Why cyber security should be part of your ESG strategy

Organisations need to consider cyber security risks in their overall environmental, social and governance (ESG) strategy amid growing cyber threats and regulatory scrutiny, according to a cyber security expert.

In an interview with Computer Weekly, Nathan Wenzler, chief security strategist at Tenable, noted that an ESG programme is, in many ways, a form of risk management to mitigate the risks to businesses, societies and the environment, all of which can be impacted by cyber security.

In fact, the investment community has been singling out cyber security as one of the major risks that ESG programmes will need to address due to the potential financial losses, reputational damage and business continuity risks posed by a growing number of cyber attacks and data breaches.

Investment firm Nomura already takes into account an investee firm’s cyber security performance in its credit ESG scoring model, while KPMG noted in its report that cyber security is not only applicable to the governance aspects of ESG, but also has social and environmental implications.

For example, a manufacturing firm, which is likely to be very concerned with the environmental impact of its activities, will need to think about protecting critical infrastructure from cyber attacks and what it can do to prevent system misconfigurations that could cause environmental damage.

Software firms, on the other hand, may be more concerned with social impact through the customer data they hold. “I have to maintain privacy and integrity of that data and build trust with my customers that I’m not inappropriately using their data, or have it stolen by criminals who are going to sell it on the black market,” Wenzler said.

“Only the very largest companies see it that way – it’s very natural for them to look at the ESG pillars, see what puts those pillars at risk and get cyber security, legal and finance teams involved. But outside of that, it's not as common for organisations to see cyber security as a risk management function”

“That trust you want to build from a social standpoint comes from sound cyber security practices, so you can tell customers you’re taking the right steps to protect their identity and financial information,” he added.

But even after organisations have identified aspects of their businesses that are at risk, building up their risk profile remains challenging as they are often unaware of what technology assets they have, coupled with the lack of efforts to assess technical risks, Wenzler said.

“They’re not monitoring their networks, scanning for vulnerabilities or reviewing access controls and credentials. They’re not doing some of the fundamentals, and so they may not be thinking about those things in context of how they can support ESG better,” he added.

Various ESG reporting frameworks have emerged in recent years to provide organisations with guidelines on how they can operate ethically and sustainably, along with metrics that they can use to measure their progress. There are also specific IT security standards and frameworks, including the well-known ISO 27001 and government guidelines such as Australia’s Essential Eight.

Some regulators have gone as far as mandating the adoption of baseline security standards by critical infrastructure operators and firms in industries like financial services, but that does not mean organisations outside of regulated sectors are less pressured to shore up their cyber security posture.

“Customers are becoming more savvy now and they understand the implications of having their information exposed. If you are a company that doesn’t take data privacy seriously, your customers will take their business elsewhere because they don’t want to work with companies that put them at risk.

“So more than anyone, they need to be doing more than the bare minimum – they have to take steps to look at cyber security again as a business risk function,” Wenzler said.

Wenzler also warned against falling into the checkbox compliance trap, particularly by organisations that are covered by cyber insurance policies and have undergone cyber risk audits by their insurers.

He noted that many organisations have taken up cyber insurance for only critical systems as premiums have shot up in the wake of costly data breaches. “But from an attacker’s perspective, I'll use those less monitored systems to get in, run my attack from there and I’ll still be able to breach you at the place you’re not paying as much attention to.

“So, you should be looking at all your technology assets and what people can see publicly. There are so many pieces of technology that every company has. If you don’t realise you have those things – and we see that happen quite a lot – you’re open to attacks even if you have cyber insurance and have ticked all the boxes.”

But whether more organisations will view cyber security as part of an ESG programme remains to be seen. That’s because cyber security is still viewed largely as a technical and IT function, making it harder for organisations to see it as part of a broader risk management effort, Wenzler said.

“Only the very largest companies see it that way – it’s very natural for them to look at the ESG pillars, see what puts those pillars at risk, and get cyber security, legal and finance teams involved. But outside of that, it’s not as common for organisations to see cyber security as a risk management function.”