Cyber Resilience – It’s all about ESG

Insights ▸ Articles ▸ Cyber Resilience – It’s all about ESG

The Russian invasion of Ukraine - and Putin’s growing hostility towards the West - have significantly heightened the risks of a large-scale cyber-attack.

As a result, financial investors are increasingly worried, and western companies find themselves under new pressure to show their stakeholders that, should this scenario occur, they have the necessary defences in place to minimise damage and be resilient. Still, many are unclear on the best way to provide their investors with that assurance.

There are two main ways companies can publicly disclose the components of their cyber readiness:

By making specific technology disclosures in their reporting, as proposed by the World Economic Forum.
By incorporating evidence into existing environmental, social and governance (ESG) reporting frameworks.

Seeing that cybersecurity is no longer a separate technology or IT issue at most businesses, in my opinion, the ESG reporting option is the most practical, transparent and effective. And while financial institutions like JP Morgan have argued that cybersecurity metrics should be classified primarily as 'social', I believe there are equally important environmental and governance concerns. For instance, despite new fears over global energy security and indications that oil and gas exploration are back on the political agenda, initial signs show that investors remain committed to net-zero emissions and that the impact of cyber-management on a company's carbon footprint (e.g., the fuel consumption of cloud computing technologies) will come under increased scrutiny.

Public pressure, employee demands, and government regulations also strengthen the case for organisations to track and report cybersecurity goals and metrics within their ESG efforts. In fact, Gartner similarly predicted earlier in 2022 that 30 percent of large organisations will have publicly shared ESG goals focused on cybersecurity by 2026, up from less than 2% in 2021.

In support of these shifting expectations, I have outlined some practical considerations for boards and leadership teams to keep in mind as they develop new frameworks and decide what they need to disclose to provide a comprehensive picture of their cyber activities.

Environmental

Energy and utility providers, which use Information Technology (IT) and Operational Technologies (OT) such as industrial control systems, automated diagnostic, and monitoring tools, are particularly vulnerable to cyberattacks. OT technologies control critical infrastructure but are often not designed with security or privacy as a core function, allowing hackers to breach them more easily. Companies, therefore, need to develop and communicate a strong understanding of the environmental impact of a cyberattack, defining mitigation and response measures. They should include in their ESG reports:

The cyber capabilities that will support the business in the event of an environmental disruption
Cyber resilience strategies to reduce the risk of catastrophic events resulting from failed or compromised IT/OT systems

Controls in place to prevent malicious actors from using CPU processing power for nefarious purposes, e.g., cloud virtual machines for ransomware or illegal cryptocurrency mining. (Bitcoin mining is highly energy-consuming; according to analysis by Morgan Stanley in March 2022, every $1 of Bitcoin mined is estimated to be materially more carbon-intensive than every $1 of gold mined.)

Social

The May 2021 cyberattack on the JBS meat production facilities, which disrupted processing and production across the entire US food supply chain, is a good example of the broader cyber-attack risks on society. Organisations perceived to be lacking a solid ethical business model are particularly vulnerable to reputational damage. Good practices for the social domain in cyber-related disclosures may include:

Embedding cyber resilience in existing enterprise risk management frameworks and formulating a clear policy on cyber ransoms
Assessing the likely workplace impact of a cyberattack on staff. “Cyber stress” makes all employees, especially the security teams that respond to cyberattacks, more anxious. Those responding tend to work long hours - including weekends - and come under extreme pressure from business leaders to restore systems quickly.
Understanding the risks from cyber-attacks on critical public infrastructures, notably incidents that could jeopardise human life, and applying appropriate controls and mitigation measures
Considering the cybersecurity implications of AI around regulations covering data privacy and ethics

Governance

Strong governance delivers strong risk management. If cybersecurity governance is not part of the comprehensive strategy and plan, the organisations will not be able to detect and respond to an attack with confidence or speed. Good governance practices in cyber-related ESG disclosures include:

Practising and building confidence in the company’s ability to identify, quantify and manage cyber-risks and threats using cyber-risk appetite statements to demonstrate how cyber risks are managed
Identifying critical assets and ensuring that only those with the appropriate authorisation and training can use them
Having an accountable person on the board responsible for cyber-resilience and ESG disclosures
Ensuring that there is a separate cyber budget closely aligned to the total IT budget and that it addresses the most significant technology risks and threats faced by the business

More cyber-resilience disclosures are inevitable. As Song Hwee, Deputy CEO of Temasek International, observed, investors will begin to drive cybersecurity change and demand more transparency.

Companies must find the right balance between pressure from stakeholders and not inadvertently exposing the company to malicious attackers (for example, by revealing too much about the extent and nature of their defences). Regulators will also increasingly seek information, the absence of which could harm a business' share price in the eyes of investors.

Addressing cybersecurity concerns through ESG frameworks - adding the 'E' and the 'G' to the more familiar 'S' - can reassure markets by articulating how an organisation is preparing to withstand an attack. And reporting cyber readiness through ESG frameworks will provide the basis for a better internal dialogue, one spoken with non-technical, accessible business language understandable by executives of all backgrounds.

Indy Dhami

Indy Dhami has over 19 years of Information/Cyber Security, Governance and Compliance experience in director-level positions, both in consulting and operational roles. His previous employers include PwC, IBM, Accenture, AXA, Deutsche Bank and Mercedes Benz. Indy also holds a Fellowship of the Chartered Institute of Information Security in the UK.

What to read next

Back to Articles

12.2023 . Articles

The Future of DevSecOps: Emerging Trends in 2024 and Beyond

In the rapidly evolving landscape of software development and cybersecurity, the integration of security planning earlier in the software development life cycle has become paramount.

BY JD Sherry

12.2023 . Articles

Transforming Cyber Risk Management in the Supply Chain

When the CL0P ransomware gang from Russia (also known as TA505) exploited a zero-day SQL injection vulnerability to hack Progress Software's MOVEit Transfer app, it soon became evident that a significant number of organisations and…

BY Murali Aiyer
Supply Chain Cyber Risk

12.2022 . Articles

How We Used AI To Write An Article For Our Blog

We recently used AI to create an article for our newsletter. How did we do it?

BY Dr. Manuel Hepfer