The Russian invasion of Ukraine - and Putin’s growing hostility towards the West - have significantly heightened the risks of a large-scale cyber-attack.

As a result, financial investors are increasingly worried, and western companies find themselves under new pressure to show their stakeholders that, should this scenario occur, they have the necessary defences in place to minimise damage and be resilient. Still, many are unclear on the best way to provide their investors with that assurance.

There are two main ways companies can publicly disclose the components of their cyber readiness:

  1. By making specific technology disclosures in their reporting, as proposed by the World Economic Forum.
  2.  By incorporating evidence into existing environmental, social and governance (ESG) reporting frameworks.

Seeing that cybersecurity is no longer a separate technology or IT issue at most businesses, in my opinion, the ESG reporting option is the most practical, transparent and effective. And while financial institutions like JP Morgan have argued that cybersecurity metrics should be classified primarily as 'social', I believe there are equally important environmental and governance concerns. For instance, despite new fears over global energy security and indications that oil and gas exploration are back on the political agenda, initial signs show that investors remain committed to net-zero emissions and that the impact of cyber-management on a company's carbon footprint (e.g., the fuel consumption of cloud computing technologies) will come under increased scrutiny.

Public pressure, employee demands, and government regulations also strengthen the case for organisations to track and report cybersecurity goals and metrics within their ESG efforts. In fact, Gartner similarly predicted earlier in 2022 that 30 percent of large organisations will have publicly shared ESG goals focused on cybersecurity by 2026, up from less than 2% in 2021.

In support of these shifting expectations, I have outlined some practical considerations for boards and leadership teams to keep in mind as they develop new frameworks and decide what they need to disclose to provide a comprehensive picture of their cyber activities.

 

Environmental

Energy and utility providers, which use Information Technology (IT) and Operational Technologies (OT) such as industrial control systems, automated diagnostic, and monitoring tools, are particularly vulnerable to cyberattacks. OT technologies control critical infrastructure but are often not designed with security or privacy as a core function, allowing hackers to breach them more easily. Companies, therefore, need to develop and communicate a strong understanding of the environmental impact of a cyberattack, defining mitigation and response measures. They should include in their ESG reports:

  • The cyber capabilities that will support the business in the event of an environmental disruption
  • Cyber resilience strategies to reduce the risk of catastrophic events resulting from failed or compromised IT/OT systems
  • Controls in place to prevent malicious actors from using CPU processing power for nefarious purposes, e.g., cloud virtual machines for ransomware or illegal cryptocurrency mining. (Bitcoin mining is highly energy-consuming; according to analysis by Morgan Stanley in March 2022, every $1 of Bitcoin mined is estimated to be materially more carbon-intensive than every $1 of gold mined.)

 

Social

The May 2021 cyberattack on the JBS meat production facilities, which disrupted processing and production across the entire US food supply chain, is a good example of the broader cyber-attack risks on society. Organisations perceived to be lacking a solid ethical business model are particularly vulnerable to reputational damage. Good practices for the social domain in cyber-related disclosures may include:

  • Embedding cyber resilience in existing enterprise risk management frameworks and formulating a clear policy on cyber ransoms
  • Assessing the likely workplace impact of a cyberattack on staff. “Cyber stress” makes all employees, especially the security teams that respond to cyberattacks, more anxious. Those responding tend to work long hours - including weekends - and come under extreme pressure from business leaders to restore systems quickly.
  • Understanding the risks from cyber-attacks on critical public infrastructures, notably incidents that could jeopardise human life, and applying appropriate controls and mitigation measures
  • Considering the cybersecurity implications of AI around regulations covering data privacy and ethics

 

Governance

Strong governance delivers strong risk management. If cybersecurity governance is not part of the comprehensive strategy and plan, the organisations will not be able to detect and respond to an attack with confidence or speed. Good governance practices in cyber-related ESG disclosures include:

  • Practising and building confidence in the company’s ability to identify, quantify and manage cyber-risks and threats using cyber-risk appetite statements to demonstrate how cyber risks are managed
  • Identifying critical assets and ensuring that only those with the appropriate authorisation and training can use them
  • Having an accountable person on the board responsible for cyber-resilience and ESG disclosures
  • Ensuring that there is a separate cyber budget closely aligned to the total IT budget and that it addresses the most significant technology risks and threats faced by the business

More cyber-resilience disclosures are inevitable. As Song Hwee, Deputy CEO of Temasek International, observed, investors will begin to drive cybersecurity change and demand more transparency.

Companies must find the right balance between pressure from stakeholders and not inadvertently exposing the company to malicious attackers (for example, by revealing too much about the extent and nature of their defences). Regulators will also increasingly seek information, the absence of which could harm a business' share price in the eyes of investors.

Addressing cybersecurity concerns through ESG frameworks - adding the 'E' and the 'G' to the more familiar 'S' - can reassure markets by articulating how an organisation is preparing to withstand an attack. And reporting cyber readiness through ESG frameworks will provide the basis for a better internal dialogue, one spoken with non-technical, accessible business language understandable by executives of all backgrounds.