Why cyber security is an ESG issue
HM Treasury unwittingly set itself up for ridicule recently when it posted a recruitment advert for a Head of Cyber Security. The salary range was a none-too-impressive £50,500 to £57,500, far below the going rate for such an important role.
Why, nonplussed commentators on social and traditional media wanted to know, was the remuneration for such a critical position so low? Metro even described the salary as “measly”.
The Treasury’s thinking on this was unclear, and doubtless will remain so. Yet the Government’s own Cyber Security Breaches Survey, published in April 2023, finds that 32% of businesses and 24% of charities experienced breaches or attacks in the last 12 months.
Cyber security, therefore, should be, and often is, a matter of serious concern. Indeed, we subscribe to the view that it should be an Environmental, Social and Governance (ESG) issue. And we are far from alone in taking this stance.
In a feature on cybercrime last year, the World Economic Forum argued that in light of an increasing number of cyber-attacks on critical infrastructure, financial networks, healthcare, and other networked systems, companies need to start looking at cybersecurity as part of ESG, and in particular, Governance. “Cyber risk is the most immediate and financially material Sustainability risk that organisations face today,” said WEF.
Deloitte research published in February found that nearly half (48.8%) of Board-level and other executives expect the number and size of cyber events targeting their organisations’ accounting and financial data to increase in the year ahead, yet only 20.3% believe their organisations’ accounting and finance teams work closely and consistently with their peers in cyber security.
Meanwhile, the National Association of Corporate Directors’ 2022 NACD Public Company Board Practices and Oversight Survey found that 83% of directors feel that their Board's understanding of cyber risk has “significantly improved” compared with two years earlier. That said, 42% of respondents indicated that recruiting a director savvy about cyber security would benefit their Board.
Such steps are increasingly necessary as cyber-related risk is subjected to closer scrutiny by regulators and investors. Last year in the US, the SEC moved to tighten the rules on disclosures made by listed companies about their cyber security risk management, governance, and incident reporting.
Cyber insurance has a growing role to play in the risk management armoury. Tellingly, on 10th May, National Cyber Security Centre CEO Lindy Cameron spoke to insurance professionals at the British Insurance Brokers' Association 2023 Conference where she urged the insurance industry to work together to make the cyber insurance market as mature and effective as possible. “It’s really important that businesses look at cyber security as an integral part of their organisational risk management,” she told delegates. “For the cyber insurance industry, there is an added incentive to ensure that your customers make better, more informed decisions about their overall cyber security requirements and their resilience.”
While cyber security should form an important element of the ‘G’ in ESG, for many organisations, particularly industrial and energy businesses, it may also have a bearing on the ‘E’ and the ‘S’. A successful attack on operational technology could cause environmental damage or personal injury. Consider this famous and frightening example from 2021, when an intruder who had gained remote access to the control system of a water treatment facility in Florida set the sodium hydroxide dosing level to a massively higher, highly dangerous value. Fortunately, an alert operator watching the screen spotted the tampering within minutes and reversed the change before it affected the water supply, and disaster was averted. There are countless scenarios in which a successful cyber-attack could damage a company’s Sustainability credentials and broader reputation.
As shown in this story from a FTSE-250 CEO whose business lost almost £500,000, “it’s your people, not technology, who typically hold many of the keys to unlocking how you can become more prepared and resilient to attacks.” The best professionals in this area have a strong appreciation of the interrelationship between cyber security and ESG. They understand risk and its wider ramifications, not just technology.