Integrating cybersecurity and ESG
As part of ongoing risk management efforts to protect critical infrastructure and data, companies should consider integrating an ESG program into their cybersecurity strategies.
Companies globally now increasingly deliver detailed reporting on ESG issues: their environmental impact, social metrics such as fair wages, diversity and inclusion, and their governance, which relates to how the company is led and managed.
However, while every business faces global systemic risks, the issue of cybersecurity has largely been left out of the conversation when it comes to ESG. There are increasing reasons to argue that integration makes good business sense.
First coined in 2005, ESG (environmental, social and governance) has become a well-known term in company boardrooms and impact reports globally. In more recent years, the evolving geopolitical and macroeconomic environment has only increased its importance, not least through the regulatory push to increase scrutiny on how companies, as well as investors, address ESG.
To that end, ESG may be best characterised as a framework that helps stakeholders understand how a company or organisation is managing risks and opportunities related to environmental, social and governance criteria. A company’s stakeholders include not just the investment community, but also employees, third-party suppliers and customers, and all of them are now becoming increasingly interested in how sustainable a company’s operations are.
The risk is that climate, societal or reputational-related damage could cost far more than a data breach or a costly insurance claim.
During 2022, investment managers increasingly sounded the alarm on hidden cybersecurity risks, with sectors favoured by ESG funds, such as energy, healthcare and technology, often particularly exposed.
According to the World Economic Forum's Global Cybersecurity Outlook 2024, there is a clear link between cyber resilience and CEO engagement. This year, 93% of respondents that consider their organisations to be leaders and innovators in cyber resilience trust their CEO to speak externally about their cyber risk. Of organizations that are not cyber resilient, only 23% trust their CEO’s ability to speak about their cyber risk.
Cybersecurity through the prism of ESG
From a risk management perspective, cybersecurity and ESG need to be more closely aligned. It has become increasingly obvious in the last few years that cybersecurity should be incorporated into the ESG framework.
It is good governance to make sure that you manage your cybersecurity and your data security. These days, the C-suite certainly needs to know how well the company's security team does its job, given GDPR and many other legislative requirements.
This is one perceived benefit of integration, particularly as both cybersecurity and ESG are becoming increasingly subject to regulatory compliance frameworks. Standardised frameworks can help stakeholders measure and understand a company’s risk assessments, governance and accountability.
To that end, efforts to both strengthen and standardise legislation in Europe are gathering pace. Recently the Cyber Resilience Act, DORA and NIS2 came into play, all of them bringing cyber security into legislation.
Financial aspect to consider
As part of this context, there is also the purely financial aspect to consider. Cybersecurity breaches threaten the value of business assets, and for some companies the value of stored data can be worth more than the physical infrastructure. The average cost of a cyber breach to an organisation is USD 3.6 million.
According to the World Economic Forum's Global Cybersecurity Outlook 2024, there is growing cyber inequity between organisations that are cyber-resilient and those that are not. At the Annual Meeting on Cybersecurity, 90% of cyber leaders believe that this inequity requires urgent action. 93% of leaders of organisations excelling in cyber resilience trust their CEO to speak externally about their cyber risk.
Complexities and vulnerabilities
Implementing ‘watertight’ cybersecurity is very difficult and there are many aspects to take into consideration. Even if a company has all the possible state-of-the-art controls and solutions in place, it may still have a human element that can be socially engineered, or a software vulnerability that was not patched in time and gets exploited. Companies, then, should understand that cyber-risk has a strong link to the social impacts of ESG and that the impact on the business and the wider community can be severe.
Managing personal data is both complex and important, and every company has challenges, but unless we quite rapidly start making it a key factor in how we manage the company, the situation is going to get worse. What we do in cyber insurance is that we underwrite every client separately. We look into the material provided by the client, and we look into the different cyber security controls they have in place today.
In terms of the broader scope of insurance, like traditional lines, we need to start to consider this as part of the ESG framework. We are investing in the risk, just in the same way as banks are investing in the future success of a company by giving them a loan, for example. Banks, of course, consider ESG factors as part of that process. So, we as an insurer also need to fully understand the implications of ESG, including the digital aspects.
Sustainable investments and climate risks
One further perceived benefit of integrated ESG and cybersecurity strategies is that cyber-related risks – that can threaten the viability and integrity of sustainability investments on critical infrastructure projects with ambitions to transition to renewable energy – can be mitigated.
Likewise, climate-related risks can negatively impact a company’s operations and increase safety risks and human error incidents, as well as reduce system reliability and cyber defence protocols. Integrating ESG and cybersecurity can potentially help companies and other stakeholders further understand that our cyber, physical and social worlds are becoming increasingly interconnected and that a disruption in one area can rapidly disrupt the whole.
The key issue for If is that the clients themselves know their risks and have the required controls in place and implemented to mitigate the risks that they have. Whatever investments are made in cybersecurity must be made on a risk-based approach, so the client must first understand what risk they are facing.
If a company deals with huge amounts of personal data, the controls mitigating the loss of that personal data become most important. But if it is a manufacturing company, then the protection of production lines, renewable energy supplies, the supply chain, continuity planning, and other issues will be more important.
One important thing that needs to happen is that the risk management organisation of a company needs to start working much more closely with the security department. They are on the same side. Cybersecurity has long been viewed as an IT issue, and teams often think too much about technology and don’t see the risk as much as they should. Conversely, risk management experts don’t really understand all the threats that they could be facing. Cybersecurity, then, should become more risk-focused, and risk management should become more cyber-focused.
A note of caution
However, if there is a push for companies to start reporting on their cybersecurity initiatives and incorporating them within the ESG framework on a broader scale, that could itself be a risky proposition, in the sense that some companies might report too much. Care is needed.
ESG is now a critical business framework that describes how businesses across the globe assess the impacts of their activities and investments, as well as their impact on stakeholders, like insurers, for example. For companies, failure to integrate ESG and cybersecurity strategies could mean that they are failing to address the fact that radical change is taking place globally. The risk for a company is that climate, societal or reputational-related damage could cost far more than a data breach or a costly insurance claim.
Does it serve a purpose to integrate cybersecurity into the framework of ESG? From a risk management perspective, we think the link is becoming increasingly obvious and that there is a significant added value in doing so.