Adding C to ESG: why cyber risk management is a critical ESG factor in your investment decision-making
While we all know that there is no C letter in “ESG”, growing demand for transparency dictates new additions to the regular standards in assessing a company’s sustainability and its societal impact. Apart from perennial concerns such as environmental and social topics being at the forefront of every investor’s mind, there is now a new, crucial element missing in the ESG puzzle, which affects literally every business in the world and can pose significant risk to your investment portfolio if not properly considered and addressed: cyber risk.
ESG and cyber risk: so what’s the link?
The purpose of ESG frameworks was initially to establish a company’s stance on the environment, its societal impact, and how the company is governed. This was to protect investors from investing in a company that might be profitable but had hidden unethical practices. The ESG strategy for a business provides potential investors with insights into those aspects of a company that determine how safe an investment it is. ESG differs from many of the other criteria that businesses have traditionally followed, as it focuses on social and environmental issues. This has led to ESG being seen by some businesses as a form of box-ticking, but it has become one of the increasingly solid sets of criteria for a company to remain investable since COVID caused widespread uncertainty about the future of many businesses.
But how does ESG link with cyber risk? Well, in an era of digitalisation and interconnection, cyber risk is ranked as the most immediate and financially significant sustainability risk facing businesses globally, and ESG strategies present an enormous opportunity to incorporate the vital services of cyber risk management into ESG governance. Not only would this bolster and secure the work already done by ESG frameworks to make companies more sustainable, but it would provide a new baseline for good cyber hygiene in corporate culture. Ultimately investors want to know their investment is secure and sustainable, and cyber risk management is vital to that process.
There is even further nuance to this issue. Whilst the importance of incorporating cyber risk management into existing ESG reporting can’t be overstated, it may not always be evident just how big of a problem unchecked cyber risk can be, and exactly how this ever-evolving threat affects all three of ESG’s pillars. Luckily, we’re here to shine some much-needed light on this “little-known” detail.
Cyber risk and environmental factors
Cyber risk management is not an isolated aspect of ESG; it impacts every single aspect of the strategy. Cyber threats have massive ramifications for the environmental responsibility of organisations. With the upswing in cyber incidents that target the oil and gas industry, including the high profile Colonial Pipeline hack, cyber risk is one of the most pressing concerns for organisations looking to expand and solidify their ESG initiatives.
Cyber attacks are closely linked to disruptions concerning climate change. Both are concerns that are not only a constant threat, but also constantly growing and evolving. The effects of climate change are hard to predict so it’s important to stay ahead of the curve. With businesses’ impact on climate change becoming increasingly an area of public scrutiny, cyber risk management strategies are absolutely necessary for any business to protect themselves from devastating environmental fallouts after a cyber attack.
Cyber risks are inextricably linked to environmental risks. Effects of climate change such as heatwaves, floods, and wildfires all pose a threat to business operations, including system availability, and health and safety. The converse is also true; a successful cyber attack could have massive ramifications for a company’s pledge to be sustainable. Many businesses in critical infrastructure sectors operate technology that is increasingly connected. These operational technologies are at the core of critical processes and face an increasing number of cyber threats, including from highly sophisticated nation-state actors. Potential attacks against these systems threaten to stop production, impair the integrity of safety-critical systems or even cause physical damage or personal injury. As recently as 2021, there was an attempted cyber attack on a Florida water treatment facility which would have increased the amount of sodium hydroxide in the water to an incredibly dangerous and toxic level.
The fallout from a cyber attack that targets the environment in this way would be completely devastating, demonstrating how utterly crucial it is for a company to implement an effective cyber risk management strategy into their ESG framework.
Cyber risk and social factors
Cyber risks are not only linked to the environmental factors of a company’s ESG framework; they also have a direct effect on the societal impact of a business.
A common motivation for cyber attacks is to steal data that can be used for identity theft, financial theft, and realistic phishing attacks. These attacks all rely on stealing personally identifiable information (PII), including name, address, medical records, bank details, and so on, all of which can be sold on the dark web. If a company suffers a successful cyber attack and the details of millions of customers are made public, the likelihood of vulnerable groups or marginalised communities suffering the most impact from their data being exposed is extremely high.
The widespread societal impact of cyber attacks has been highlighted by the war between Russia and Ukraine, in which Ukrainian critical infrastructure companies are on the radar of cyber criminals more than ever. Although Russia has repeatedly denied targeting civilian infrastructure in its attacks, cyber attacks have continued since the initial invasion, with government and financial websites being targeted, as well as NGOs, non-profits, and aid organisations. These all have the effect of disrupting relief efforts for those most affected by the war. Phishing attacks have also targeted Ukrainian citizens and telecommunication service providers with the aim of spreading false news. In March of 2022, Ukrainian government organisations were infiltrated by a series of malware attacks, and days later, a disinformation campaign was launched on the Ukrainian news network Ukraine 24, claiming that Volodymyr Zelenskyy had called on Ukraine to surrender. Further cyber attacks disrupted Ukraine’s national telecommunications company, Ukrtelecom, leaving most of the country without internet access.
Never has the link between cyber risk management strategies and the impact on a business’s ESG framework been more stark than in this time of humanitarian crisis and geopolitical turmoil. To prevent this from happening to your investments, effective cyber risk monitoring should go hand in hand with formulating an ESG management strategy in order to avoid widespread damage.
Cyber risk and governance factors
The ESG framework and cyber risk management strategy of a business matter not only for how the business affects the planet or society: investor companies are also increasingly subjecting organisations to greater regulation and compliance checks before investing.
Intangible value – the value of assets that are not physical such as brand recognition, trademarks, copyright, intellectual property, and proprietary technology – currently represents 90% of an organisation’s asset value. Intangible value has grown significantly in the last few decades as the world witnessed the integration of digital technology into all aspects of a business. In response to the COVID-19 pandemic and a forced shift to remote operations, businesses have accelerated the digitisation of their assets more than ever before.
This increased asset digitisation, and the resulting increased dependence on technology, has made data the world’s most valuable asset. Think of the amount of data each of your investments gathers and processes daily, be it personally identifiable information, financial data, or any other sensitive information which is not intended for prying eyes. Data has become not only a critical and valuable asset for any organisation, but also the asset most vulnerable to those looking to capitalise at someone else’s expense: cybercriminals. As a business grows, so does its intangible value, which in turn increases the potential impact of a successful cyber attack.
It’s no surprise, therefore, that governance of data and technology is now a key element of effective cyber risk management. GDPR regulations are strict and punitive, with data breach fines being levied that could damage an organisation’s bottom line if it hasn’t taken adequate precautions to protect its own and its clients’ data. A case in point: mobile communication giant T-Mobile lost the personal information of more than 76.6 million of its current, former, and prospective users due to an internet-exposed router with a security vulnerability. It agreed to pay $350 million to settle multiple class-action suits filed after the company disclosed last August that personal data such as social security numbers had been stolen as a result of a data breach.
Unfortunately, when a company suffers a data breach, there is more at stake than just substantial financial losses. A more far-reaching implication of data loss, reputational damage, can affect its stock value and your investment capital. A stark example is the US online stock trading platform Robinhood, which suffered a data breach last November that exposed the names or email addresses of more than 7 million of its customers. Even after the company issued a statement saying it had contained the attack and believed no customer had suffered financial loss as a result of the hack, Robinhood’s stock fell 3.8%. Sadly, this is just one example of many.
The longer-term impact on reputation can’t be ignored either. According to Aon and Pentland Analytics’ report “Reputation risk in the cyber age”, the impact of a cyber incident on shareholder value can be substantial and sustained with some companies in the report showing a fall of 25% in their market value over the year following an attack.
Many companies believe in trading insurance for governance, abdicating responsibility because they know they’ll be covered in the event of a successful breach. However, the rise in attacks and the increase in the cost of these breaches have been so rapid that insurance companies are now enforcing much more stringent criteria for their insureds.
As risk management strategies incorporate ESG frameworks more and more prominently, cyber threats are one of the top concerns within the governance sector for investors. Swiss asset management company Lombard Odier spoke to Bloomberg recently about how becoming aware of their investments’ cyber risk profile pushed them towards seriously considering the benefits of a rigorous ESG framework. They commented that they discovered “shocking” results during their analysis of cyber risks lurking in portfolio companies, and as a result they included their cyber risk management strategy in their ESG framework, in order to better protect their assets from losses. Lombard Odier also noted that after screening upwards of 500 companies a month to detect software vulnerabilities, they discovered that roughly 20% are running outdated and exploitable software. Jeroen van Oerle, the portfolio manager of Lombard Odier’s Global FinTech fund, stated that their firm wants to treat “cybersecurity risks the same way as we look at climate-related risks, or water usage risks, or corporate governance risks.” We couldn’t agree more!
This year in the US, the Securities and Exchange Commission has proposed requirements for organisations to disclose their cybersecurity governance, and the policies and procedures that they have in place to identify and manage cyber risks. As we’ve just discussed, cyber risks are integral to all the pillars of an ESG framework, but the governance factor is receiving the most accelerated action in terms of active regulatory requirements and therefore should be regarded as a pressing concern for any business.
When “investable” equals “insurable”
The verdict is clear: cyber risk management is integral to environmental, social, and governance (ESG) considerations, and as more and more companies begin to adopt strategies to tackle their impact on these factors, it’s important to strategise about how you can build cyber risk management into your ESG framework to the benefit of both your investments and their stakeholders. It is noteworthy, by the way, that those stakeholders aren’t just investors or shareholders.
We often hear the phrase “if it’s not insurable, then it’s not investable”. But what does this actually mean in the context of the growing cyber threat landscape? It may come as a surprise, but although cyber underwriting and investment due diligence are completely different processes, they have one thing in common when it comes to cyber risk: investors and insurers alike consider an organisation’s approach to cyber risk management a crucial indicator in their decision making. As we mentioned above, the most immediate and financially significant sustainability risk facing businesses globally is cyber, demonstrating that it’s an absolute necessity to include cyber risk management as part of your investment due diligence and throughout the investment cycle. Ensuring your assessments follow best practices for good cyber hygiene is a win-win situation for all parties involved. Not only does effective cyber risk management help you drive better-informed decisions, safeguard your portfolio from the unexpected and avoid losses, but it also supports the sustainability and competitiveness of your investments and helps build trust among their shareholders, partners, and customers.
A new approach to risk evaluation and management – with the help of KYND
The environmental, social, and governance factors of a business are all linked to each other as much as they are linked to cyber risks. None of them is unaffected by the others. Societal breakdowns can be encouraged by climate change events and vice versa, and cyber risks accelerate all of these.
Luckily, KYND is here to help the financial services industry prevail over digital perils. KYND provides intuitive and effective cyber risk management solutions across the board, whatever the size of business or industry. With discussions under way about making cyber risk management policies and approaches a requirement for ESG strategies, it’s important for all businesses to consider what steps they can take to manage their own cyber risks and avoid the negative ramifications of a poor risk management strategy, or even worse, a successful cyber attack.
The world of cyber risk is often rife with complicated jargon and counterintuitive tools, leaving many firms with too much information, often having to mine through technical data that they don’t understand. KYND’s mission is to take these vast, complex and often inaccessible aspects of cyber risk management, and make it possible for anyone to see, understand and manage their cyber risks.
Whether it’s due diligence, third-party ESG screening, or daily portfolio management, KYND provides comprehensive insight into your investment portfolio’s cyber vulnerabilities, both at the portfolio level and the individual level, as well as personalised remediation advice to help improve your investments’ cyber posture and reduce their risk of falling victim to a cyber-attack. Leveraging its industry-leading risk intelligence and expert support, KYND enables proactive cyber risk management as part of the day-to-day business activity that positively affects ESG compliance and promotes cyber resilience for growth and sustainability in the face of the expanding threat landscape.
So, what are you waiting for? If you would like to find out more about how KYND helps investment firms like yours incorporate effective cyber risk management within the ESG framework, get in touch with our friendly team.