Integrating cybersecurity and ESG
As part of ongoing risk management efforts to protect critical infrastructure and data, companies should consider integrating an ESG program into their cybersecurity strategies.
During 2022, investment managers have increasingly begun to sound the alarm on hidden cybersecurity risks, with sectors favoured by ESG funds, such as energy, healthcare and technology, often particularly exposed.
According to a recent report by the Swiss bank Lombard Odier, costs and damages associated with cybercrime were an estimated EUR 5.5 trillion in 2021 and are likely to be in excess of EUR 10 trillion by 2025. In addition, researchers at the German bank Berenberg recently identified cybersecurity as a key ESG theme for 2022, and in their ESG report noted that “many companies appear under-prepared” for cyberattacks. Furthermore, analysts at Goldman Sachs Group Inc. have also recently singled out cyberattacks as an area of particular concern to ESG investors.
Sustainable investments and climate risks
One further perceived benefit of integrated ESG and cybersecurity strategies is that they can mitigate cyber-related risks that threaten the viability and integrity of sustainability investments in critical infrastructure projects with ambitions to transition to renewable energy.
Likewise, climate-related risks can negatively impact a company’s operations and increase safety risks and human error incidents, as well as reduce system reliability and cyber defence protocols. Integrating ESG and cybersecurity can potentially help companies and other stakeholders further understand that our cyber, physical and social worlds are becoming increasingly interconnected and that a disruption in one area can rapidly disrupt the whole.
The key issue for If is that clients themselves know their risks and have the required controls in place and implemented to mitigate those risks. Whatever investments are made in cybersecurity must follow a risk-based approach, so the client must first understand the risk that they are facing.
If a company deals with huge amounts of personal data, the controls mitigating the loss of that personal data become most important. But if it is a manufacturing company, then the protection of production lines, renewable energy supplies, the supply chain, continuity planning, and other issues will be more important.
Adds Peltonen, “One important thing that needs to happen is that the risk management organisation of a company needs to start working much closer with the security department. They are on the same side. Cybersecurity has long been viewed as an IT issue and teams often think too much about technology and they don’t see the risk as much as they should. Conversely, risk management experts don’t really understand all the threats that they could be facing. Cybersecurity, then, should become more risk-focused, and risk management should become more cyber-
A note of caution
However, Peltonen adds a note of caution, “If there is a push for companies to start reporting on their cybersecurity initiatives and incorporating them within the ESG framework on a broader scale, then that could also potentially be a risky proposition in the sense that some companies might report too much. Care is needed.”
ESG is now a critical business framework that describes how businesses across the globe assess the impacts of their activities and investments, as well as their impact on stakeholders such as insurers. For companies, failure to integrate ESG and cybersecurity strategies could mean that they are failing to address the fact that radical change is taking place globally. The risk for a company is that climate, societal or reputational-related damage could cost far more than a data breach or a costly insurance claim.
“Does it serve a purpose to integrate cybersecurity into the framework of ESG? From a risk management perspective, I think the link is becoming increasingly obvious and that there is a significant added value in doing so,” concludes Peltonen.