Why cybersecurity is an ESG issue

The impact of COVID-19 has rippled through the three pillars of ESG investing. Following a steep increase in the number of cyberattacks on critical infrastructure, financial networks, healthcare, and other networked systems globally, the pandemic has served as a wake-up call for the investment community when it comes to ESG and cybersecurity. 

Increased risk of cyberattacks

In recent months a number of large corporations have experienced major disruptions to their operations and markets due to data breaches; the average cost of a data breach in 2022 is reported at USD 4.35 million. 44% of respondents to the Allianz Risk Barometer issued in January cited cyberattacks as their primary business concern for 2022. Global losses are forecast to hit USD 10.5 trillion annually by 2025.

Though concern and risk management are often left at the door of regulators and the insurance industry, cybersecurity risk is the most immediate and financially material sustainability risk that organisations currently face. Failure to implement good governance will result in lower cyber resiliency. 

Cybersecurity matters as an ESG concern

Possibly just as profound as the threat to value are the reputational and societal risks posed by cyberattacks. Cybersecurity failures can impact a company’s relationships with its workforce, the communities it serves, and political decision-makers. Colonial Pipeline, the largest fuel pipeline in the US; JBS, the world’s biggest meat processing company; Ireland’s national health service; and South Africa’s shipping terminals are all recent victims of well-publicised ransomware attacks. The impact will have been felt by many, through confidential data loss, service disruptions, temporary income losses, as well as brand damage that can severely jeopardise customer loyalty and trust.

The cyber pandemic

The adoption of digital transactions as a measure of public convenience and COVID-19 safety has increased cybersecurity risk, with identity theft up 23% on previous highs in 2021. 

As companies accelerated digitalisation through the pandemic in order to continue operating and support their staff, their dependency on third-party software and technology grew. This served to increase attack surface exposure and points of vulnerability.

Corporate governance = cyber governance

Global spending on cybersecurity is predicted to accelerate between 2021 and 2025, reaching $1.75trn, compared to just $3.5m in 2004. As ESG investing grows, companies looking to attract investors’ capital must ensure they have robust governance structures in place, and feature cybersecurity prominently in any risk mapping. This not only demonstrates clear direction, but also serves as an important indicator of organisational culture. Poor corporate governance practices are likely to concern investors, jeopardising future plans for business growth. 

Considering the potential severity of impact, and the lack of fixed parameters in place to measure cybersecurity as an ESG metric, it is critical that fund managers comprehensively engage with portfolio companies to mitigate risks and identify opportunities. Though full public disclosure can make a company more vulnerable to cyberattacks, conversations between companies (whether a board member, or appointed executive such as a chief information security officer) and asset managers are necessary for understanding the risk mitigation measures that are in place. Low levels of disclosure are likely to sound alarm bells; ongoing and evolving conversations will facilitate greater insight, accountability and ultimately positive change.
