Contributed by Edwin Doyle, Global Security Strategist, Check Point Software.
The concept of socially responsible investing has been around since the 20th century, but it was in the early 21st century that the term ESG (Environmental, Social, and Governance) first appeared. ESG was first used in a 2005 report by the UN Global Compact (UNGC), the Swiss government, and the International Finance Corporation (IFC). Over the years, ESG has developed into an important financial factor that investors consider during their due diligence. Beyond investors, ESG is also becoming an important consideration for regulators, because certain ESG factors relate directly to issues such as technology risk.
Cyber security and ESG
In terms of cyber security, certain social (S) and governance (G) aspects of ESG investing matter to investors and regulators.
From the socially responsible investing side (the S), the company must have a cyber security policy, and it should also document how that policy is implemented.
In 2019, there were over 32,000 cyber security incidents worldwide. The targets of these attacks included all sectors, from finance and information to manufacturing and education. Another trend we have seen since 2017 is that the targets include businesses of all sizes.
A security breach can affect the company in many ways. Firstly, the cost of external consequences of cyber attacks can be in the millions. In 2018, the average annual cost was $5.9 million for information loss, $4 million for business disruption, $2.6 million for equipment damages, and $0.5 million for revenue loss.
Another aspect of a cyber attack is the impact it can have on the company’s reputation. With social media accelerating the spread of factual information (and rumors), the risk of getting and keeping a bad reputation has increased tremendously.
The cyber security policy should clearly state what the company knows about its security posture and what it will do in the event of a cyber attack. Besides the cyber security policy, the company should also have compulsory and continuous training programs to ensure investor confidence.
When it comes to governance (the G), the company should ensure that the right people are in place to oversee risk assessment. The company board should also be fully involved in overseeing personnel selection and implementation of the policy.
Threats to Consider
The types of threats that should be considered when creating the cyber security plan include: phishing attacks, which depend on the user clicking on or downloading a malicious link; malware, software designed to infiltrate a system without permission; web-based and mobile app-based attacks; ransomware, a form of malware that blocks access to files on the computer; denial of service (DoS) attacks, whose purpose is to overwhelm a system; and others.
The S and G aspects mentioned above contribute to the “cyber resilience” of the company. Cyber resilience means the ability to continue delivering products and services even while dealing with cyber security issues. In this sense, cyber resilience plays an important role in ensuring successful operations. Providing information about a company's cyber resilience also gives investors a more complete picture of the investment opportunity.
While standards for ESG are still under development, the concept has gained wide acceptance as an important assessment tool. Cyber security assessment still lags behind ESG in implementation, but it is gaining popularity because of the vulnerabilities exposed by cyber attacks and the direction in which most sectors are heading. We can hope to see more cyber security considerations included in ESG assessments soon.