Why cybersecurity needs to be part of ESG

ESG (Environmental, Social, and Governance) policies tend to be viewed as being predominantly concerned with climate change and the social responsibilities of the company. They lay down ethical practices to safeguard not just the business but its ecosystem of partners and customers and the wider world. In this respect, it has much in common with other risk management practices within the company in that it aims to reduce the risks posed to those parties and to communicate how this is being achieved.

The key to managing risk is cybersecurity, with many now calling for this to be included in ESG, and it’s easy to see why. Events over the past few years have focused attention on the importance of cybersecurity in creating a resilient economy, from the rise in attacks due to the commercialisation of malware i.e. through RaaS (Ransomware as a Service), to the vulnerability of the supply chain, and the volatility of global relations which is seeing heightened risk from nation-state actors. All have heightened awareness of the vulnerability of the business and society at large.

People want to know that the business takes its responsibilities seriously when it comes to protecting their data and doesn’t just pay lip service to data protection regulations, with cyber insurance as a safety net. Investors, too, are now looking at cybersecurity posture analysis to determine the level of risk involved. In September 2022, Lombard Odier investment managers said cybersecurity risks within portfolio funds were shocking, leading it to apply ESG processes far more widely and to demand that these companies improve their cyber hygiene i.e. regularly patch their systems and follows industry best practice.

Cyber hygiene

Gaining that kind of insight can be achieved by developing an understanding of the security posture of the business and what needs to happen to improve its maturity. How effectively does it monitor the network for threats? How are those threats assessed and prioritised? Does it have incident response processes in place that can automatically remediate? The answers to these questions will reveal how quickly the business can curtail the impact of an attack, recover, and resume business as usual (BAU). But how do you ensure an appropriate level of transparency that gives insurers and investors the information they need without divulging too much information?

The answer lies in integrating cybersecurity frameworks into the ESG framework. Elements of baseline security standards such as ISO 27001 or Cyber Essentials can easily be incorporated into ESG reporting to give a comprehensive understanding of risk, governance, and accountability. Both can be used to create a risk profile of the business that then addresses cyber and physical risks that extend beyond the realms of the digital and reflect the interconnected nature of the business and the environment within which it operates. Just how much information is shared is also at the discretion of the business, and this can be discussed to determine what additional information is in its best interests to disclose.

The costs involved in a data breach are not just financial, however, and for many investors, the social responsibilities of the organisation to data subjects are also of the utmost importance. Some ethical investors will only back those who can prove they are looking to uphold the social aspect of ESG and are also using this to guide their own investment in resources by choosing vendors who observe honourable objectives such as those laid down by the United Nations Sustainable Development Goals (SDGs). 

The SDGs aim to address poverty, inequality, climate change, environmental degradation, peace, and justice on a universal scale and are also applicable to cybersecurity. SDG 9, for instance, refers to the need to build resilient infrastructure which echoes the drive to protect critical national infrastructure from attack, while SDG 16 states the need to build effective, accountable, and inclusive institutions, with public access to information, reflecting the need to give data subjects control over their own data but to protect it while it is in the care of the business.

The importance of oversight

However, as we’ve heard, many investors are having trouble getting the information they need to make an accurate assessment with regards to cyber in ESG, and that’s because there is a lack of oversight as well as poor cyber hygiene. Some may not have a CISO or CSO, and those that do may not have them report to the CEO, leading cybersecurity to be siloed. And even where there is a good relationship and regular reporting with collective decision-making, the CISO may not be fully informed if they don’t have visibility of what’s happening day-to-day in the information estate.

Centralising the cybersecurity function by reducing the cybersecurity stack can significantly help here. Collecting event data into a converged Security and Incident and Event Management (SIEM) with threats assessed and context added via User Behaviour and Entity Analytics (UEBA) and automated investigation and response by Security Orchestration Automation and Response (SOAR) sees processing happen within the same platform. This not only makes it easier to deal with issues but also streamlines reporting and provides the CISO with a single pane of glass through which to assess the security posture. Being able to lay hands on this information will be vital as cyber becomes more entwined with ESG efforts. 

Today, ESG rating agencies often take into account cyber resilience in their ESG scores, with its weighting varying depending on the sector (it is higher in retail and telecoms, for instance). The more information those agencies can access, the more informed that assessment will be and the more assurance it will give to interested parties, such as insurers and investors. But consider also the impact of a breach. Publicly disclosed, this information could have the power to degrade the ESG score of the business but what can counter that is information on how the breach was dealt with. How effectively was it detected and contained? Was the incident response swift to react? Were the authorities and data subjects informed speedily? And just as importantly, how has the business adjusted practices post-breach to mitigate the risk, and drive down Mean Time to Detect and Mean Time to Respond (MMTD/MTTR)?

What’s clear is that cybersecurity is no longer an outlier when it comes to ESG. Those who are able to seize the initiative, streamline their operations and their reporting, and use that to create greater transparency over how data is handled, protected, and defended, will inevitably stand to gain as insurance premiums rise, investors demand more information, and people more accountability.