With these consequences in mind, companies must address cybersecurity concerns, not just for their short-term impact, but also to satisfy questions from investors, stakeholders, and the wider public. Aligning cybersecurity with broader ESG factors requires companies to take an organised approach to cybersecurity strategy, execution, and reporting.
Companies can address cybersecurity’s ESG impacts by taking four critical steps:
1. Build a cybersecurity strategy. Companies should create a plan that can identify present and potential vulnerabilities, and formulate a response to credible threats. Any effective strategy depends on adopting privacy and cybersecurity by design—an approach to cybersecurity “that builds in risk thinking from the onset” [10], instead of considering them after the fact. This involves integrating privacy and cybersecurity into the design, operation, and management of the company’s systems and business practices.
Beyond simply helping staff to navigate the cyberattack risks, the plan can also reassure shareholders and the public that the company takes a proactive attitude towards cyber risk.
2. Formulate cybersecurity governance. Build accountability into cybersecurity: the company should identify the principals in charge of implementing the cybersecurity action plan, and develop privacy and data governance metrics that monitor the progress of cybersecurity-related ESG goals over time.
By building a leadership and accountability structure around the company’s cybersecurity, the management team and regulators can gain meaningful insight into the company’s cybersecurity-related issues, and hold business units and programs to account.
3. Align with external cybersecurity frameworks. Companies should consider applicable legislation and relevant industry standards and frameworks, and examine how well their governance frameworks comply with these standards.
These range from ESG-specific regulations, like the European Union’s Sustainable Finance Disclosure Regulation (SFDR) [11] and the climate and diversity disclosures [12] required by the Singapore Exchange (SGX), to data security regulations, like the European Union’s General Data Protection Regulation [13] and the Singapore Personal Data Protection Act (PDPA) [14].
4. Create a culture of accountability and transparency. Cybersecurity needs to be built into the company’s internal processes, at all levels. First, buy-in from the board and senior management must be secured, to ensure sustained progress on all cybersecurity initiatives. Management must be periodically apprised of information security and data governance issues; these can no longer be the IT department’s sole purview.
To shore up any cybersecurity weak links, non-IT rank-and-file employees must also receive periodic cybersecurity training, and internal audits of cybersecurity practices and controls must be undertaken regularly.
Finally, the leadership must make full disclosures around data ethics and cybersecurity issues. High transparency demonstrates to customers and other stakeholders that data is being collected, stored, processed, and protected in an ethical manner. It shows the leadership’s awareness of their cybersecurity strategy’s broad social impact.