Chris Brown, of New Cyber Executive, explains why managing cyber risk is a key part of ESG strategy.

Cybersecurity is an emerging threat to business sustainability. It’s more important than ever to understand what it is, why it’s important and how to manage it. Companies shouldn’t treat it as a compliance cost or technical issue for the IT team. Cybersecurity is a strategic function essential to the long-term sustainability of business and its management of environmental, social and governance (ESG) considerations.

The changing landscape of cybersecurity

Business leaders, investors and regulators are increasingly aware of the growing costs of weak cybersecurity. Whether driven by organised hackers, insiders, competitors, hostile foreign powers, poor configuration or third-party vendors, cyber threats are growing in severity and frequency.

The impact of cyber threats to data and systems, within and outside an enterprise, can result in significant economic, operational, legal and reputational costs, and ultimately threaten licence to operate.

In addition, cyber threats can ripple out to harm stakeholders including customers, employees and local communities. This can be devastating for the people and organisations affected, especially in the government services, financial services, utilities and healthcare sectors.

However, cybersecurity has traditionally been out of scope of legislation and regulation, with most cybersecurity policies based on best practice rather than regulatory requirements. A new raft of regulation by the Securities and Exchange Commission (SEC) in the US is changing that. New rules and proposals are mandating better cyber governance and greater disclosure at both public companies and the fund managers who invest in them. In the UK, the General Data Protection Regulation (GDPR) mandates risk management of cybersecurity and requires that data is processed securely and in a way that protects privacy rights.

Businesses traditionally rely on insurance to manage cyber risk, but this too is changing. Insurers are limiting the scope of cyber policy coverage as demand for insurance grows and courts side with policyholders. In addition, making an insurance claim increasingly involves the insurer evaluating the claim against the company’s security disclosures at the time of application and renewal, which can adversely affect the feasibility and cost of future coverage. This makes insurance an unsustainable way of managing cyber risk in an ever-more challenging threat landscape.

How to manage cyber risk and business sustainability

With cybersecurity regulation on the rise, and reliance on cyber insurance falling, organisations must focus on cybersecurity governance and strategy to ensure business resilience and sustainability.

Companies should look to align their cybersecurity efforts with their environmental, social and governance (ESG) strategies. ESG is a framework for considering sustainability-related risks and opportunities and incorporating them into business strategy and operations. It’s therefore an ideal framework for companies to adopt when thinking about the impacts of cyber risk, both within and outside their organisation, and how to develop and implement cyber strategies at every level of the enterprise.

Businesses should consider cybersecurity under each strand of ESG. For example, under the environmental component of ESG, management should recognise that cybersecurity is essential for safeguarding the digital infrastructure supporting environmental sustainability, and that cyber risk is a significant threat to that infrastructure.

For example, the technologies underpinning climate change mitigation are highly dependent on cybersecurity, including the systems used in renewable energy generation, electric vehicles and smart grids. Protection from cyber threats is critical to their resilience, integrity and availability, especially as these systems grow increasingly interconnected.

In terms of the social component of ESG, cyber risk is a threat to the stability of civil society. Cyber-attacks on critical infrastructure, such as utilities, financial networks and healthcare, can disrupt the provision of essential services, corrode trust in public institutions and foment civil unrest.

Whether driven by geopolitical tension or organised crime, cyber threats can undermine the critical functions that underpin economic and national security, public health, and the safety and freedom of citizens.

Under the governance pillar of ESG, financial reporting, administrative systems and diversity and inclusion initiatives all rely on effective data collection, analysis and management. Cybersecurity measures are essential to ensuring the integrity of this critical data and protecting against unauthorised access, tampering or theft.

Steps for businesses to take

CEOs and boards play a crucial role in spearheading cybersecurity. They should clarify their cybersecurity leadership and oversight responsibilities, verify that cyber reporting lines and responsibilities are clear, and ensure cyber budgets are sufficient relative to the level of risk.

In addition, business units and functions should be cognizant of their cybersecurity obligations and incorporate them into their risk management and decision making.

Organisations should define the priority roles needed to achieve cybersecurity objectives, develop job descriptions for them, and determine a talent development plan for the cyber team.

By nurturing a strong cyber function, businesses can better identify their critical assets, understand their cyber threats, and manage risk and operations accordingly.

The way forward

In an increasingly digital and interconnected global economy, companies must pay greater attention to cybersecurity. By implementing effective cybersecurity, business leaders can help protect the sustainability of their own business, safeguard essential infrastructure, bolster economic security and ultimately help ensure peace, inclusion and resilience for future generations.

When seen through the lens of sustainability, rather than technology or compliance, cybersecurity is clearly a strategic imperative for business. Effective cybersecurity can ensure the business exploits the opportunities that technology brings while strengthening sustainability over the long term.

Chris Brown is CEO and Executive Coach at New Cyber Executive. He has worked with Nike, Ernst & Young, and the California Judicial Branch, among other top organisations.

newcyberexecutive.com