Cybersecurity and Sustainability: Opportunities for better governance
It should not come as much of a surprise that widespread cybercrime and cyber insecurity appeared in this year’s World Economic Forum Global Risk Report, ranking #8 in terms of likelihood and impact, alongside risk categories such as biodiversity loss and climate change mitigation and adaptation. It is therefore not unusual to find cybersecurity in a listed company’s risk register, and this trend is being featured more prominently in recent sustainability reports.
Why is Cybersecurity an integral part of ESG reporting?
1) Cyberattacks have been on the rise, especially in the Southeast Asia region
In Malaysia, a web-hosting service (Exabytes) was the target of a ransomware attack which demanded USD$900,000 in cryptocurrency in late 2021. In the same month, a data breach hit a hospital in Thailand, involving over 10,000 patients’ records. Elsewhere, a data breach severely impacted Optus, an Australian telecommunications company, leading to the details of 10 million customers being compromised.
According to a 2021 Check Point report, the Asia Pacific region experienced a 168% increase in cyberattacks year-on-year, with 59% of businesses reporting being a victim of a cyberattack. This issue is further compounded by the global cybersecurity workforce gap, which was estimated at 2.72 million in 2021.
2) Cybersecurity impacts not only businesses’ bottom line but also future business valuations
Thoroughly assessing business risks could make a difference of millions of dollars to one’s business value tomorrow. Any risk exposure – whether it is a breach of security in technology systems or a natural disaster in a key market – inevitably equals investor distrust. In general, it is estimated that businesses can take up to an average of 9 months to identify and contain cyber breaches, which can result in USD 4.35 million in losses globally.
Thus, it is common for investors to want to see companies managing risks and being forthcoming about the way they govern them, and referencing standard frameworks would be helpful in guiding businesses in that management.
While there is a veritable alphabet soup of ESG reporting guidelines (e.g., GRI, TCFD, CSP, SASB, TNFD, DJSI, ISSB), there is no one-size-fits-all answer for businesses as to which reporting guidelines best represent how to manage risk. However, one thing is certain: businesses can use such platforms to make better-informed decisions. For example, CDP, a widely used platform for disclosing the impacts of climate change, estimates that 680 institutional investors and purchasers, representing over USD$130 trillion, use its data and insights to make better-informed investment decisions.
Thus, businesses need to look internally to assess their individual needs and select the standards and guidelines that best serve them.
Cybersecurity as a Sustainability issue – Governance is key
At first glance, cybersecurity and sustainability may seem like two very different topics – cybersecurity has traditionally been viewed as a technological issue and sustainability as an environmental issue (although neither view was ever completely true). However, the two issues are now more connected than ever, with both being material concerns for all businesses, requiring leadership and management to focus on having good governance and reporting measures in place.
In today’s context, a robust sustainability strategy should include cybersecurity as part of the business’s risk management plans, addressing it under the “Social” aspect of ESG, as cybersecurity can have real-world implications. This was shown by the case of oil giant Colonial Pipeline, the victim of a ransomware attack in 2021: the cyberattack led to the shutdown of the pipeline’s digital system, affecting consumers and airlines across the East Coast and triggering price spikes, panic buying and shortages.
Hence, cybersecurity, which used to be regarded as only an industry concern, or “someone else’s problem”, has now become a threat that all businesses face and simply cannot afford to ignore.
Purpose as the driving force for responsible business
Purpose is the essence of a well-articulated and lived corporate purpose. This includes a business’s ESG strategy and cybersecurity measures.
Purpose requires a wholesale shift away from business as usual and requires businesses to take a step back and reassess the transformation they need. In Southeast Asia, we are in a state of polycrisis (from cybercrime and climate change to the cost of living). Thus, a well-articulated purpose represents the opportunity to transform business models to not only deliver value to our shareholders but also ensure that this value is equitable to all stakeholders in the long term.