As the world increasingly goes digital, cybersecurity should be a key concern for any board of directors charged with overseeing a company’s Environmental, Social, and Governance (ESG) agenda. The potential risks posed by cyberattacks are becoming more and more severe, and companies must take steps to protect themselves against these threats.
DATA AS A “CRITICAL INTANGIBLE ASSET”
This World Economic Forum (WEF) article states that intangible value, or the value of assets that are not physical in nature, now represents 90% of the asset value in organisations. Data, perhaps, has become the most critical intangible asset in determining the value of an organisation. As companies scale, this intangible asset grows as well. This increases the likelihood of cybersecurity breaches.
Cybersecurity, therefore, ought to be a concern for boards. Organizations that take an ESG approach to cybersecurity can create a more holistic and effective risk management strategy, so that in the event of a breach, value is “not lost, or the loss is [at least] minimised.”
REASONS WHY CYBERSECURITY SHOULD BE ON THE ESG AGENDA
The connection between cybersecurity and ESG may not be obvious to many. In this section, we spell out how cybersecurity affects the individual elements of ESG and why it should concern boards as a significant trigger for risk exposure.
Impact of Cybersecurity on the Environment
Cyberattacks on equipment and monitoring systems in critical infrastructure, including power grids, hospitals, factories, and water systems may result in “spillage, waste discharge, fire, explosion, or release of hazardous materials.”
For example, maritime activity relies on information and communication technology (ICT) to meet customer demand and ensure transportation safely. ICT, as explained in the above mentioned article, is used to deliver operations that include “ship propulsion, navigation, freight management, traffic control, maintenance and communications.” A cyberattack on this industry can lead to disasters such as tanker accidents. One tanker incident can lead to the release of millions of gallons of crude oil into the ocean.
There is the assumption that boards belonging to such critical industries understand their potential environmental impact should one thing or another go awry (such as remediation expenses, legal liabilities, claims, fines, reputational damage, and the potential loss of life). What needs to be highlighted here, however, is the identification of cyberrisk and threats as a possible trigger for environmental damage.
Impact of Cybersecurity on Society
We highlighted data as quite possibly the most valuable intangible asset of companies. The companies who retain and manage large volumes of personal identifying information (PII) assume significant risk for cyberattacks. From election meddling to identity theft, the potential societal impact of weak cybersecurity measures is far-reaching.
Cybercriminals are increasingly targeting healthcare data and institutions which impact the quality of care communities are able to receive. Healthcare data breaches hit an all-time high in 2021, impacting 45 million people. Criminals have also set their sights on utility industries. The recent Colonial Pipeline attack in the US, for instance, led to temporary income loss for the community, long lines at gas stations, and increased fuel prices.
Consumers and institutions alike have adopted and shifted to digital transactions in recent years. Criminals have taken notice of the vulnerabilities this presents. In fact, in 2021, identity theft victims were up by over 23% over the previous all-time high. Identity theft is a major inconvenience to individuals, companies, and industries. It disrupts lives.
The Equifax (a credit agency) data breach is a good example of how costly cybersecurity lapses can be to organisations and its shareholders. Equifax lost the PII and financial data of almost 150 million individuals in 2017, exposing its users to the real risk of identity theft. As a result, Equifax had to pay a USD575 million settlement for the breach. Apart from regulatory fines, penalties and damage to its reputation, the company’s bottomline took a significant hit. Shareholders were not spared from this.
Cybersecurity is not just an IT issue — it is a societal one. Boards must understand the extent to which cybersecurity issues can affect their stakeholders and address the risks accordingly.
Impact of Cybersecurity on Governance
As stated, a company’s ability to protect its data and intellectual property from cyberattacks can make or break its reputation and bottom line.
Cyberattacks can have a serious impact on a company’s share price. In some cases, the stock price of a company can drop precipitously. This is especially true if the attack results in the loss of PII, compromises intellectual property, or disrupts operations.
Equifax’s stock price plunged from $142.72 to $92.98 in just one week in 2017. Its market share also dropped and struggled to recover.
As an organisation’s losses can rack up in the millions as a result of an attack, financial resources may need to be drawn from other areas of the business in order to cover the costs. This, again, impacts the bottomline and the reputation of the company. The reputational damage can be extensive: from loss of revenue to difficulties in talent acquisition.
To close this section, boards need to be aware of the legal implications of cybersecurity breaches. In some cases, boards and top leaders of organisations may be held liable for the damages caused by a cyberattack.
The SolarWinds’ software breach, which gave hackers access to the data of thousands of companies and government offices that used the software, resulted in a suit against the company’s top executives. Investors alleged that the company’s leaders failed to monitor cybersecurity risks ahead of the attack.
While some organisations have availed of cyber-insurance to minimise risk and losses, insurers are increasingly narrowing the scope of coverage. This limits how much organisations can rely on it to mitigate risk.
But it’s important to emphasise what the WEF paper has stated: insurance is not a substitute for good governance.
Instead, the reliance on a framework for identifying, measuring, analysing, and managing cyberrisk should be part of any organisation’s ESG strategy and set the tone for effective governance.
How Boards Can Reduce ESG-related Cybersecurity Risk Exposure
There is no silver bullet when it comes to cybersecurity, but boards can introduce these steps to ensure it reduces its ESG-related cybersecurity exposure:
- Give cybersecurity the attention it deserves. Regularly include the topic in the board’s meeting agenda.
- Assess the company’s risk profile and compare it to peers. Identify any gaps in the company’s current cybersecurity posture and address them.
- Ensure adequate funding for cybersecurity initiatives — in the short and long-term. In the short term, boards should ensure there are enough resources to implement effective mitigation strategies. In the long term, they should plan for future investment in new technologies and personnel.
- Get the right people to address cybersecurity. From obtaining the services of a Chief Information Security Officer (CISO) to senior security experts, boards need to ensure they have access to the knowledgeable security personnel to help oversee the organisation’s cybersecurity strategy. If possible, establish a subcommittee to oversee this.
- Stay informed. Boards should be briefed on cybersecurity risks and trends to provide them with an understanding of how these might impact the organisation’s ESG and corporate strategy.
- Set clear expectations for management on what needs to be done to mitigate risks. Set strong achievable goals and timelines. Communicate ESG expectations to the management team so that everyone works towards the same goal. Review progress and hold leaders accountable for results.
- Incorporate cybersecurity into ESG reporting initiatives. This gives invaluable insights into the effectiveness of a company’s cybersecurity program and allows boards to make better decisions about where to allocate present and future resources.
- Implement a strong data protection and governance strategy. Monitor the risks the company, stakeholders, and customers face around the use of data.
- Institute a security-oriented culture. Start from the top. From the adoption of secure board technologies such as board portals to implementing internal cybersecurity strategies, training, and controls, boards need to invest the time and resources to ensure employees, contractors, and suppliers understand the value it places on securing the organisation. This begins at the board level.
CONCLUSION
Investors are becoming increasingly interested in responsible investing.
Seventy-two percent (72%) of global investors integrate ESG principles into their investment approach and decision-making. Cybersecurity ranks as a Top 2 concern (second to anti-corruption) when it comes to ESG investing. It’s reason enough to take ESG-related cybersecurity issues seriously.
But more than that, cyberthreats have evolved to become a material sustainability risk. Good governance, especially at the boardroom level, is key.
As the WEF article cited above states, organisations who fail to realise this will find themselves to be less resilient and less sustainable. Making cybersecurity an ESG priority can spell the difference between a successful future and a catastrophic mistake.
Speak to us about securing your board processes today.