Integrating Cyber Security into the ESG Narrative

Executive Summary

Cyber Security has traditionally been perceived as a technological issue, however it’s now imperative that organisations recognise cyber security as an Environmental, Social, and Governance (ESG) concern due to its immediate and financially material sustainability risk for organisations. With corporate cyber-attacks escalating in frequency, severity, and sophistication, the estimated global cybercrime losses reached a staggering $6 trillion in 2021 and are predicted to rise further (Nomura, n/a); underpinning the urgency for addressing this risk.

This is particularly true due to cyber security’s alignment to financial and investment risk, and increased regulatory scrutiny, but more importantly due to its real-world impact on critical infrastructures and financial networks. To that end, organisations that fail to implement appropriate governance, metrics, and tools to address and embed cyber security concerns into the ESG narrative will be deemed less resilient and less sustainable. This, in turn, will adversely affect the stability of other affiliated organisations, whole communities, and governments due to the interconnectedness of global networked systems (World Economic Forum, 2022).

Furthermore, as ESG reporting requirements grow more rigorous within the financial services sector, the urgency to prioritise, address, and mitigate cyber security risks is amplified by heightened pressure for transparency from investors, Board of directors, and other key stakeholders.

Why should organisations integrate Cyber Security into the ESG narrative?

Increasing demand for transparency with regard to how organisations protect the confidentiality and integrity of data.
Cyber Security breaches present a threat to society, critical infrastructures, and functions (e.g., hospitals can be targeted, Colonial Pipeline breach etc.,).
Financial materiality of cybersecurity risk (regulatory fines, litigation risks due to operational disruption, damages to organisation’s bottom line etc.,).
Cyber insurance reliance is not a substitute for good governance especially since it is becoming increasingly more difficult to obtain as the number of cyber security breaches rise.
Cyber Security breaches present a threat to value (loss of assets e.g., data).
Cyber Security breaches present a loss of “trust” between the organisation and their customers (reputational damages).

How does Cyber Security align with “E”, “S”, and “G”?

How does Cyber Security align with “E”?

The ransomware attack that occurred on the Colonial Pipeline in May 2021 serves as a reminder of the interconnectedness of environmental and cyber security hazards. The Colonial Pipeline cyber security breach, the most catastrophic cyberattack on a US pipeline, brought the nation’s primary supply of gasoline and refined products to a standstill, which ultimately resulted in regional shortages, pricing spikes, and panic-buying.

Cyber-attacks of this nature acknowledge that one of the primary threats to environmental security occur at the infrastructure level. In fact, public and environmental health is becoming increasingly reliant on cyber control and command systems, which are often susceptible to cyber security threats (both external hacking and malicious insider attempts). It therefore becomes evident that failure to mitigate cyber security risk could result in environmentally damaging incidents and devastating critical infrastructure breakdowns, which can, in turn, violate regulations and have a debilitating effect on public health and safety.

How does Cyber Security align with “S”?

There is an increasing tendency for the public to scrutinise the actions of organisations with regard to ESG, be it for their efforts to promote diversity or mitigate the negative externalities of their environmental impact. While cyber security may not seem to be an immediately apparent pillar of ESG’s social dimension, it is a critical consideration that cannot, and should not, be overlooked.

Customers are seeking reassurance from organisations that their personal data will be safeguarded from malicious insider attempts and cyber-attacks. They expect that the preservation of individual privacy rights and information security are at the forefront of organisational agendas and are increasingly inclined to hold an organisation accountable for any improper use or mishandling of their data. The recent surge in high-profile cyber-attacks serves as a vivid illustration of the risks that organisations face and the damage that can be inflicted on customer relations and reputations in the event of data breach and/or misuse.

It’s hardly surprising that cyber security consistently ranks among the top five global risks when surveying global CEOs, along with climate change and geopolitical conflict (Figure 1). The escalating direct and indirect costs of having weak corporate cyber security are now well understood by organisations and broader market participants. Economic damages resulting from cyber-attacks and espionage are reaching an unsurmountable scale, with global annual losses predicted to reach $10.5 trillion per year by 2025 (Nomura, n/a). Yet the threat goes beyond data privacy violations, it encompasses macro-economic damages, industrial espionage, and a decrease in the incentives for innovation and investment. It therefore becomes evident that cyber security threats and risks extend far beyond the organisations directly involved. In fact, they trickle down to affect market participants, the economy, and broader society. Consequently, it is vital that organisations take requisite steps to safeguard themselves, their customers, and society at large from these potential threats.

How does Cyber Security align with “G”?

ESG Cyber Security covers all aspects of an organisation’s security requirements and lifecycle, including, inter alia, the network, endpoints, data, cloud, services, software, hardware, and how critical data is safeguarded.

The system by which cyber security is directed and controlled, and the degree to which this is disseminated throughout the organisation, serves as a significant indicator of an organisation’s culture and corporate behaviour. Consequently, having a good understanding of the risks and opportunities associated with cyber security and cyber governance is crucial, particularly since poor corporate practices have been the leading cause of most corporate scandals. On the contrary, good governance practices such as the alignment of strategies with objectives, rigorous policies and procedures, clear accountability and definition of roles and responsibilities, the management of risks, and the upholding of high ethical and integrity standards, all establish a framework that prevents and contains the repercussions of a corporate scandal. Moreover, cyber governance also plays a critical role in safeguarding systems, networks, programs, and data, and it is equally important to stakeholders who typically view data protection and information security policies to assess an organisation’s cyber security risks.

An additional facet of cyber governance is the role of the Chief Information Security Officer (CISO) or equivalent, as well as their reporting line. The CISO’s primary responsibility in ESG is to clearly articulate to the C-suite and Board the organisation’s cybersecurity hygiene, strategy for continuous improvement, cyber resiliency capabilities, cyber governance framework, and the alignment to other interconnected policies and controls within the organisation’s corporate governance. Moreover, the CISO or equivalent play a vital role in the shaping of security and risk strategies, making it imperative that they directly report to the Board. This requirement correlates to the continuous transformation of cyber security as a back-office function to a strategic enabler. The importance of the CISO or equivalent, and the increasing number of stakeholders invested in security, data privacy, regulatory compliance, and ESG can be discerned through the increasing prevalence of cyber security committees. With this in mind, Gartner forecast that by 2025, 40% of all Boards will have cyber security committees (Gartner, 2021).