Cybersecurity is now a component of ESG for many investors, but getting information from businesses remains tough.
With the number of cyber threats facing businesses growing by the day, cyber risk management is becoming a priority for many organisations. Investors are also becoming more tuned in to the impact cybercrime can have on businesses, and are making it central to the environmental, social and governance (ESG) analysis they carry out of a company’s sustainability. But this information is often difficult to come by, with businesses still reluctant to disclose cyber incidents in full. Developing standards around cyber incident reporting could help.
Government data released in March laid bare the problem facing UK businesses when it comes to cybercrime. The Cyber Security Breaches Survey 2022 from the Department for Digital, Culture, Media & Sport (DCMS) shows that 39% of companies fell victim to at least one cyberattack in the past year, with 31% of businesses and 26% of charities estimating they were attacked at least once a week, with criminals deploying phishing attacks, ransomware and distributed denial of service
The DCMS report says the average breach cost £4,200, rising to £19,400 where only medium and large businesses are taken into account. The cost and frequency of breaches mean it is no surprise that how companies deal with them is becoming a big factor in investment decisions.
For businesses, putting cybersecurity at the heart of ESG strategies is vital to demonstrate good governance. “Cyber risk is the most immediate and financially material sustainability risk that organisations face today,” argue Anna Sarnek and Cristina Dolan in an article for the World Economic Forum. “Those that fail to implement good governance on cybersecurity, using appropriate tools and metrics, will be less resilient and less sustainable.”
ESG and cybersecurity: how important is risk management?
The Covid-19 pandemic, which saw a steep increase in the number of cyberattacks globally, also served as a wake-up call for the investment community when it comes to ESG and cybersecurity. The pandemic “amplified the challenges of dealing with cybersecurity risks,” says Betina Vaz Boni, senior analyst for corporate governance at Principles for Responsible Investment (PRI), a United Nations-backed organisation promoting sustainable investment.
“Cybersecurity threats continue to evolve at a rapid pace, with an increasing number of data breaches with severe impacts in the past few months,” Vaz Boni says. “While some investors have been comprehensively engaging with portfolio companies on this for years to mitigate risks and identify opportunities, many more are only just recognising the need to do so given its systemic relevance and the potential severity of impact.”