Once thought to be purely an IT issue, cybersecurity is now a business risk: successful cyber attacks can have material consequences, both through direct financial losses and through indirect costs such as reputational damage. Moreover, cybersecurity should be incorporated into environmental, social and corporate governance (ESG) strategies, as it addresses the risks that come with growing reliance on digital systems and data, and helps strengthen an organisation’s business resilience.
“Amidst the recent spike in cyber attacks across industries, including the financial services sector, cybersecurity is emerging as a key area of interest to all organisational stakeholders — including investors, regulatory bodies and customers — and is a growing factor in evaluating credit risk,” Christophe Barel, managing director for Asia Pacific of industry consortium FS-ISAC, tells DigitalEdge.
He adds: “It is critical to two pillars of ESG: Governance, in terms of operational risk management, and social, in terms of being responsible for customers’ sensitive data and handling communications in the wake of an attack. Without robust cybersecurity measures in place, organisations are exposed to significant risks that can undermine their sustainability and long-term value creation, not to mention their very existence.”
Daryl Seetoh, senior associate at law firm Baker McKenzie Wong & Leow, agrees that cybersecurity is a strong hallmark of good governance as it reflects accountability. “Organisations that develop robust cybersecurity systems demonstrate a commitment to addressing concerns about the digital space and build trust with their stakeholders, particularly how their personal data is safeguarded and shared. [Cybersecurity can have social implications too] as digital threats pervade many aspects of our everyday life linked with technology.”
He continues: “Given that ESG frameworks have become one litmus test of a well-managed and responsible organisation, cybersecurity undoubtedly has an important place within these standards. If we are to rely on the ESG frameworks to showcase organisations which comply with our standards for the future, the frameworks must adapt to the demands of the times.
“With cybersecurity as a critical part of ESG frameworks, stakeholders may holistically assess an organisation’s commitment to sustainable profitability, good governance, social responsibility, business ethics, environmental sustainability and a beneficial impact on the world.”
A holistic approach
When integrated into ESG, cybersecurity becomes an integral part of the organisation’s business strategy instead of an isolated function. “Rather than viewing it as a standalone or predominantly IT issue, the approach [to cybersecurity] becomes more holistic and aligned with the broader corporate responsibility to execute sound business risk management programmes. In essence, cybersecurity is seen not just as an operational necessity, but also as a critical aspect of corporate citizenship and stewardship,” says Nathan Wenzler, chief security strategist at cybersecurity firm Tenable.
He continues: “For instance, embracing this integrated risk management perspective means recognising the potential social impact of a data breach, such as that the misuse of personal customer information could lead to a loss of trust and harm individuals directly. It acknowledges that robust cybersecurity practices are part of good governance and shows that a company is managing its risks responsibly and effectively. This can build confidence among stakeholders, including investors, customers and regulators.”
Wendy Lim, partner, Cyber, Advisory at KPMG in Singapore, also believes cybersecurity will better align with broader organisational goals and stakeholder expectations when integrated into an ESG framework. “From KPMG’s interactions with industry players, we have observed organisations and their boards paying greater attention towards harmonising cyber and ESG strategies, focusing on areas such as safeguarding information assets and ensuring transparent reporting.
“By making cybersecurity a key part of their ESG strategy, organisations are signalling its importance to stakeholders and making it a board-level issue — particularly since they would be responsible for reporting on its progress annually.”
Varying levels of awareness
There are currently different levels of awareness of the need to make cybersecurity a core component of the ESG strategy. “Similar to how businesses’ investment in cybersecurity can vary across the board, taking action on incorporating cybersecurity into their ESG strategy can also differ across Asia Pacific. Factors that businesses will consider include upfront investments, resource availability, technical expertise and regulatory pressures,” shares Lim.
Larger multinational corporations, notes Wenzler, are generally more aware of the importance of cybersecurity due to their exposure to international markets and the rigorous regulatory environments in which they operate.
However, he foresees an upward trend in both awareness and inclination to incorporate cybersecurity into ESG strategies.
“Globally, there is a growing body of regulatory and compliance directives being handed down, prescribing organisations of all sizes and in broader industries to have ESG initiatives in place. With that comes the need to ensure they have formal cybersecurity programmes to support those initiatives,” says Wenzler.
He adds: “It is possible that governments and regulators across Asia Pacific will become more prescriptive with regard to the steps and measures firms will need to take to ensure an adequate cybersecurity posture, which means that awareness will also likely grow.”
As regulations around data privacy and security increase globally, would complying with them be sufficient to reduce an organisation’s exposure to cyber risks? No, states Seetoh: those regulatory frameworks only provide the scaffold on which organisations shape and develop their cybersecurity programmes.
He adds: “Organisations ought not to allow regulatory compliance to form an inhibiting perimeter that restricts their cybersecurity programme development. In line with the spirit of ESG, the goal should not only be regulatory compliance but to also go above and beyond as responsible stewards to the planet and society at large.
“In the context of cybersecurity, this could entail taking the initiative to spearhead improvements to their programmes and pioneer industrial standards or best practices. Having ownership over their cybersecurity programmes enables organisations and industries to develop symbiotic synergies with regulatory institutions in cybersecurity. While taking direction from regulatory institutions, organisations may also offer insights into their own industry-specific advancements and needs, enabling both sides to work off one another. In doing so, both general society and the individual organisations benefit from a jointly constructed and robust cybersecurity framework.”
Integrating cybersecurity into ESG
To effectively integrate cybersecurity into their ESG strategy, organisations must first have visibility of their cyber risks. “By understanding the state of cybersecurity throughout the organisation, stakeholders will be better able to make sound decisions about how, when and where to address cyber risks and protect the initiatives that support their ESG programme,” says Wenzler.
Meanwhile, Seetoh highlights the need to ensure the ESG framework organisations adopt aligns with their specific cybersecurity risks, business needs, legal and compliance requirements, and ESG goals. “Engage trusted advisers as necessary to leverage their expertise and get assistance with an audit of the integration. Having third-party reviews of the integration prevents systematic biases that may conceal misalignment, inefficiencies and gaps.”
Once the groundwork is done, Barel recommends that organisations look at:
- Increasing board-level engagement and engendering a mindset shift in prioritising cyber risk
- Codifying cyber risk frameworks and protocols into an organisation’s governance structure, such as mandating cybersecurity risk assessments at regular intervals to identify, prioritise and mitigate risks
- Implementing robust employee awareness and training programmes to educate employees about their role in protecting sensitive data and detecting potential threats
- Engaging with industry associations, government bodies and peer organisations in cross-sector knowledge sharing and collaboration, including participation in cyber defence exercises.
“Many of the best practices that organisations can embrace to integrate cybersecurity into their ESG strategy mirror those that help firms build business resilience against cyber risk,” says Barel.
It is also vital to measure and report their integrated cybersecurity and ESG efforts to show progress and accountability to stakeholders. “[To do so effectively,] organisations should develop clear metrics or key risk indicators that align with their strategic objectives. These could include incident response times, the number of staff trained, or the results of penetration tests or phishing campaigns. Regular audits and transparent reporting can help demonstrate the effectiveness of these efforts and build stakeholder confidence,” adds Lim.
Organisations can take reporting a step further by translating cybersecurity’s technical metrics into something tied to the broader business risk metrics. Wenzler explains: “This means using fewer metrics that are volume-based and moving towards trending of risk levels over time, tying financial impact from direct loss or regulatory fines, or leveraging risk models that can show which areas of the organisation are most at risk of harm from a cyber attack and how much that contributes to the overall health and risk of the organisation.
“It’s not an easy process, and for many IT practitioners, it is a very different style of reporting metrics. [However, this can help] demonstrate how proactive security efforts are helping to lower the likelihood of financial and legal harm to the organisation. Additionally, companies can showcase their ongoing investment in cybersecurity training and tools, as well as the adoption of best-practice frameworks as commitments to protecting their technology assets in support of their ESG programmes. [This helps] demonstrate credibility to their customers or constituents.”
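The two quotes above describe the reporting shift in words: move from volume counts to key risk indicators such as time to contain, training coverage and phishing-simulation results, trend them over time, and tie them to direct financial loss. The following Python script is an added illustration of that idea and is not code from the article, from KPMG or from Tenable. The incident records, phishing and training figures, and the 0-100 composite risk score with its weights are all constructed assumptions chosen to keep the arithmetic readable, not an industry standard.

```python
"""Added example: turning raw security telemetry into trend-style key risk
indicators (KRIs) with a direct-loss figure beside each quarter's score.
Not code from the article or any firm quoted in it; data and model are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    quarter: str
    detected: datetime
    contained: datetime
    direct_loss: float  # constructed: recovery spend, fines, lost revenue


# Constructed sample incidents covering three quarters.
INCIDENTS = [
    Incident("2024Q1", datetime(2024, 1, 9, 8), datetime(2024, 1, 11, 8), 120_000),
    Incident("2024Q1", datetime(2024, 2, 20, 9), datetime(2024, 2, 21, 1), 40_000),
    Incident("2024Q2", datetime(2024, 5, 3, 10), datetime(2024, 5, 4, 10), 25_000),
    Incident("2024Q3", datetime(2024, 8, 14, 7), datetime(2024, 8, 14, 15), 10_000),
]

# Constructed phishing-simulation results: (emails sent, clicks) per quarter.
PHISHING = {"2024Q1": (500, 60), "2024Q2": (500, 40), "2024Q3": (500, 20)}
# Constructed training coverage: (staff trained, headcount) per quarter.
TRAINING = {"2024Q1": (300, 500), "2024Q2": (400, 500), "2024Q3": (480, 500)}

# Assumption: containment slower than this many hours scores the maximum.
CONTAINMENT_CAP_HOURS = 48.0


def mean_time_to_contain_hours(quarter: str) -> float:
    """Average detection-to-containment time for incidents in the quarter."""
    durations = [(i.contained - i.detected).total_seconds() / 3600
                 for i in INCIDENTS if i.quarter == quarter]
    return round(mean(durations), 1) if durations else 0.0


def phishing_click_rate(quarter: str) -> float:
    sent, clicked = PHISHING[quarter]
    return round(clicked / sent, 3)


def training_coverage(quarter: str) -> float:
    trained, headcount = TRAINING[quarter]
    return round(trained / headcount, 3)


def quarterly_direct_loss(quarter: str) -> float:
    """Financial impact the board can read next to the risk score."""
    return sum(i.direct_loss for i in INCIDENTS if i.quarter == quarter)


def risk_score(quarter: str) -> float:
    """Constructed 0-100 composite; higher is worse. Weights are assumptions."""
    containment = min(mean_time_to_contain_hours(quarter) / CONTAINMENT_CAP_HOURS, 1.0)
    score = (40 * phishing_click_rate(quarter)        # people clicking lures
             + 30 * (1 - training_coverage(quarter))  # untrained share of staff
             + 30 * containment)                      # slow response
    return round(score, 1)


def risk_trend(quarters: list[str]) -> list[tuple[str, float, float]]:
    """(quarter, risk score, direct loss) in order, ready to plot or tabulate."""
    return [(q, risk_score(q), quarterly_direct_loss(q)) for q in quarters]


if __name__ == "__main__":
    print(f"{'quarter':8} {'risk':>6} {'loss (USD)':>12}")
    for quarter, score, loss in risk_trend(sorted(PHISHING)):
        print(f"{quarter:8} {score:6.1f} {loss:12,.0f}")
```

Running the script prints one row per quarter with the composite score and the direct loss side by side, which is the "trending of risk levels over time" view rather than a count of blocked emails or patched hosts. Swapping the constructed weights for ones agreed with the board, and the constructed losses for figures from finance, is what turns this into a reportable KRI.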
As the cyber risk landscape evolves, organisations must make cybersecurity a core component of their ESG strategy. Doing so will enable them to take a more holistic, strategic and proactive view of cybersecurity, which will in turn help strengthen their business resilience.