Cyberattacks disproportionately affect vulnerable communities. Is this an opportunity for impact investors?
By Kelsey Jarrett and Elizabeth Roberts
When we think about cyberattacks, we tend to think about big targets and big ransoms. With costly incidents on the rise, private equity and venture investments have followed.
Yet the impact of cybercrime isn’t just on large institutions. Over the past few years, a raft of research has shown that cyberattacks disproportionately impact marginalized communities, small enterprises, and critical institutions.
- Small businesses are more than twice as likely as the largest organizations to not have the necessary cybersecurity to meet critical operational resilience requirements.
- According to research from Malwarebytes, “Black people, Indigenous people, and People of Colour (BIPOC) experience hacked social media accounts (45% compared to 40%) and instances of identity theft (more) than White people (21% compared to 15%).”
- Incidents are rising among key institutions. Attacks on hospitals and health organizations doubled in 2023, and K-12 schools are a rising top target for ransomware attacks. Local governments are also seeing a rise in malware, ransomware, and other attacks, with malware attacks increasing as much as 148% in the first eight months of 2023 compared to the year before.
- Geography plays a key role. A 2024 article from the World Economic Forum reports that organizations in South America and Africa are more likely than their counterparts in North America and Europe to report insufficient cyber resilience.
For impact investors like SJF Ventures, the outsized impact of cybercrime on vulnerable populations raises an interesting question: should cybersecurity startups be the target of impact capital?
At SJF, one of our impact themes is Government and Civil Society. Strengthening our institutions, promoting safety online and in public spaces, and enhancing the leverage of government services reduces inequity broadly. This work has cross-sector outcomes across our other themes, like education, health, and energy. As a firm, we have recently begun discussing the need for cyber resilience in these key areas and how it relates to our impact objectives.
The question we have been asking is this: under what circumstances does an investment in cybersecurity meet the bar for an impact investor, and when does it not?
Cybersecurity’s impact opportunity
Cyberattacks exacerbate the inequities in our society. Cybersecurity vendors that make resilience accessible to core public services — healthcare, education, local governments, the energy grid — would undoubtedly deliver outsized, lasting impact.
Health care systems have faced increased cyberattacks in recent years, in part because hospitals are “basically a one-stop shop for an adversary,” said Chris Callahan, chief of cybersecurity for the Northwest region of the federal Cybersecurity and Infrastructure Security Agency (CISA). Hospitals possess droves of sensitive patient data, including medical records and financial information.
Rural health systems are especially vulnerable to cyberattacks. In 2024, the National Rural Hospital Association (NRHA) published a policy brief, explaining: “Cyberattacks are not new to health care, but over the last decade, security breaches have become more common in rural areas. Cyber thieves are targeting rural organizations more frequently as larger urban centers are more prepared to prevent attacks.” Rebounding from cyber attacks proves harder for rural hospitals. “Losing access to hijacked medical records can jeopardize the care of patients and become a regional disaster for the rural hospital’s service area,” the NRHA notes. While large healthcare systems are better protected than smaller or more rural systems, they are still underserved in comparison to other industries. Large health systems are interconnected with a web of smaller providers; when a large system is attacked, smaller centers are impacted as well. This magnifies the threat of cybercrime on small and rural healthcare systems — not only are they at risk from direct attack, but they also lose staff time and revenue when larger systems go down. The consequences can be devastating: one of the largest nursing home operators in the United States filed for bankruptcy earlier this year following a string of cyberattacks.
K-12 school districts have also faced increased disruptions from cyberattacks: an August CBS News report chronicled a ransomware attack that shut down the Tucson Unified School District for two weeks in 2023. “Young students are especially desirable targets because their credit records are unmonitored and can be exploited for years,” explained Doug Levin, national director of K12 SIX, a nonprofit working to reduce the occurrence of cyber attacks in schools. It cost over one million dollars to rebuild TUSD’s systems, and the expenses were only partially covered by insurance.
Energy is another domain where cyber attacks pose massive risks with unequally distributed consequences. In April 2024, the North American Electric Reliability Corporation reported that the number of susceptible points in electrical networks increases by about 60 per day, and geopolitical conflicts around the world have “dramatically” increased the number of cyber threats to U.S. power grids. A grid outage is likely to be more prolonged and more damaging for low-income communities across the U.S., who have comparatively fewer resources to get through blackout periods.
Finally, government agencies, particularly local and municipal governments, have been hit by rising cyberattacks, which can erode public trust and restrict the provision of public services. In 2022 and 2023, hackers used Electronic Benefits Transfer cards in Maryland to steal over $2 million in public funds. On Election Day in 2022, Mississippi state websites containing voter information were rendered inaccessible after hackers launched a distributed denial-of-service attack. Hackers have proven effective in blocking state agencies from delivering critical services to constituents. These incidents are only increasing, with malware attacks rising as much as 148% in the first eight months of 2023 compared to the year prior.
Within these critical institutions — hospitals, schools, energy, and governments — cyber inequality is driven by resource limitation, skills gaps, connectivity, regulatory blind spots, and a lack of prioritization. Disparities we see in our physical lives are echoed in our digital ones — this capacity limitation is called “cyber poverty.” High costs and a shortage of technical skills make sophisticated cyber programs difficult for small businesses and rural institutions to implement. This gap in digital resilience is widening between the largest institutions and the rest; companies working to close that gap could have a significant impact.
Cybersecurity is also an important consideration for individuals, not just businesses and institutions. Among individuals, social and financial inequities are exacerbated by cybercrime. Women are more likely to report feeling unsafe online than men, and people of color and the elderly are more likely to experience cybercrime. Immigrant communities, people recovering from natural disasters, and veterans all experience worse effects from cybercrime. Low digital literacy and financial vulnerabilities are exploited by cybercriminals through phishing attacks and identity theft attempts. Solutions that promote online safety, security hygiene, and overall digital literacy could also be considered by impact investors.
Meeting the impact threshold
But clearly not all cybersecurity investments are impact investments, as not all cyber companies aim to address the disparate impacts of cyberattacks.
If a technology provider supports the operations of a company within one of our focus areas, are they automatically worthy of our investment? What percent of its sales need to address K-12 or healthcare to qualify? Theoretically any cybersecurity vendor can increase the resilience of a hospital or university against ransomware attacks. However, a solution that could be used to deliver impact and address societal inequities shouldn’t be considered by default to be worthy of funding from impact investors. A vendor that aims primarily to serve large enterprises and happens to support some civic institutions along the way is not an impact investment.
Nevertheless, there is data demonstrating the negative impacts these attacks are having on our communities, and particularly on vulnerable populations. While impact investors should keep the high bar we have for the intentionality and additionality of our investments, we should not shy away from new, critical sectors and themes.
At SJF, we have always aimed to find companies that have the potential to create lasting impact, even if their management teams have not intentionally measured or managed that impact before. SJF’s own impact, or investor contribution, requires proactively identifying and accelerating impact-generating opportunities during the holding period. Perhaps impact investors should begin to consider companies bolstering cyber resilience, and work with portfolio company management teams to actively find ways to mitigate cyber inequities.
Investments in cyber-adjacent areas can help overcome the systematic drivers of cybersecurity inequality: resources, digital literacy, skills and staffing shortages. Companies that solve these challenges could meet the high bar for impact investments. In addition to B2B cyber solutions, there is meaningful opportunity for cyber tools which directly protect highly vulnerable individuals.
SJF Ventures is beginning to evaluate whether cybersecurity startups might merit impact capital. If you are a founder in this space and you want to get in touch, please email Elizabeth Roberts at eroberts@sjfventures.com.
And if you’re part of the impact investing community, we’d be interested to hear your thoughts — should cybersecurity become a focus area for more impact funds?