Cyber Resilience Is All About ESG


Russia’s invasion of Ukraine and President Putin’s increasing hostility toward the West have significantly heightened the risk of large-scale cyberattacks. As a result, financial investors are increasingly concerned, and Western companies face new pressure to demonstrate to stakeholders that, should such scenarios occur, they possess the necessary defenses to minimize damage and remain resilient.

There are two primary ways companies can publicly disclose components of their cyber preparedness:

  • By providing specific technology disclosures in their reporting

  • By incorporating evidence into existing Environmental, Social, and Governance (ESG) reporting frameworks

Since cybersecurity is no longer a standalone technology or IT issue in most businesses, ESG reporting has become the most practical, transparent, and effective approach.

Environmental

Energy and utility providers that depend on both Information Technology and Operational Technology systems, such as industrial control systems, automated diagnostics, and monitoring tools, are particularly exposed to cyberattacks: OT equipment is often long-lived, cannot easily be patched or taken offline, and a compromise can have physical consequences rather than just data loss.

Companies must develop and communicate a clear understanding of the environmental impact of cyberattacks and define mitigation and response measures. ESG reports should include cyber capabilities that support business continuity and resilience strategies to reduce IT and OT system disruptions.

The environmental footprint of the cyber domain itself is also under scrutiny. Bitcoin mining, for instance, is highly energy-intensive and increasingly questioned from a sustainability perspective.

Social

The May 2021 cyberattack on JBS meat production facilities, which disrupted processing and production across the U.S. food supply chain, illustrates the broader societal risks of cyberattacks.

Good social practices in cyber-related ESG disclosure may include embedding cyber resilience into the enterprise risk management framework and establishing clear policies regarding cyber ransom payments.

Cyber incidents can also create high anxiety among employees, particularly the security teams responding to an attack under extreme pressure, which makes staff well-being during and after incidents a legitimate part of social disclosure.

Governance

Strong governance leads to strong risk management. If cybersecurity governance is not integrated into a comprehensive strategy and plan, organizations will struggle to detect and respond to attacks confidently and swiftly.

Good governance practices include:

  • Building trust in the company’s ability to manage cyber risks

  • Using formal cyber risk appetite statements

  • Identifying critical assets and restricting access to them on a least-privilege basis

  • Appointing a board-level individual accountable for cyber resilience

  • Maintaining a dedicated cybersecurity budget

Addressing cybersecurity through the ESG framework provides markets with clarity about how an organization prepares to withstand cyberattacks.