Cybersecurity on the ESG agenda for investors, regulators
With the number of cyber threats facing businesses growing by the day, cyber risk management is becoming a priority for many organisations. Investors are also becoming more attuned to the impact cybercrime can have on businesses, and are making it central to the environmental, social and governance (ESG) analysis they carry out on a company’s sustainability. But this information is often difficult to come by, with businesses still reticent to disclose cyber incidents in full. Developing standards around cyber incident reporting could help.
Government data released in March laid bare the problem facing UK businesses when it comes to cybercrime. The Cyber Security Breaches Survey 2022 from the Department for Digital, Culture, Media & Sport (DCMS) shows that 39% of companies fell victim to at least one cyberattack in the past year; 31% of businesses and 26% of charities estimated they were attacked at least once a week, with criminals deploying phishing attacks, ransomware and distributed denial of service
For businesses, putting cybersecurity at the heart of ESG strategies is vital to demonstrate good governance. “Cyber risk is the most immediate and financially material sustainability risk that organisations face today,” argue Anna Sarnek and Cristina Dolan in an article for the World Economic Forum. “Those that fail to implement good governance on cybersecurity, using appropriate tools and metrics, will be less resilient and less sustainable.”
ESG and cybersecurity: how important is risk management?
The Covid-19 pandemic, which saw a steep increase in the number of cyberattacks globally, also served as a wake-up call for the investment community when it comes to ESG and cybersecurity. The pandemic “amplified the challenges of dealing with cybersecurity risks,” says Betina Vaz Boni, senior analyst for corporate governance at Principles for Responsible Investment (PRI), a United Nations-backed organisation promoting sustainable investment.
“Cybersecurity threats continue to evolve at a rapid pace, with an increasing number of data breaches with severe impacts in the past few months,” Vaz Boni says. “While some investors have been comprehensively engaging with portfolio companies on this for years to mitigate risks and identify opportunities, many more are only just recognising the need to do so given its systemic relevance and the potential severity of impact.”
Alongside the increasing threat level, digital transformation has also moved cybersecurity up the investment agenda, says Katerina Kosmopoulou, partner and portfolio manager at asset manager J.Stern & Co. “Businesses that historically were not digitised, in things like infrastructure and industrial settings, are now starting to rely on digital supply chains,” she says. “That means cybersecurity, and how those risks are being addressed, is key.”
For businesses themselves, making cybersecurity central to ESG strategies is vital for three reasons, Sarnek and Dolan argue in their WEF article. It helps protect intangible assets, such as data, and it protects society from the potential impacts of a damaging cyberattack such as the Colonial Pipeline breach last year, which caused fuel shortages on the East Coast of the US.
"Instead of implementing governance around cybersecurity, organisations have heavily relied on insurance to manage the risk," Sarnek and Dolan write. "But as courts rule in favour of policyholders, insurers will continue to narrow the scope of the cyber policy coverage, limiting the extent to which organisations can rely on it to mitigate the risk."
What do businesses tell investors about cybersecurity incidents?
While investors are keen to get their hands on data around cybersecurity, companies seeking investment are not always forthcoming. Many cyber incidents are resolved privately and go completely unreported. "A lot of information that gets provided to investors [about cybersecurity] is top-level and usually qualitative," Kosmopoulou says. "For obvious reasons, companies don't want to disclose too much, so we have to look at a company's broader digital capabilities, and the expertise they have and make a judgement."
Some companies are concerned that too much disclosure may draw "undesired scrutiny from hackers", says PRI's Vaz Boni. Others "are at early stages in terms of building an understanding of the issue, and therefore are not prepared to put detailed information in the public domain," she adds. "The lack of public disclosure makes it difficult for investors to differentiate between those companies that are proactively developing, monitoring, and managing cybersecurity risks versus those failing to prioritise these risks."
Vaz Boni says this represents a positive direction of travel, but there is still work to do. "Companies signalled different levels of comfort in effectively communicating cybersecurity matters internally and externally," she says. "While it was clear that companies were actively reporting to their boards on the number of cyber breach incidents and their impact, the conversations often did not describe escalation mechanisms and the type of incidents that triggered reporting."
She adds: "Companies were more inclined to talk openly about their cyber policies and procedures if a peer had been affected by a cyber-related incident, or if they had experienced a severe incident previously."
ESG: how can businesses improve cybersecurity governance to impress investors?
Even if they don't want to disclose full details of incidents, J.Stern's Kosmopoulou says businesses can show investors they are focused on cybersecurity by ensuring their governance structures reflect this. "We would look at whether the board and senior management have expertise in cybersecurity and broader IT, and where [cybersecurity] lies in the reporting structure," she says. "If it's up to board or senior management level, you can think they take it seriously and it's at the heart of what they do. If not, that's a red flag."
Similarly, Kosmopoulou says, cybersecurity should feature prominently in any risk mapping carried out by companies as part of their ESG strategies. "The board will normally have a map of risks to the business," she says. "And cybersecurity should be right up there as something that comes up as a main issue in any risk assessment."
More broadly, standards for cyber incident reporting would be a welcome development, PRI's Vaz Boni says. In March, US financial regulator the Securities and Exchange Commission proposed new rules around cyber reporting, which would introduce a periodic requirement to report cyber incidents, update on past breaches and outline security risk management policies. "I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner," SEC chair Gary Gensler said at the time. Consultation on the plans runs until May 9.
Vaz Boni says the PRI "welcomes regulations on the topic", adding: "Regulations on cybersecurity can help drive standardised and transparent disclosure from companies."