Cybersecurity and sustainability, don’t WannaCry?

 

How could sustainability, which relates to climate change responses as well as environment, social and corporate governance (ESG) performance, have anything to do with cybersecurity?



At first glance, these issues seem worlds apart, both mammoth concepts that are not easily understood nor managed, despite the diverse resources that exist. The link between the two, perhaps, is not so much about their content as it is about the strategic business opportunities that can be unlocked when one understands them. 

Sustainability and cybersecurity are material business concerns

Sustainability may be a big word, but when broken down it manifests itself in practical terms that we all can relate to: emissions management, water, human rights, and gender diversity – the list can go on and on. These issues place sustainability among the top long-term risks identified in the World Economic Forum’s Global Risks Report 2017, in terms of likelihood and impact. What this means for business is that failure to understand and sufficiently address these risks translates to wide exposure to various potentially harmful impacts.


It’s no surprise that cybersecurity, particularly cyber-attacks, also figures prominently in the WEF Report.

With recent global cases ranging from state government hacks to the ransomware attacks orchestrated using malware called WannaCry, and more recently Petya, hitting victims including the UK’s National Health Service, Russia’s Ministry of Interior, FedEx, various crucial infrastructure in Ukraine and The WPP Group, it’s clear that cybersecurity should be everyone’s responsibility.

A cybersecurity report released by telecoms giant Telstra this year found that “14.7% of Hong Kong firms have been hit with cyber-attacks in the last year. Hong Kong was narrowly behind India, which clocked in at 14.8%”. This makes Hong Kong the second-highest country at risk of cybersecurity attacks in Asia, despite recent efforts to strengthen IT security. Let’s not forget, for example, that it’s only been two years since Hong Kong educational toy maker VTech experienced a massive hack that exposed the personal data of over 6 million children and 5 million parents – including their names, home addresses, and even pictures and chat logs.

Sustainability and cybersecurity are therefore both material issues that significantly impact business and influence the assessments and decisions of stakeholders. It’s commonplace to find cybersecurity in every listed company’s risk register. More recently, it has also figured prominently in Hong Kong companies’ ESG / Sustainability Reports, identified as a material issue to the business alongside environmental and social impacts. The next stage is to move swiftly into quantifying their impact, before understanding how best to manage them.

Measuring impact today could make a difference in millions of dollars of company value. Any risk exposure such as an IT security breach or being impacted by natural disasters could not only mean, but also lead to, investor distrust. After all, no one wants to invest in a company that has been hacked, or one that has halted production due to unpreparedness for typhoons and hurricanes. Investors want to see companies be forthcoming about the way they manage risks. It is now commonplace for investors to request companies to disclose ESG performance as it directly relates to financial performance. CDP, a widely-used platform for disclosing the impacts of climate change, primarily around greenhouse gas to businesses, estimates that over 100 institutional investors and purchasers, representing over US$100 trillion, use their data and insights to make better-informed investment decisions.

Increased regulatory developments

There is nothing like regulation to force action. China’s cybersecurity law came into force on 1 June 2017, even if many companies are still unclear about the specific terms of the law. A recent SCMP headline noted, “Foreign firms have criticised the legislation, saying it forces them to share sensitive data with the authorities and favours domestic technology firms”.

This pushback may be understandable, as the law mandates two major things: strict data surveillance and storage for firms working in the country, and a thorough security review process for key hardware and software deployed in China, put in place to assist the authorities conducting security investigations. There are more “unknown knowns” with regard to the details of the new cybersecurity law, but one thing we know for sure is that companies will have to prepare well in terms of compliance. Whether this means strengthening internal security management systems, institutionalising network security plans or simply hiring dedicated cybersecurity personnel, change must come very soon.

Sustainability has similarly seen increased reporting and disclosure obligations, due to a combination of investor requests and alignment with listing requirements across global markets. The Hong Kong Stock Exchange issued an ESG Reporting Guide that came into force on 1 January 2016, and has become fully effective for accounting periods starting on or after 1 January 2017. The reporting guide focuses mainly on environmental and social disclosures and requires a “comply or explain” response. Furthermore, ESG has formed part of the Business Review section of the Directors Report of the new Companies Ordinance (Cap. 622). This is a welcome development for the Exchange and the Hong Kong market in general, one that steers investors towards better valuation of investments by factoring in externalities such as environment and social impacts.


The Importance of Meaningful Employee Engagement

Delivering on true social value cannot be done from up high in the ivory tower. If people are truly a company’s biggest asset, as they are often described, then they should be empowered to drive positive impact. PwC’s 2016 report, Millennials at Work Reshaping the Workplace found that “millennials want their work to have a purpose, to contribute something to the world and they want to be proud of their employer”. This is not just being active in volunteer work but has more to do with being able to drive innovation at all levels of employment. According to the report, “millennials expect the technologies that empower their personal lives to also drive communication and innovation in the workplace. 78% said that access to the technology they like to use makes them more effective at work”.

Using technology they like is of course not enough – it should be used responsibly. A local cybersecurity expert emphasises the need to invest in educating people about cyber risks and social engineering beyond IT Departments. “Yearly e-learning courses are not sufficient for keeping up with the incredibly rapid developments. Integrating awareness into daily operations by making cybersecurity a default topic during periodic team meetings, for example, is not a luxury. For IT professionals, there are several globally recognised security certifications available. Having staff trained including on non-technical issues like when to disclose personal contact information and the IT workforce certified will enhance mitigating cyber risks significantly”.

It has often been said that for every risk, there is an opportunity. They may not be fully realised in the short term, but that is no reason not to act on them now. If companies are to be resilient, they will need to re-evaluate the changing context of society on an on-going basis. This means understanding impacts of wider macro-economic trends, ESG factors as well as commercial and operational risks like Cyber Security today and planning ahead. After all, we want businesses to be sustainable and not come under any attack. We certainly don’t want to cry.

This article was first published in Momentum, the official magazine of the Hong Kong Chamber of Listed Companies (www.chklc.org), September 2017

 

 
 
