Cybersecurity is an environmental, social and governance issue. Here's why
Cybersecurity is the most immediate risk that organizations face to their sustainability. But it is often managed with insurance, rather than good governance. Image: Pixabay for Pexels
Cristina Dolan
Co-Author, Transparency in ESG and the Circular Economy: Capturing Opportunities Through DataListen to the article
- Cyber attacks present a huge risk to the value of companies and ultimately the stability of society.
- Companies need to start managing cybersecurity as part of their environmental, social and corporate governance strategy, rather than relying on insurance.
- A standard framework for measuring cyber risk would help organizations and regulators to manage it.
In recent months there have been an increasing number of cyber attacks on critical infrastructure, financial networks, healthcare, and other networked systems. Despite this prevalence, however, investor and board pressure on Environmental, Social, and Corporate Governance (ESG), tends to focus on environment and social justice, while cybersecurity is left to the regulators and the insurance industry to tackle.
Companies need to start looking at cybersecurity as part of ESG. Cyber risk is the most immediate and financially material sustainability risk that organizations face today. Those that fail to implement good governance on cybersecurity, using appropriate tools and metrics, will be less resilient and less sustainable. This in turn has an impact on the other organizations they rely on, and ultimately on the stability of companies, communities and governments.
Here are three reasons why cyber risk needs to be included in ESG strategies:
1. It presents a threat to value
Intangible value – the value of assets that are not physical in nature – now represents 90% of the asset value in organizations, having more than tripled in the Standard and Poor’s 500 index (S&P 500) during the past 35 years. During the COVID-19 pandemic, organizations took an accelerated shift to digitize their assets.
Perhaps the most critical intangible asset in determining the value of a company today is data – be it personal data, financial information, security data or behavioral data. As companies grow, their intangible value grows too, which increases the potential impact of a cybersecurity breach. In this context, it is not surprising that cybercrime for economic profit is projected to increase.
To manage their cybersecurity, companies need to shift their thinking. Rather than trying to protect every single computer or system from attack, they need to focus on protecting the critical assets – the ones without which the organization can't operate. So in the event of a breach, value is not lost, or the loss is minimized.
2. It presents a threat to society
In the spirit of consumer convenience, organizations across industries have rapidly adopted digital transactions. These are near-ubiquitous across government services, financial and insurance services, healthcare and utilities, as well as consumer goods. This creates increased cybersecurity risks. In 2021, records were broken for identity theft, up 23% over the previous all-time high.
Data breaches can have a huge impact on people. Hackers have increasingly targeted healthcare data and institutions, with an impact on the quality of care for the community as a whole. A disruption to the utility industry, such as the attack on Colonial Pipeline in the United States, can also lead to temporary income loss, further affecting the community.
3. Insurance can't mitigate the risk indefinitely
Instead of implementing governance around cybersecurity, organizations have heavily relied on insurance to manage the risk. But as courts rule in favor of policyholders, insurers will continue to narrow the scope of the cyber policy coverage, limiting the extent to which organizations can rely on it to mitigate the risk. In any case, an insurance claim can severely impact an organization’s ability to be insured; insurance alone is not a substitute for good governance.
As demand for cyber insurance increases, there is a growing gap in coverage. This makes understanding and managing the risk more important than ever, especially as regulatory fines alone can bankrupt an organization.
How is the Forum tackling global cybersecurity challenges?
A standard framework for measuring cyber risk would help organizations and regulators to understand it and manage it as part of their ESG strategy. Companies including Apple, Amazon, Microsoft, and Netflix have a greater reach in numbers of engaged customers and yearly revenue than whole countries like Canada, Brazil, and Russia. Government regulations alone cannot realistically manage all companies, due to the complexity of continuously evolving new business models and the growing size of many technology companies. A standardized framework for analysis could set a precedent for effective governance.
Don't miss any update on this topic
Create a free account and access your personalized content collection with our latest publications and analyses.
License and Republishing
World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.
The views expressed in this article are those of the author alone and not the World Economic Forum.
Stay up to date:
Cybersecurity
Related topics:
Forum Stories newsletter
Bringing you weekly curated insights and analysis on the global issues that matter.
More on CybersecuritySee all
Kate Whiting
December 12, 2024