Why is cybersecurity a growing ESG concern?

As the consequences of their actions ripple out to the world at large, companies now have to answer to more than just their stockholders.

Regulators, investors, and an increasingly-engaged public have heightened corporate scrutiny; under pressure from global investor groups¹ and new sustainability reporting regulations², companies have begun including environmental, social, and governance (ESG) disclosures in their financial reporting.

ESG is a tangible means of evaluating corporate behaviour—a series of objective benchmarks that focus on three key areas:

● Environmental data: how the company manages their resources and cares for the environment

● Social data: how well the company treats its clients and workers; how its management makeup reflects society’s diversity

● Governance data: information on the company’s internal governance and share class structure

ESG disclosures often reveal opportunities or risks that conventional financial analysis cannot adequately spell out. Consider cybersecurity: given today’s cloud-based and Internet-connected technology’s global reach, what ESG risks lie on the flipside of network technology’s benefits—and what are their implications for investors and the wider public?

In previous decades, the cost of cyberattacks proved mere chump change, as critical infrastructure like power generation plants and other public utilities were not connected to the Internet. That’s all in the past, as the rising cost of breaches and the increasing interconnection of critical utilities have advanced cyberattacks’ worst-case impacts.

According to recent research by IBM/Ponemon Institute³, the average cost of a data breach in 2021 is US$4.24 million, a 10% increase from the average in 2019⁴ (US$3.86 million). In Singapore, the government imposed a record fine of S$1 million⁵ on parties involved in the 2018 SingHealth breach that exposed the personal data of 1.5 million patients.

Public utilities’ operational technology/control systems’ connectivity has also made them tempting targets for cyber criminals, as demonstrated by recent, repeated cyberattacks by advanced persistent threats⁶ (APTs) in the Asia-Pacific region. According to the 2021 RBC Global Asset Management Responsible Investment Survey⁷, some 15% of Asia respondents rated cybersecurity/data privacy as a major ESG concern, with 10% considering it a “make or break” issue.

No surprise there–cybersecurity affects all ESG’s three pillars.

Cyberattacks on critical infrastructure like oil and gas production, manufacturing and chemical production, and marine systems can inflict a cataclysmic impact on the environment–causing “fires, explosions, and hazardous material releases that result in bodily injury, property damage, environmental remediation expense, and significant legal liability claims,” as an AXA XL paper explains⁸.

A sufficiently damaging cyber breach can also affect a company’s social standing. Cybersecurity failures can impact a company’s relationships with its workforce, the communities it serves, and political decision-makers. Never mind the effect on the bottom line; the reputational cyberattack costs may be difficult to bounce back from.

Finally, a company’s resilience against cyberattacks depends in large part on the leadership’s buy-in on cybersecurity. A company’s ESG standing may suffer if its governance fails in the event of an attack, particularly if its risk governance models⁹ have not been updated to cover cyber risk.

With these consequences in mind, companies must address cybersecurity concerns, not just for short-term impact, but also to satisfy questions from investors, stakeholders, and the wider public. Aligning cybersecurity with broader ESG factors require companies to take an organised approach to cybersecurity strategy, execution, and reporting.

Companies can address cybersecurity’s ESG impacts by taking four critical steps:

1. Build a cybersecurity strategy. Companies should create a plan that can identify present and potential vulnerabilities, and formulate a response to credible threats. Any effective strategy depends on adopting privacy and cybersecurity by design—an approach to cybersecurity “that builds in risk thinking from the onset¹⁰”, instead of considering them after the fact. This involves integrating privacy and cybersecurity into the design, operation, and management of the company’s systems and business practices.

Beyond simply helping staff to navigate the cyberattack risks, the plan can also reassure shareholders and the public that the company takes a proactive attitude towards cyber risk.

2. Formulate cybersecurity governance. Build accountability into cybersecurity: the company should identify the principals in charge of implementing the cybersecurity action plan; and develop privacy and data governance metrics that monitor cybersecurity-related ESG goals’ progress over time.

By building a leadership and accountability structure around the company’s cybersecurity, the management team and regulators can gain meaningful insight into the company’s cybersecurity-related issues, and hold business units and programs to account.

3. Align with external cybersecurity frameworks. Companies should consider applicable legislation and relevant industry standards and frameworks, and examine how well their governance frameworks comply with these standards.

These range from ESG-specific regulations, like the European Union’s Sustainable Finance Disclosure Regulation (SFDR)¹¹ and the climate and diversity disclosures¹² required by the Singapore Exchange (SGX); to data security regulations, like the European Union’s General Data Protection Regulation¹³ and the Singapore Personal Data Protection Act (PDPA)¹⁴.

4. Create a culture of accountability and transparency. Cybersecurity needs to be built into the company’s internal processes, at all levels. First, buy-in from the board and senior management must be secured, to ensure sustained progress on all cybersecurity initiatives. Management must be periodically appraised on information security and data governance issues; it can no longer be the IT department’s sole purview.

To protect any cybersecurity weak links, non-IT rank and file employees must also receive periodic cybersecurity training. Internal audits of cybersecurity practices and controls must be regularly undertaken.

Finally, the leadership must make full disclosures around data ethics and cybersecurity issues. High transparency demonstrates to customers and other stakeholders that data is being collected, stored, processed, and protected in an ethical manner. It shows the leadership’s awareness of their cybersecurity strategy’s broad social impact.

Cybersecurity is no longer a pure technology issue: it’s also an issue for investors and other stakeholders, who demand up-to-date disclosures on data protection and information security policies to better inform capital allocation and investment decision-making.

Tap Singtel’s pool of experienced, certified cybersecurity advisors that can secure your network, protect vital IT assets, and respond to threats in real-time. With Singtel on your side, you can provide peace of mind for your customers, and ensure that your cybersecurity can stand up to the most revealing ESG disclosures.

Speak to us now to find out how you can weave cybersecurity into your ESG goals.

References:

¹ PRI, Investor groups call on companies to reflect climate-related risks in financial reporting, 2020.

² S&P Global, New EU ESG disclosure rules to recast sustainable investment landscape, 2021.

³ IBM, Cost of a Data Breach Report, 2021.

⁴ IBM, Cost of a Data Breach Report, 2019.

⁵ The Straits Times, Singapore's privacy watchdog fines IHiS $750,000 and SingHealth $250,000 for data breach, 2019.

⁶ SOCRadar Cyber Intelligence Inc.,Top 5 Cyber Attacks in the Asia Pacific (APAC) in 2021, 2021.

⁷ RBC Global Asset Management, 2021 Key Findings: Responsible Investment Survey, 2021.

⁸ AXA, Environmental risks: cyber security and critical industries, 2020.

⁹ Harvard Law School Forum on Corporate Governance, Cybersecurity: An Evolving Governance Challenge, 2020.

¹⁰ EY - Global, How to manage cyber risk with a Security by Design approach, 2020.

¹¹ EUROSIF - Sustainable Finance Disclosure Regulation (SFDR)

¹² Allen & Gledhill, SGX mandates climate and board diversity disclosures, 2022.

¹³ Intersoft Consulting - General Data Protection Regulation (GDPR)

¹⁴ Singapore Statutes Online - Personal Data Protection Act 2012