Risk is an inherent part of doing business. As corporations face increasing privacy, security, geopolitical, diversity, employee wellbeing, reputational and climate change risks, they are realizing that risks do not exist in a vacuum or manifest neatly in isolation. They often combine and spill over into each other, which is why risks that are considered external must be incorporated into internal strategies.
Of all the risks facing organizations today, those related to cybersecurity and the environment carry some of the biggest and most lasting financial damage. The consequences of cyber attacks extend far beyond ransomed data and denial of service. Attacks on power grids, oil pipelines, manufacturing plants, water treatment systems, wastewater facilities, and communications infrastructure can cause lasting property and environmental damage (catastrophic spills, waste discharges and air emissions), devastating harm to public health and safety resulting in illness, injury and casualties, negative impacts on transportation systems and food supply, and significant recovery and remediation expenses and legal liability claims.
To mitigate the severity of these related risks, it is important for companies to integrate cybersecurity and ESG. Here are the cogent reasons to do so:
Cybersecurity: a critical component of the ‘S’ pillar in ESG
Cybersecurity has long been viewed as a “technology issue”, but it is not just a tech problem. Protecting an organization’s most valuable asset – data – is crucial for companies to survive and thrive, as well as to uphold the “social” (S) aspect of ESG.
Data breaches and other nefarious security compromises impact employees, customers, corporations, investors, supply chains and communities. The wider societal impacts of cybercrimes that arise because of targeted attacks on local governments, schools, health care providers and enterprises are not only felt financially, but also lead to service disruptions and psychological, behavioural and physical trauma.
In addition, the spectre of climate change and energy insecurity is here to stay and can affect society more seriously by disrupting the natural, economic and social systems we depend on, all of which pose significant risks to corporations worldwide.
ESG and cybersecurity are subject to increasing regulatory compliance frameworks
The proliferation of offensive cyber attacks and capabilities has catapulted the issue into global discourse and the regulatory and legislative spotlight. We are now entering a new era in cybersecurity reporting – one in which governments, regulatory agencies and organizations around the world will increase oversight of cybersecurity incidents and defences.
ESG issues have also leapt up the global corporate, social and political agenda over the past two years and are now moving from a voluntary disclosure-oriented dimension to a regulatory one. Stakeholders – including shareholders, regulators and lawmakers, and indeed society at large – are putting pressure on companies across all sectors to recognize, adhere to, measure and report performance against ESG metrics or a set of criteria for ESG values.
Given the increase in the frequency and value of cyber insurance claims because of the surge in cyber attacks, and the increase in the frequency and severity of environmental claims driven by natural disasters or catastrophes, insurance companies are tightening their underwriting standards and restricting or narrowing the scope of coverage.
Laying a strong compliance foundation for the intrinsically connected ESG and cybersecurity concerns can help a company avoid relying on insurance coverage to mitigate the risks and costs of a data breach or an environmental disruption. Furthermore, adoption of standardised frameworks can align stakeholders for better measurement, effective governance and improved risk assessment.
Cyber attacks threaten sustainability investments; climate-related risks trigger cybercrime and conflicts
The 2022 Global Risks Report, published by the World Economic Forum, shows that experts and leaders around the world consider cybersecurity, space and climate change to be some of the greatest threats to the global economy.
According to Capital Group’s ESG Global Study 2022, “Climate change concerns are at the forefront of investor minds”, which is why it is a key dimension of ESG considerations for investors.
Climate change and cybersecurity risks are expected to accelerate in the future and pose a grave threat to corporations and the value of their business assets.
Cyber attacks on critical infrastructure (oil, chemical, water, power and gas industries rely heavily on computer networks and systems) and on the networked, interconnected systems that are a part of projects transitioning to renewable energy threaten the integrity of sustainable investments. The reverse is also true. Climate-related risks such as heat waves, floods and fires can lead to various vulnerabilities for computer network defence, system reliability and more. Such vulnerabilities have security implications, and the interconnectedness of our physical and virtual domains means that compromise or successful exploitation in one domain or system can inadvertently affect the other.
A common connection between climate change and cyber crime is global computing. Computing involves energy consumption and heat production. Supercomputers, blockchain mining, data centres and the internet are fields in computing and cybersecurity that consume massive amounts of energy and contribute to climate change. The KTH Royal Institute of Technology in Sweden reckons that about 10% of the world’s total electricity consumption is currently used by the internet, which is more than the world’s total energy production from renewable energy sources such as wind, solar and water.
The International Organization for Migration estimates that 200 million people could be forced to leave their homes due to environmental changes by 2050. The Climate Vulnerability Monitor (CVM) developed by DARA and the Climate Vulnerable Forum estimates that by 2030, climate change is projected to cost the global economy US$700 billion annually.
The effects of climate change can destabilise society. The economic impact of increased energy use can hit companies, their customers, employees and their families, who will have to pay by way of loss of revenue, income or service and increased prices. When livelihoods are in danger, this triggers resource competition, insecurity and conflict, which can also impact cybersecurity and its associated threats.
Some have suggested that environmental changes and their colossal costs could spark international conflicts, and that – given the symbiotic relationships between nation state conflicts, cyberwar, loss of employment income and cybercrimes – this could even lead to more countries and individuals turning to cyberattacks, which are often viewed as a low-risk activity with potentially high profits.
For many corporations, cyber exposures merely top the list of the ‘S’ pillar concerns, even though cybersecurity is integral to all the three pillars of ESG, which interlock and influence each other.
Given that the objective of business is to create long-term value with societal support, it is important to prioritize integration of ESG and cybersecurity so that it helps stakeholders perceive that corporations are deserving of trust because they care. Remember, organizations that endure in a sustainable, environmentally viable way with sound data governance will coalesce the benefits of societal impact and financial performance.