ESG and Cybersecurity: Governance is key

May 10, 2022

Environmental, Social, and Governance issues are becoming more important in investment decisions and how companies are run. But whilst most people have concentrated on the E and S of ESG, it’s the G element which fundamentally underpins it all. Governance is the system by which companies are directed and controlled. It’s also an indicator of the culture of an organisation: the relative importance of cyber security and how it is perceived goes to the core of that culture. Almost all organisations are now completely reliant on Information Technology as an enabler. Without the proper protections, monitoring and training in place, however, a business could go under, and investments could be lost.

Understanding governance risks and opportunities in decision-making is critical, as poor corporate governance practices have stood at the heart of some of the largest corporate scandals. Good governance practices such as aligning strategies with goals, being accountable, having a high level of ethics and integrity, defining roles and responsibilities, and managing risk effectively need to be cascaded throughout the business.

The role of the CISO (Chief Information Security Officer)

Governance, in the context of ESG, is essentially about how a company is managed and how well the executive management and the board of directors attend to the interests of the company’s various stakeholders.

Investors, business partners, shareholders, consumers, and employees should all be interested in an organisation’s ESG objectives, and it is the Chief Information Security Officer’s role (or equivalent) to help shape the security and risk strategies. The cybersecurity segment of ESG covers every aspect of an organisation’s security needs and lifecycle: the network, endpoints, data, cloud, services, software and hardware, and how critical data is protected.

On top of cybersecurity’s critical role in protecting systems, networks, programs and data, it is equally important to investors, who typically examine data protection and information security policies to assess a firm’s cybersecurity risks. While cybersecurity has historically been viewed as a technology issue (although in reality, it is much more about people and culture), it is now also regarded as a key ESG concern.

A major consideration is whether your board has a person dedicated to cybersecurity. Gartner estimates that 40% of all Boards of Directors will have dedicated cybersecurity committees by 2025. Make sure you are ready by having an empowered CISO well before then.

The importance of cyber security

In corporate governance, nothing is more important than cyber governance. You will have seen it in the media, with increased reporting about ransomware, data breaches or state-level interference. There has been a strong rise in the frequency, severity and scale of cyberattacks, and the reputational fall-out and financial losses that often follow such an attack can have far-reaching and long-term consequences for an organisation. Questions have been raised about whether industry is adequately prepared to mitigate the risks.

A 2021 survey carried out by the USA’s Association of Corporate Counsel (ACC), which analysed data from nearly 1,000 chief legal officers, demonstrated that cybersecurity has overtaken compliance as the most significant legal risk that businesses across 21 industries and 44 countries face today.

To ensure progress is being made on the environmental and social elements, you need systems in place to ensure accountability, and these systems will, by necessity, be electronic.

At a strategic level, one aspect of cyber security governance I would look at is who your CISO, or equivalent, reports to. If not a board position, they should report directly into someone on the board and not the CIO. CIOs predate CISOs and traditionally controlled the whole IT budget, but there is a conflict of interest between providing systems that are inexpensive and easy to use and providing secure systems.

Cyber risk metrics 

Once you have the right structure in place, you need to think about cyber risk metrics. Boards are always interested in metrics and cyber risk metrics add an additional dimension in attempting to measure and quantify corporate behaviours. Measuring cyber behaviours will determine the risk of adverse events, following the same underlying principles as ESG ratings. If you measure your overall vulnerability rating as compared to your peers, it will give a good indication as to the cyber related corporate behaviours. Just as with all ESG metrics, it is those corporate behaviours that will determine how resilient an organisation is to future adverse cyber events or future adverse business events in general.

Ask your CISO (or equivalent) whether they are monitoring your organisation’s vulnerabilities on a daily basis and whether they are comparing them to the rest of your sector.

Cyber resilience means the ability to continue delivering even when dealing with cyber security issues, and plays an important role in ensuring successful operations. By providing information about its cyber resilience, a company gives investors a complete picture of the investment opportunity.

A corporation’s positive environmental policy can benefit those outside its corporate walls, and so can digital and data security and privacy. An organisation’s cyber policy and approach to risk can have a far-reaching impact throughout the supply chain and society as a whole. Positive corporate actions on cybersecurity have positive impacts similar to environmental or socially responsible practices. An organisation that implements positive cybersecurity practices improves its whole cyber ecosystem. Conversely, an organisation’s poor cybersecurity practices directly impact the cyber risk exposure of its customers, business partners, investors and the wider economy.

Defining what ESG actually means for a firm and what metrics and elements should be measured can start to shape the narrative.  Operationally, ESG can develop from core policies and procedures or frameworks that are already in place, so you don’t need to start from scratch. Look at how your data is stored, accessed, delivered and reviewed to help shape your compliance and cyber policies. 

The inherent similarity between cyber risk and ESG makes the former an excellent addition to the set of metrics investors should use to evaluate responsible corporate behaviour. Those companies with good IT infrastructure and good cyber hygiene tend to be the more responsible companies with a greater likelihood of succeeding in the long run (and are better at monitoring for a breach, recovering from a breach and managing their reputation following a breach).

Investor due diligence 

Investor due diligence now has a strong focus around how data is secured so that an organisation can get behind a single source of truth. Firms can put policies and procedures in place to stop attachments being forwarded by email, restrict printing and provide read-only dashboards and reports if necessary. There are currently no fixed parameters in place to measure cybersecurity as an ESG metric, but how a firm manages its data and the security of that data is key. Due diligence will also evaluate competence and training, risk, change management, third-party vendor management and breach communication policies.

Although ESG metrics are not currently a required part of financial reports for publicly traded companies, a growing number of companies are including them in their reported statements or a separately issued document. There is consensus among many regulators that some form of standardised ESG disclosures will be required of publicly traded companies on most major global stock exchanges. Having dealt with several regulators whilst I was at the National Cyber Security Centre, I know that a key part of their focus will be on robust cyber security. 

As an example, Oil and Gas pipeline operators in the USA must now report all cyberattacks to the federal government in the wake of the shutdown of the Colonial Pipeline from a ransomware attack in May 2021. A new US law mandates that companies report attacks to the U.S. Department of Homeland Security within 72 hours of discovery of the incident, and 24 hours if they make a ransomware payment. 

If a cyber breach occurs, client data and capital could be at risk – but beyond that, managers should also be aware of the reputational risk a cyberattack would incur. Once data has been breached the impact is difficult to measure, financially but especially in terms of reputation.

Managing a breach

If a firm does suffer a breach, whether successful or not, working with outsourced technology and legal partners can help. The platforms available can provide monitoring and reporting on the flow of data and legal advice helps to focus in on what really matters. This information is essential if there is an information request from the regulator. If the source of the breach cannot be found, it will be nigh on impossible to shut down the breach. Training is important too, but one of the best ways to protect against cyber risk is to make risk management part of the day-to-day drum beat of business activity.

All this focus on ESG can be very beneficial, but only if real action is taken. This should not just be a box ticking exercise; real change needs to be made in the governance of cyber risk if you want your organisation to have the best chance of surviving a cyber breach. Data from RiskRecon’s analysis of 633 destructive ransomware events shows organisations make only marginal improvement in their cybersecurity hygiene one year after an event. Don’t let your organisation be like them.

Peter Yapp, Cyber Partner at Schillings

Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre and post cyber security incident advice to a range of individuals, companies, boards and operators of essential services.
——–
This article is also published in the Spring 2022 issue of Computers & Law which has been guest edited by the SCL Sustainability and ESG Group