Investors are increasingly focusing on cyber-risk exposures and how companies manage them in line with ESG principles
Ransomware and cyber-attacks increased by an alarming rate of 105 per cent last year, sparking concern among companies and investors. With the Russia-Ukraine conflict adding more fuel to the fire, companies are facing acute challenges in addressing enterprise cyber risk exposures. With these factors in play, companies need to evaluate cyber-security risk as a critical part of their ESG strategy in order to sustain shareholder value and investor confidence.
Cyber-security across the pillars of ESG
Cyber-security risk affects every part of an organisation and should be treated as a boardroom concern on a par with other ESG risks. As cyber-attacks grow in scale and frequency, the direct and indirect damage to companies touches all aspects of ESG, including loss of customer confidence, reputational damage, potential impact on stock price and possible regulatory action or litigation. Data breaches can also threaten the social and environmental pillars of ESG: attackers have successfully targeted critical infrastructure, pipelines and healthcare systems, causing harm to society and the environment. Companies need to integrate cyber-security into their overall ESG strategies so that such risks are viewed through an ESG lens, promoting and maintaining enterprise-wide cyber-resilience. This assures investors that cyber-security risks are being managed.
Resilience through cyber-security hygiene
Cyber-security planning is a critical part of any existing ESG programs. A robust and clear cyber-response plan can help any organisation promote cyber-resilience across its business and technical teams, while managing and mitigating cyber-exposures proactively.
Cyber-security hygiene means proactively following common best practice in risk management to protect an organisation from debilitating cyber-attacks. Continuously assessing an organisation’s security posture, to ensure that its networks are protected against potential intrusions, is imperative. Another way to gain insight into an organisation’s cyber-hygiene practice is to use cyber-risk ratings, which provide a view of the external risks to its network. Cyber-risk ratings identify vulnerabilities across an organisation’s public-facing networks in much the same way that a potential attacker would test its technical defences.
Managing third-party supply chain cyber-risk
How organisations manage and mitigate their supply chain cyber-risk is equally important to investors. Third-party risk and resilience are key issues that keep company executives up at night. This challenge extends to the management of cyber and privacy risks involving data shared with an organisation’s supply chain partners, who are often the weakest link in security. By applying the same ESG standards to their supply chains, companies can ensure that risks posed by the vendor ecosystem are addressed at the same high level.
Proposed rules and company cyber-risk management
The United States’ SEC has proposed rules that address how public reporting companies assign board oversight, report material cyber-security incidents, and disclose their cyber-security risk management plans and governance. The proposed rules are designed to inform investors, through updated periodic disclosure, about a company’s cyber-security exposure and its ability to manage and mitigate those risks.
With the continued rise of ransomware and cyber-attacks threatening companies globally, investors need to evaluate their portfolio companies through an ESG lens, including enterprise-wide cyber-security risk management and transparent disclosures about how the organisation is mitigating these risks.
To discover how ISS Corporate Solutions helps companies design and manage their ESG programs to align with company goals, reduce risk, and manage the needs of diverse stakeholders by delivering expert advisory, data, and software solutions, visit: isscorporatesolutions.com.
ISS Corporate Solutions, Inc. (ICS) is a wholly owned subsidiary of Institutional Shareholder Services Inc. (ISS). ICS provides advisory services, analytical tools and information to companies to enable them to improve shareholder value and reduce risk through the adoption of improved corporate governance and executive compensation practices. The ISS Global Research Department, which is separate from ICS, will not give preferential treatment to, and is under no obligation to support, any proxy proposal of a company (whether or not that company has purchased products or services from ICS). No statement from an employee of ICS should be construed as a guarantee that ISS will recommend that its clients vote in favor of any particular proxy proposal.
© 2022 | Institutional Shareholder Services and/or its affiliates
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543