With the number of cyber threats facing businesses growing by the day, cyber risk management is becoming a priority for many organisations. Investors are also becoming more tuned in to the impact cybercrime can have on businesses, and are making it central to environmental, social and governance (ESG) analysis they carry out of a company’s sustainability. But this information is often difficult to come by, with businesses still reticent to disclose cyber incidents in full. Developing standards around cyber incident reporting could help.
Government data released in March laid bare the problem facing UK businesses when it comes to cybercrime. The Cyber Security Breaches Survey 2022 from the Department for Digital, Culture, Media & Sport (DCMS) shows that 39% of companies fell victim to at least one cyberattack in the past year, with 31% of businesses and 26% of charities estimating they were attacked at least once a week, with criminals deploying phishing attacks, ransomware and distributed denial of service
The DCMS report says the average breach cost £4,200, rising to £19,400 where only medium and large businesses are taken into account. The cost and frequency of breaches means it is no surprise that how companies deal with them is becoming a big factor in investment decisions.
For businesses, putting cybersecurity at the heart of ESG strategies is vital to demonstrate good governance. “Cyber risk is the most immediate and financially material sustainability risk that organisations face today,” argue Anna Sarnek and Cristina Dolan in an article for the World Economic Forum. “Those that fail to implement good governance on cybersecurity, using appropriate tools and metrics, will be less resilient and less sustainable.”
ESG and cybersecurity: how important is risk management?
The Covid-19 pandemic, which saw a steep increase in the number of cyberattacks globally, also served as a wake-up call for the investment community when it comes to ESG and cybersecurity. The pandemic “amplified the challenges of dealing with cybersecurity risks,” says Betina Vaz Boni, senior analyst for corporate governance at Principles for Responsible Investment (PRI), a United Nations-backed organisation promoting sustainable investment.
“Cybersecurity threats continue to evolve at a rapid pace, with an increasing number of data breaches with severe impacts in the past few months,” Vaz Boni says. “While some investors have been comprehensively engaging with portfolio companies on this for years to mitigate risks and identify opportunities, many more are only just recognising the need to do so given its systemic relevance and the potential severity of impact.”
Alongside the increasing threat level, digital transformation has also moved cybersecurity up the investment agenda, says Katerina Kosmopoulou, partner and portfolio manager at asset manager J.Stern & Co. “Businesses that historically were not digitised, in things like infrastructure and industrial settings, are now starting to rely on digital supply chains,” she says. “That means cybersecurity, and how those risks are being addressed, is key.”
For businesses themselves, making cybersecurity central to ESG strategies is vital for three reasons, Sarnek and Dolan argue in their WEF article. It helps protect intangible assets, such as data, and protects society from the potential impacts of a damaging cyberattack such as the Colonial Pipeline breach last year, which caused fuel shortages on the East coast of the US.
Introducing good governance around cybersecurity can also reduce the reliance on cyber insurance, which is becoming harder to obtain as the number of breaches increases, as Tech Monitor reported earlier this year.
"Instead of implementing governance around cybersecurity, organisations have heavily relied on insurance to manage the risk," Sarnek and Dolan write. "But as courts rule in favour of policyholders, insurers will continue to narrow the scope of the cyber policy coverage, limiting the extent to which organisations can rely on it to mitigate the risk."
What do businesses tell investors about cybersecurity incidents?
While investors are keen to get their hands on data around cybersecurity, companies seeking investment are not always forthcoming. Many cyber incidents are resolved privately and go completely unreported. "A lot of information that gets provided to investors [about cybersecurity] is top-level and usually qualitative," Kosmopoulou says. "For obvious reasons, companies don't want to disclose too much, so we have to look at a company's broader digital capabilities, and the expertise they have and make a judgement."
Some companies are concerned that too much disclosure may draw "undesired scrutiny from hackers", says PRI's Vaz Boni. Others "are at early stages in terms of building an understanding of the issue, and therefore are not prepared to put detailed information in the public domain," she adds. "The lack of public disclosure makes it difficult for investors to differentiate between those companies that are proactively developing, monitoring, and managing cybersecurity risks versus those failing to prioritise these risks."
Businesses are becoming more transparent on cybersecurity, according to research from PRI. Its Engaging on cyber security project saw it work with 55 investment funds, who consulted with 53 of their portfolio companies on issues around cyberdefence strategies. The study compared attitudes in 2017 and 2019, assessing cybersecurity governance on 14 indicators including legal compliance, expertise, policies and training. It found that by 2019 the average number of indicators met had risen to 8.5, from 6.1 in 2017. The number of companies meeting ten or more of the indicators had risen from 13% to 42% in that time period.
Vaz Boni says this represents a positive direction of travel, but there is still work to do. "Companies signalled different levels of comfort in effectively communicating cybersecurity matters internally and externally," she says. "While it was clear that companies were actively reporting to their boards on the number of cyber breach incidents and their impact, the conversations often did not describe escalation mechanisms and the type of incidents that triggered reporting."
She adds: "Companies were more inclined to talk openly about their cyber policies and procedures if a peer had been affected by a cyber-related incident, or if they had experienced a severe incident previously."
ESG: how can businesses improve cybersecurity governance to impress investors?
Even if they don't want to disclose full details of incidents, J.Stern's Kosmopoulou says businesses can show investors they are focused on cybersecurity by ensuring their governance structures reflect this. "We would look at whether the board and senior management have expertise in cybersecurity and broader IT, and where [cybersecurity] lies in the reporting structure," she says. "If it's up to board or senior management level, you can think they take it seriously and it's at the heart of what they do. If not, that's a red flag."
Similarly, Kosmopoulou says, cybersecurity should feature prominently in any risk mapping carried by companies as part of ESG strategies. "The board will normally have a map of risks to the business," she says. "And cybersecurity should be right up there as something that comes up as a main issue in any risk assessment."
More broadly, standards for cyber incident reporting would be a welcome development, PRI's Vaz Boni says. In March, US financial regulator the Securities and Exchange Commission proposed new rules around cyber reporting, which would introduce a periodic requirement to report cyber incidents, update on past breaches and outline security risk management policies. "I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner," SEC chair Gary Gensler said at the time. Consultation on the plans runs until May 9.
Vaz Boni says the PRI "welcomes regulations on the topic", adding: "Regulations on cybersecurity can help drive standardised and transparent disclosure from companies."