Environmental, social and governance (ESG) policies see the business implement ethical practices to demonstrate its commitment to its stakeholders, customers, and society at large. Still, they’re more commonly associated with lowering the carbon footprint or promoting equality than cybersecurity. That’s now set to change with a growing call for cyber to be included in ESG. The World Economic Forum, for instance, is a firm advocate and lists three reasons why it believes cyber should no longer be siloed.
1: Data is now a critical asset and the mainstay of most businesses. The risk of data being compromised is escalating due to the rise in automated attacks, organised criminal activity, and politically motivated nation-state-sponsored attacks, which have seen the emergence of ransomware-as-a-service (RaaS) and devastating supply chain attacks.
Cyber attacks were believed to cost the UK between £130bn-£190bn annually in 2019 and are now regarded as the biggest threat to organisational resilience. According to a PwC survey, attacks now outstrip the perceived threat of a global recession or another pandemic. Moreover, 25% of CEOs considered their businesses extremely or highly exposed to cyber risk over the next five years, a risk that outweighs inflation, macroeconomic volatility, climate change and geopolitical conflict.
2: While securing data is, of course, in the commercial interests of the business, ESG sees that responsibility extended to the wider world. Protecting an ecosystem of partners and customers will also ensure economic stability and safeguard society.
3: While many organisations have Governance, Risk and Compliance (GRC) policies, they are generally in place to meet compliance requirements. Others rely on the safety net of a cyber insurance policy. Still, with Zurich’s CEO warning that cyber is set to become more prescriptive, businesses must also be proactive.
Investors are now looking for evidence of organisations taking firm cybersecurity action, given the close link between cyber and financial risk. Pre-2015, evidence indicated that cyber breaches seldom impacted share prices, but that is no longer true. A severe cyber attack can lead to a dip in share price and even call into question the company’s future viability. The SolarWinds attack, for example, saw 23% shaved off the value of its stock following the now infamous espionage attack.
Given the shock waves caused by major cyber attacks and the resulting financial fallouts, it stands to reason that more investors will include cybersecurity alongside financial and ethical considerations when weighing up investments. There’s already the expectation that cybersecurity risk and resilience as part of ESG will become a regulatory requirement in the US when investing in the financial sector.
Indeed, some ethical investors will only invest in businesses that can demonstrate they have an ESG policy or that follow similar ethical practices, such as the United Nations Sustainable Development Goals (SDGs). These already accommodate elements of cybersecurity ESG, such as SDG 9, which refers to the need to build resilient infrastructure, and SDG 16, which relates to building effective, accountable and inclusive institutions and providing public access to information.
So, how should organisations go about embedding cybersecurity in an ESG policy? It’s not as onerous as it may sound, given that most businesses will already be doing many things you’d expect to see included, such as appointing a senior executive to oversee cyber risk, regularly reporting on cyber risk to the board, and observing disclosure best practices. Elements of compliance regulations such as PCI DSS or GDPR also lend themselves to ESG.
Businesses need to do more in taking a proactive rather than a reactive stance. In addition to incident detection and response, it’s worth looking at threat hunting and proactive detection. It’s here where tools such as security orchestration, automation and response (SOAR) can help, automating the investigation of incidents and creating audit trails for reporting. Additionally, endpoint detection and response (EDR) can monitor end-user devices to prioritise the protection of user data.
These are just some examples, but technology from across the security arsenal can be used to help prove the business is diligently protecting its data, systems and users. The main problem is bringing all that evidence together, which is why convergence is now crucial. Being able to quickly collate and analyse event data with contextual indicators in the SIEM expedites decision-making and reporting. Just as importantly, it also provides the C-suite with a single pane of glass to view the risk profile of the business to determine how well it is meeting its ESG objectives.