It's time to put cyber security at the heart of ESG

Technology and digitalisation have transformed society and the way we do business, dramatically improving efficiency, quality, productivity and ultimately value. However, with these benefits come new challenges posed by escalating and rapidly changing cyber security and digital risks.

Cyber security threats and cyber crime are evolving faster than society's ability to effectively respond to or prevent them. It is reasonable to say that cyber security risks have become a fundamental challenge to corporate sustainability.

To ensure long-term corporate sustainability and demonstrate value to investors, organisations should see and manage cyber security risk not only as a compliance issue, but as part of their ESG strategy.

It is time to put the C(yber security) in ESG: not as a separate pillar, but as a foundational element underlying each of the E, S and G considerations. The reasons for this are outlined below.

1. Preserving trust and reputation

Cyber security is relevant to a company's social responsibilities through data protection and privacy. The high-profile data breaches that occurred in Australia in 2022 have brought home the critical responsibility companies have in protecting the personal data of their customers, employees, and other stakeholders. They have also reaffirmed the detrimental effect a data breach can have on public trust in a company, the reputation of a business, and even its survival.

Investing in uplifting cyber resilience and implementing cyber security measures, such as multi-factor authentication, encryption, secure data storage, secure backups and consistent cyber awareness training for employees, is more than a technical safeguard. In adopting these measures, companies demonstrate to stakeholders that they are taking necessary steps to protect the personal and sensitive data they are responsible for; that they are actively tackling the problem of human error, which has been traced to 95% of cyber security issues [1]; and that they are investing in upskilling and training their employees in cyber risk management. This is key to preserving trust and reputation as well as maintaining corporate sustainability.

2. Minimising environmental impact

A robust cyber security strategy plays an important part in reducing a company's environmental impact. Cyber incidents are not confined to the technological world; they may also bring physical consequences, including pollution and environmental damage. Cyber attacks can target industrial control systems, which may result in the loss of control of critical equipment and warning systems as well as potential damage to human health and the environment from catastrophic spills, waste discharges, air emissions and other environmental hazards. These types of attacks can also disrupt manufacturing, transportation and other operations, and cause fires, explosions and hazardous material releases that result in bodily injury, property damage, environmental remediation expense, and significant legal liability claims [2]. In 2021, a hacker made a (thwarted) attempt to poison the water supply of a city in Florida, USA by increasing the amount of sodium hydroxide to extremely dangerous levels. This serves as an important reminder for companies, particularly those in critical infrastructure and other sensitive industries, of the importance of robust cyber security measures to reduce the potential environmental and societal impacts of a cyber attack.

3. Practising good corporate governance

Cyber security is also relevant to corporate governance, particularly risk and crisis management. Good corporate governance and risk management require the consideration and implementation of cyber security measures including incident response, business continuity and disaster recovery planning to minimise the impact of a cyber attack on operations and service delivery.

Stakeholders and regulators increasingly expect and require boards of companies to consider and assess cyber security risks as part of their enterprise risk management. The positive security obligations now in effect as part of the SOCI Act reforms also underline the link between cyber security risk and governance risk. In addition, cyber attacks, particularly ransomware attacks and cyber extortion threats, often raise difficult ethical and legal questions, and investors and stakeholders expect companies to have in place internal and external mechanisms to navigate these issues, and to behave ethically and in accordance with company values.

In other words, cyber security risk is not simply a compliance issue or a matter for risk transfer through insurance; it is a fundamental aspect of corporate sustainability. Companies must assess cyber security risks as part of their ESG strategy and focus on uplifting cyber resilience in their efforts to meet ESG goals.

Companies that integrate cyber security into their ESG strategy will improve not only their financial stability, reputation and trust, but also their compliance with regulations, overall risk management strategy, and their impact on the environment and society. Above all, an ESG strategy underpinned by robust cyber security could prove to be a critical factor in ensuring a company's insurability and long-term sustainability.

This article is part of CyberSight 360 2022/23.

[1] Mee, P. and Brandenburg, R. (2020). "After reading, writing and arithmetic, the 4th 'r' of literacy is cyber-risk". World Economic Forum Global Agenda, 17 December 2020; World Economic Forum, The Global Risks Report 2022.
[2] AXA XL Environmental White Paper. Environmental risks: cyber security and critical industries.
