Integrating cybersecurity and ESG
As part of ongoing risk management efforts to protect critical infrastructure and data, companies should consider integrating an ESG program into their cybersecurity strategies.
Companies globally now increasingly deliver detailed reporting on ESG issues, such as their environmental impact, social metrics that include fair wages, diversity and inclusion, and their governance, which relates to how the company is led and managed.
However, while every business faces global systemic risks, the issue of cybersecurity has largely been left out of the conversation when it comes to ESG. There are increasing reasons to argue that integration makes good business sense.
First coined in 2005, ESG (environmental, social and governance) has become a well-known term in company boardrooms and impact reports globally. In more recent years, the evolving geopolitical and macroeconomic environment has only increased its importance, not least through the regulatory push to increase scrutiny on how companies, as well as investors, address ESG.
To that end, ESG may be best characterised as a framework that helps stakeholders understand how a company or organisation is managing risks and opportunities related to environmental, social and governance criteria. A company’s stakeholders include not just the investment community, but also employees, third-party suppliers and customers, and all of them are now becoming increasingly interested in how sustainable a company’s operations are.
The risk is that climate, societal or reputational-related damage could cost far more than a data breach or a costly insurance claim.
During 2022, investment managers have begun increasingly sounding the alarm on hidden cybersecurity risks, with sectors favoured by ESG funds such as energy, healthcare and technology often particularly exposed.
According to a recent report by the Swiss bank Lombard Odier, costs and damages associated with cybercrime were an estimated EUR 5.5 trillion in 2021 and are likely to be in excess of EUR 10 trillion by 2025. In addition, researchers at the German bank Berenberg recently identified cybersecurity as a key ESG theme for 2022, and in their ESG report noted that “many companies appear under-prepared” for cyberattacks. Furthermore, analysts at Goldman Sachs Group Inc. have also recently singled out cyberattacks as an area of particular concern to ESG investors.
Cybersecurity through the prism of ESG
Mikko Peltonen, Head of Digital Risks and Cyber at If, agrees that from a risk management perspective, cybersecurity and ESG need to be more closely aligned. “It has become increasingly obvious in the last few years that cybersecurity should be incorporated into the ESG framework.
It is good governance to make sure that you manage your cybersecurity or your data security. These days, the C-suite of executives certainly do need to know how well their company’s security team does their job, given GDPR and many other legislative requirements.”
This is one perceived benefit of integration, particularly as both cybersecurity and ESG are becoming increasingly subject to regulatory compliance frameworks. Standardised frameworks can help stakeholders measure and understand a company’s risk assessments, governance and accountability.
To that end, efforts to both strengthen and standardise legislation in Europe are gathering pace. In September 2022, a proposed law, titled the Cyber Resilience Act, was unveiled by the European Commission. The new legislation mandates that products are designed, developed and produced in ways that mitigate cybersecurity risks.
Financial aspect to consider
As part of this context, there is also the purely financial aspect to consider. Cybersecurity breaches threaten the value of business assets, and the value of stored data can, for some companies, be worth more than the physical infrastructure.
To highlight the financial risks now facing companies, in early 2022, the World Economic Forum’s Global Cybersecurity Outlook reported that the average cost of a cyber breach for a company was USD 3.6 million, targeted companies saw stock prices fall, and they spent, on average, 280 days both identifying and responding to a cyberattack.
Noted Daniel Dobrygowski, Head of Governance and Trust at the Forum’s Centre for Cybersecurity, “Technology leaders, companies and their boards of directors would do well to pay attention to these developments and recognise that cyber strategy is a business strategy and understanding cyber risk is part of good governance in the digital age.”
Complexities and vulnerabilities
Implementing ‘watertight’ cybersecurity is very difficult, and there are many aspects to take into consideration. Even if a company has all the possible state-of-the-art controls and solutions in place, it may still have a human element that can easily be socially engineered, or a software vulnerability that was not patched in time and can be exploited. Companies, then, should understand that cyber-risk has a strong link to the social impacts of ESG and that the impact on the business and the wider community can be severe.
Says Peltonen, “Managing personal data is both complex and important and every company has challenges, but unless we quite rapidly start making it a key factor in how we manage the company, the situation is going to get worse. What we do in cyber insurance is that we underwrite every client separately. We look into the material provided by the client, and we look into the different cyber security controls they have in place today.
However, I think that what needs to happen is that in terms of the broader scope of insurance, like the more traditional lines of insurance, they need to also start to consider this as part of their ESG framework. We are investing in the risk, just in the same way as banks are investing in the future success of a company by giving them a loan, for example. Banks, of course, consider ESG factors as part of that process. So, we as an insurer also need to fully understand the implications of ESG, including the digital aspects.”
Sustainable investments and climate risks
One further perceived benefit of integrated ESG and cybersecurity strategies is that they can mitigate cyber-related risks that can threaten the viability and integrity of sustainability investments in critical infrastructure projects with ambitions to transition to renewable energy.
Likewise, climate-related risks can negatively impact a company’s operations and increase safety risks and human error incidents, as well as reduce system reliability and cyber defence protocols. Integrating ESG and cybersecurity can potentially help companies and other stakeholders further understand that our cyber, physical and social worlds are becoming increasingly interconnected and that a disruption in one area can rapidly disrupt the whole.
The key issue for If is that the client themselves knows their risks and has the controls required in place and implemented to mitigate the risks that they have. Whatever investments are made in cybersecurity must be made on a risk-based approach, so the client must first understand what is the risk that they are facing.
If a company deals with huge amounts of personal data, the controls mitigating the loss of that personal data become most important. But if it is a manufacturing company, then the protection of production lines, renewable energy supplies, the supply chain, continuity planning, and other issues will be more important.
Adds Peltonen, “One important thing that needs to happen is that the risk management organisation of a company needs to start working much closer with the security department. They are on the same side. Cybersecurity has long been viewed as an IT issue and teams often think too much about technology and they don’t see the risk as much as they should. Conversely, risk management experts don’t really understand all the threats that they could be facing. Cybersecurity, then, should become more risk-focused, and risk management should become more cyber-
A note of caution
However, Peltonen adds a note of caution, “If there is a push for companies to start reporting on their cybersecurity initiatives and incorporating them within the ESG framework on a broader scale, then that could also potentially be a risky proposition in the sense that some companies might report too much. Care is needed.”
ESG is now a critical business framework that describes how businesses across the globe assess the impacts of their activities and investments, as well as their impact on stakeholders, like insurers, for example. For companies, failure to integrate ESG and cybersecurity strategies could mean that they are failing to address the fact that radical change is taking place globally. The risk for a company is that climate, societal or reputational-related damage could cost far more than a data breach or a costly insurance claim.
“Does it serve a purpose to integrate cybersecurity into the framework of ESG? From a risk management perspective, I think the link is becoming increasingly obvious and that there is a significant added value in doing so,” concludes Peltonen.