In today’s data-driven world, cyber risk has emerged as one of the biggest threats to the global economy and is one of the top risks facing businesses worldwide. Data constitutes a staggering 90% of intangible asset value across companies, and with the average cost of a data breach now estimated at $4.45m, the stakes have never been higher. It is therefore not surprising that cybersecurity is increasingly at the forefront of corporate ESG agendas.
This article leverages insights from ERM’s internal cybersecurity experts and data to explore the cybersecurity landscape, how it pertains to ESG, and how corporate ESG and sustainability teams are addressing it.
Cybersecurity refers to the practice of protecting computer systems, networks, and data from theft, damage, or unauthorized access. In today’s digital age, where companies rely heavily on technology, cybersecurity is paramount to business continuity for several reasons:
- Data Protection – Companies store sensitive data, including customer information, financial records, and intellectual property. Breaches may result in severe financial and reputational damage.
- Legal and Regulatory Compliance – According to the United Nations Conference on Trade and Development, 137 out of 194 countries have enacted strict data protection and privacy laws that companies must adhere to or else pay hefty fines.
- Operational Continuity – Cyberattacks can disrupt operations, causing unplanned downtime and significant financial losses.
Cybersecurity is today considered an integral part of ESG. It began gaining traction as an ESG topic in the late 2010s, predominantly as a governance issue (thereby fitting under the “G” of ESG). ESG reporting frameworks such as the Global Reporting Initiative (GRI) and the Sustainability Accounting Standards Board (SASB) have since acknowledged cybersecurity’s materiality in corporate sustainability strategy. Examples of how cyberattacks can impact ESG matters include:
- Environmental pollution – A facility’s leak detection system fails or hackers take control of industrial systems, leading to water and soil pollution.
  - In 2021, hackers infiltrated a water treatment plant in Florida, enabling them to change the chemical levels of the water supply remotely. Similar attacks on water and wastewater treatment plants have also occurred in the US, Australia, and Israel.
- Occupational health and safety – An unanticipated shutdown of safety systems occurs, causing serious accidents including injuries and fatalities (particularly in manufacturing activities).
  - In 2014, a cyberattack targeting a German steel mill forced the shutdown of a blast furnace, causing significant damage to the facility and exposing workers to safety risks.
- Product and service safety – Products may need to be recalled due to their cybersecurity vulnerabilities or susceptibility to hacking.
  - In 2017, the US Food and Drug Administration recalled 500,000 pacemakers due to the risk of hackers running down the battery or altering the patient’s heartbeat, potentially leading to death.
  - In 2020, a hospital in Germany was forced to close its emergency department after a ransomware attack, causing the death of a patient.
Because cybersecurity exigencies are relatively novel, companies have been required to quickly recruit in a field in which they may have little experience. This challenge has been exacerbated by a mass scarcity of cybersecurity professionals in the job market, meaning that many often struggle to find the necessary talent and expertise. Nonetheless, as cyberattacks are a constant threat, companies have also faced both internal and external pressure to act fast and efficiently. Luckily, there are exemplary performers who can serve as inspiration for how to do so.
How have Companies Stepped Up?
Acknowledging the need for robust governance mechanisms to address cybersecurity exigencies, many companies have started by creating accountability at C-suite level under the umbrella of business risk rather than IT risk. For example, they may appoint committees that preside over cybersecurity or conduct regular risk assessments, demonstrating superior governance practice. Another example of good cybersecurity governance is employing a standardized framework to convert cybersecurity threats into financial terms. This approach provides a widely accepted management structure and allows for clear communication between experts and non-experts, typically with the end goal of achieving certifications and standards such as ISO/IEC 27001, ISAE 3402/3000, and SSAE 18.
Several leading organizations have undertaken the following measures to mitigate their exposure to cybersecurity risks:
- Employee Training & Culture – Training all employees on cybersecurity best practices and creating a culture of security awareness. For example, periodic awareness-raising, compulsory online quizzes and educational sessions, or cyberattack simulations all help to prevent cyberattacks at the source.
- Technology – Investment in advanced cybersecurity technologies, expertise, and tools helps companies stay ahead of cyber threats. For example, a company may implement a 24/7 Security Monitoring and Incident Response Plan.
- Return on Security Investment – Assessing the effectiveness of companies’ security investment. For example, a company may assess the financial value of an email security solution by determining the cost and quantifying the benefits of the investment itself.
Just like other companies, ERM has also taken steps to proactively manage risks related to cybersecurity. A decisive moment for ERM was the establishment of a governance system presiding over cybersecurity, which is managed by a dedicated team separate from the IT department supported by leadership. This approach enabled ERM to mobilize required resources to address the issue head on. ERM has also adopted a hybrid model, comprising a core cybersecurity team of internal professionals and outsourced expert-based functions, which made more sense financially. Lastly, ERM established security and awareness training programs, an incident response plan, and constant cybersecurity monitoring, which allowed us to strengthen our resilience to cyber threats by targeting them at the source.
Even with best practice measures, no company is cyber-bullet-proof; however, such measures do provide protection that allows companies to mitigate and control the potential ramifications of cyber threats. Looking ahead, several emergent capabilities are now presenting pathways for companies to further bolster their cybersecurity efforts:
- Artificial Intelligence (AI) and Machine Learning – These technologies can detect anomalies and potential threats in real time, improving incident response.
- Cyber Threat Intelligence – Leveraging threat intelligence to proactively identify emerging threats and vulnerabilities can prevent attacks altogether.
- Zero Trust Architecture – Adopting a "never trust, always verify" approach, where access is granted on a need-to-know basis, reduces the chances of attacks.
With cyberattacks constantly growing in complexity, companies should design advanced cyber programs that leverage AI to constantly adapt to this fast-paced, multifaceted threat. This is particularly relevant for industries that rely on sensitive data such as medical, financial, governmental, or personal customer information, which are highly exposed to cyber and data security risks.
How Can Your Organization Effectively Address Cybersecurity Concerns?
Cybersecurity should be made a priority in corporate ESG strategies and activities. Companies that have not yet implemented the best practices outlined in this blog should consider taking immediate action to ensure they are well-prepared for any cybersecurity-related issues that may arise. From our research, we’ve identified the following key actions that your organization can take to mitigate cybersecurity-related risks:
- Integrate Cybersecurity into ESG Strategy – Recognize that cybersecurity is now a critical component of ESG considerations and incorporate cybersecurity initiatives and reporting into your ESG agenda. It is critical that this drive comes from the top down and is supported by senior leadership.
- Establish Strong Governance Mechanisms – Create accountability for cybersecurity at the C-suite level, treating it as a business risk rather than just an IT risk, with respective committees and regular risk assessments.
- Invest in Employee Training and Culture – Train all employees on cybersecurity best practices and foster a culture of security awareness via regular awareness-raising activities, quizzes, and cyberattack simulations.
- Leverage Advanced Cybersecurity Technologies – Invest in advanced cybersecurity technologies, expertise, and tools to stay ahead of cyber threats, ideally with 24/7 Security Monitoring and an Incident Response Plan to detect and respond to threats immediately.
- Explore Emerging Capabilities – Consider adopting emerging technologies and practices to enhance cybersecurity efforts, such as AI and Machine Learning for real-time threat detection, Cyber Threat Intelligence, and a Zero Trust Architecture.