue streams to consider when valuing a company that’s building these technologies, like contracts with governmental defense agencies. Amazon has also announced it will team up with Verizon and roll out their own LEO satellite network, Project Kuiper, with other Verizon services.

Telecommunications companies are uniquely positioned to provide access to digital networks and services to underserved populations to reduce the digital divide and help mitigate the effects of the pandemic on health, education, and economic development.

Questions an analyst might ask

  • Is there a governance structure in place for cybersecurity management, along with operational measures to monitor and respond to data breaches and cyberattacks?
  • Does the company have a risk management system certified to ISO 27001 standards?
  • Does the company have regular internal and external security audits of the company’s systems that affect user data? preparedness, and what are the protocols for communicating with external stakeholders?
  • Does the company have a strong data privacy and security policy, with firm commitments that apply to 100% of the operations? Are there clear terms involving the collection, use, sharing and retention of user data including data transferred to third parties?
  • How is the company using artificial intelligence to improve cyber security risk management?
  • What is the company doing to advance digital inclusion and reduce the digital divide?

The bottom line

Beyond regulatory actions and fines, telecommunications companies with weaker cybersecurity practices may face higher borrowing costs and increased financial risk. In 2018, Moody’s announced that it would evaluate companies’ cybersecurity practices when assigning credit ratings, noting that critical infrastructure sectors including telecommunications have the highest cyber risk exposures. In fact, Moody’s reduced Equifax’s credit rating in 2019 following Equifax’s 2017 data breach.6

Companies with strong cybersecurity programs in place – ones with a proactive strategy aligned with regulatory standards that increase their capital expenditures to expand their AI technology solutions – may experience benefits to their longer-term cash flows. Not only does regulatory compliance lower the probability of future disruptions and fines, but investments in emerging technologies may improve the ability to respond to new forms of cyber-attacks and be more prepared than industry peers who are slower to make those same investments today.

Learn more

To learn more about supporting your clients with sustainable investing solutions, reach out to our team at or visit


The information, analysis and opinions expressed herein are for informational purposes only and do not necessarily reflect the views of Envestnet. These views reflect the judgment of the author as of the date of writing and are subject to change at any time without notice. Nothing contained in this piece is intended to constitute legal, tax, accounting, securities, or investment advice, nor an opinion regarding the appropriateness of any investment, nor a solicitation of any type.

FOR INVESTMENT PROFESSIONAL USE ONLY ©2023 Envestnet. All rights reserved.