New environment: Cybersecurity and heightened regulatory scrutiny became two of the major concerns for energy and utilities companies in 2024, as noted in our Executive Perspectives on Top Risks Survey. This is a significant change in perspective from 2023.
Why it matters: Energy and utilities organizations have begun to accept broader changes happening in their industry — most notably, the shift to renewables — and are prioritizing more immediate threats.
Bottom line: The outcome of the presidential election this year could bring substantial changes to programs incentivizing the energy transition. Consequently, organizations would be wise to remain nimble and thoughtful when making major investment decisions.
___ ____ ___
Ten years ago, the National Security Agency warned Congress that a handful of countries either had or could develop the capability to hack the U.S. power grid, which at the time was undergoing rapid digitization. News of such attacks and threats from big and small actors alike on infrastructure worldwide have emerged over the ensuing years, and recently MIT warned that hackers could exploit artificial intelligence (AI) to cause physical damage to the grid.
Considering the continuing automation and technological interconnections of the grid, along with a sweeping renewable energy transition, it should not be a surprise that energy and utilities leaders ranked cyber threats as the No. 1 risk in 2024 (see top five ranking below) in our latest Executive Perspectives on Top Risks Survey. This is the 12th year that we’ve partnered with NC State University’s ERM initiative on the survey report, which takes the pulse of executives and officials worldwide across several industries and government.
In addition to the top five concerns of energy and utilities executives in 2024 shown above, survey respondents also identified all but one of those as top five risks when looking ahead to 2034 — supply chain worries were replaced by risks associated with the growing focus on climate change and disclosure expectations among regulators and key stakeholders.
Growing Threat
Arguably, the identification of cybersecurity as the top risk opened the most eyes. Even though it has been a well-discussed topic in energy and utilities boardrooms and executive suites over the past several years, it jumped to the No. 1 spot from No. 17 in our previous report. (It ranked as the third-highest risk in 2024 across all industries surveyed.)
As discussed in a recent webinar, we believe a few reasons are behind such a dramatic move. For one, AI has the ability to create more sophisticated phishing scams to establish a foothold in digital environments and a stage for a ransomware assault. Phishing scams could also target a utility company’s customers for payments or private information.
Additionally, although they have since moderated, cybersecurity insurance premiums skyrocketed in recent months. In some cases, even if a company manages to recover from an attack, it will pay the ransom out of fear that the hacker will still publicize its own sensitive data, or that of its customers or vendors.
These threats require energy and utilities companies to maintain sound cybersecurity policies, training and surveillance, which may mean an investment in new technologies. The good news is that although criminals are leveraging AI to hack into systems, organizations too can leverage the emerging tool to identify and prevent attackers.
Rule Expansion
Energy and utilities executives also significantly boosted heightened regulatory changes to No. 2 in 2024 from a ranking well outside of the top 10 risks in 2023. Over the past few years in particular, governments around the world have begun to demand more evidence that companies are making progress in efforts to become more sustainable, a challenging order for power companies traditionally rooted in fossil fuels.
The concerns about regulatory change and scrutiny dovetails with the seventh highest-rated risk in 2024 — the growing focus on climate change and the consequent rise in disclosure regulations as well as stakeholder expectations. After two years of anticipation and several comment period extensions, for example, the SEC recently adopted new rules that require most publicly traded companies to disclose climate-related risks in registration statements and annual reports.
Meanwhile, the European Commission adopted the European Sustainability Reporting Standards last year in an effort to align its sustainability reporting regimen with other disclosure platforms, including the International Sustainability Standards Board (ISSB) and Global Reporting Initiative (GRI).
Some energy and utilities organizations have found it difficult to take advantage of new opportunities offered by the transition to renewables. While the Inflation Reduction Act (IRA) of 2022 is directing $370 billion toward fighting climate change in the U.S., largely by incentivizing renewable energy adoption through tax credits and loan guarantees, companies spent a good part of 2023 determining how to work within the law’s framework and were often forced to wait for the Internal Revenue Service (IRS) to firm up guidance and compliance rules.
Cost Pressures Slowing Down Investment Decisions
Economic conditions and inflationary pressures — the eighth-ranked risk in the report — also hampered investment decisions. To a large degree, the spike in interest rates and rising operating and construction expenses placed new cost pressures on projects and acquisitions.
The fact that it’s an election year has done little to improve the situation. The chance that a new administration and Congress could ultimately change incentives for renewable expansion continues to delay decision-making, especially on projects that will have a decades-long impact. In such an unstable environment, it’s important that energy and utilities companies remain nimble and savvy when approaching otherwise promising expansion projects and acquisitions.
Accepting Change
One of the more encouraging insights from our report suggests that energy and utilities companies have become more comfortable with change. Resistance to change has ranked among the top 10 risks for the past several years. However, the threat dropped out of the top-10 in 2024 and plunged to No. 22 in 2034.
We believe that these downward moves reflect a recognition that energy and utilities companies need to adapt to be more operationally efficient and sustainable. It’s obvious that many organizations were pushed to change during the pandemic and have embraced digitization and automation transformations in order to enhance efficiency and remain competitive.
Future Unknown
As Protiviti and NC State University’s ERM initiative prepare to launch the 13th annual survey later this year, we can’t predict how energy and utilities companies might rearrange risks heading into 2025 — or a decade out. Yet we remain confident that the findings will continue to help guide companies as they pursue opportunities amid shifting economic realities, regulations and threats.