Six Reasons Why Board Members Should Manage Cyber Risk as an ESG Issue


Cybersecurity threats continue to propagate and intensify, posing enormous risks to enterprise value. This article explores why corporate directors should include cybersecurity in the design and implementation of ESG strategies.

By all measures, cybersecurity threats continue to propagate and intensify. Not only do they present enormous risks to the value of companies, they also have the potential to weaken the broader stability of society. Over the past several months, there has been an increasing number of cyber attacks on critical infrastructure, financial networks, healthcare, federal and local governments, and networked systems. In 2020 alone, the adjusted average total cost of a data breach reached $4 million per company.

Accordingly, regulators have responded. The US Securities and Exchange Commission’s (SEC) new cybersecurity guidelines, which went into effect in December, mark a major period of transformation for public companies: they must not only disclose material cyber incidents within four days of discovery, but will also be compelled to report details about their cyber risk management, strategy, and governance policies.

Board directors agree on the existential threat of cyber attacks and on the need to prioritize cybersecurity, yet they have not fully considered cybersecurity as part of their Environmental, Social, and Governance (ESG) strategy. That should change. By failing to integrate cyber risk management into the broader processes, metrics, and systems of good governance, corporate directors are missing an important opportunity to make their organizations more resilient and more sustainable.

Even with the increasing frequency and growing impact of these threats, investor and board pressure on ESG tends to focus on environmental and social justice, while cybersecurity has been left to regulators, the insurance industry, and CISOs to take on.

Here are six reasons why corporate directors should include cybersecurity in the design and implementation of ESG strategies:

  1. Cybersecurity poses a social risk to employees and the broader public, especially as the economy and our lives become more digital. Cybersecurity has gained wider attention as the global workforce has pivoted to working from home and as data breaches have hit companies across industries. Digital applications and systems are now integrated into every aspect of our lives, from the personal devices we rely on and the social media we use to interact, through to the sophisticated automated platforms and systems that support digital workplaces and lifestyles. Moreover, data breaches have a huge impact on people. Hackers have increasingly targeted healthcare data and institutions, with an impact on the quality of care for the community as a whole.

  2. Insurance isn’t enough to mitigate growing risk, and it will be harder to get. Insurance is not a silver bullet against cyber threats. Much has changed over the past five years; it used to be very easy for firms to get cyber insurance coverage at relatively low premiums. With heightened cyber risks, particularly ransomware attacks, cyber insurance carriers have been losing money and have therefore raised premiums and deductibles for buyers. This has created more coverage exclusions and has prevented organizations from renewing or purchasing cyber insurance. For example, the average ransom payment skyrocketed by 82% from 2020 to 2021. By the middle of 2021, the number of ransomware attacks had grown more than 150% over the entirety of 2020. It’s no wonder that the uptick in attacks and payouts has meant such significant losses for insurers and dulled their appetite for this growing business segment.

  3. Board directors are building up individual capability in ESG and cybersecurity in a siloed way, losing the opportunity to mitigate risk, integrate both into organizational strategy, and build long-term value. Board members self-identify material knowledge gaps in both cybersecurity and ESG principles and best practices. A recent survey found that only 29% of global board directors feel knowledgeable enough to challenge or monitor execution on sustainability, and 89% rely only on management updates to stay informed on the topic of ESG. Similarly, in the Fortune 500, only 9% of boards have directors with a strong understanding of cybersecurity. In the Russell 3000, just 8% of companies have directors with cybersecurity acumen.

  4. Investors continue to put pressure on companies for better cyber and environmental disclosures and training. Investors are aggressively pushing companies to disclose instances of cyber attacks as well as greenhouse gas emissions, given their financial materiality to the long-term viability of the business. Currently, few investors receive all the information they need, as highlighted in EY’s 2020 Institutional Investor Survey. While 98% of investors signaled a move to a more disciplined and rigorous approach to evaluating companies’ non-financial performance, an increasing proportion believe that companies do not adequately disclose ESG risks. They are increasingly frustrated by the disconnect between ESG, cyber risk, and mainstream financial reporting. Investors continue to push for ESG and cyber risk disclosures that demonstrate the impact of sustainability and cyber issues on enterprise value.

    Beyond pushing for enhanced disclosure on attacks and certain ESG metrics, investors are also looking for information on the education and resources a company makes available to its board regarding cybersecurity. Although corporate directors have been building competencies in both cyber and ESG topics, a more comprehensive approach will be needed to address the increasingly sophisticated integrated issues and risks.

  5. Smart technologies that accelerate the energy transition and the circular economy will be at risk. Most plans for decarbonization and CO2 reduction rely on digital transformation and the application of smart technologies and automated systems that monitor and manage energy production, distribution, and consumption. However, these solutions can create new opportunities for cybercrime and demand a high level of cybersecurity and data protection. Similarly, introducing new technology solutions to support the circular economy, when those systems involve significant financial transactions to incentivize green behaviors, can raise concerns over new fraud patterns.

  6. ESG frameworks give corporate directors a tangible means of evaluating and managing corporate behavior. For companies to make demonstrable progress on ESG and cyber risk mitigation, and to satisfy growing investor demands, they must take a holistic approach that recognizes the need to identify, measure, and embed ESG factors across their organization and value chains. By doing so, businesses can improve access to capital, mitigate operational and brand risks, and generate greater long-term value for all stakeholders. Moreover, just like ESG, cybersecurity goes beyond addressing technical risks. It is an organizational problem that requires business alignment and should be viewed as a long-term strategic imperative.

Key takeaways for board members:

  • As two of the most pressing and increasingly regulated board-level issues, cybersecurity and ESG present an opportunity to integrate approaches, build a more resilient and sustainable organizational strategy, find operational efficiencies, and generate enhanced long-term returns for shareholders.
  • Corporate directors have a fiduciary responsibility to respond to investor requests for more comprehensive disclosures on both cybersecurity and ESG, as well as to build board-level competency on these critical topics.
  • Boards should proactively engage with investors to better understand what investors expect of them on both cybersecurity and ESG.

Additional Telesto resources: Find additional information on how to get started with ESG, and build topical familiarity with our ESG Glossary as well as Telesto’s ESG Maturity Model.
