Make cybersecurity part of your approach to ESG.
While there may not be a C in ESG, the increasingly digital landscape of business is proving that you can’t have a complete appreciation of environmental, social and corporate governance concerns without extensive knowledge and understanding of cybersecurity.
Cybersecurity’s Role in Corporate Governance
Environmental, social and corporate governance concerns are top of mind for organizations and their stakeholders. Those stakeholders are not just investors. Organizations have experienced an uptick in ESG-related inquiries from clients, employees, recruits, debt ratings agencies and the media. While environmental and social topics are front and center, there is a crucial element that is being overlooked, and it carries significant risk if not properly addressed: cybersecurity.
Traditional corporate governance is focused more on auditing financials, board composition, shareholder rights, compliance and business ethics. While these remain important areas for corporate consideration, failing to implement proper cybersecurity governance leaves organizations exposed, putting their viability at risk. Depending on the industry, a cybersecurity risk can cause significantly more damage than a social or environmental risk. Cybersecurity incidents can permanently cripple an organization.
Governing bodies are aware of this heightened threat and are establishing regulations in response. The SEC recently voted to issue proposed rules that include reporting requirements for publicly traded companies on cybersecurity incidents. (Paul Kiernan, “SEC Proposes Requiring Firms to Report Cyberattacks Within Four Days,” The Wall Street Journal, March 9, 2022) The proposal also includes disclosing boards’ policies related to cyber risk oversight.
The proposed rules could be an indicator of how cybersecurity will be managed moving forward. As investors discover the risks and material losses stemming from cyberattacks, organizations will need to create or evolve their external reporting functions to maintain compliance (which falls within corporate governance) and customer trust. In turn, boards are adding directors with deep cybersecurity expertise, especially as ESG-related disclosures are touching more areas of the business.
In the fully digitized business environment that most organizations operate in today, cyber risk management is an undeniable proxy for good – or bad – governance. This type of environment demands that cybersecurity be treated like traditional risk and receive consideration in all decisions.
Poorly managed cyber risk can lead to material losses, insurance premium increases, operational disruptions, loss of customers, legal liabilities and reputational damage. These outcomes are costly, and what is lost is often difficult to restore, especially reputation and customer trust. Boards must provide organizations with cybersecurity expertise. Unaddressed cyber risks can hinder an organization’s ability to secure the resources necessary to drive growth. Corporate governance strategy needs to evolve and include this material risk.
The Pandemic and Cyber Risk
COVID-19 brought with it an increase in cybersecurity risks. As organizations shifted to remote working environments, companies digitized more assets vital to their operations so they could be accessed by employees working from home. For example, organizations turned to third-party technologies and cloud-based infrastructures to run mission-critical operations. As a result, companies had more assets to protect, while simultaneously creating new vulnerabilities for cyber actors to exploit. Governance should be reevaluated to encompass this shift from traditional assets and risk to today’s expansive digital ecosystem and corresponding threats.
This evaluation process involves extensive preparation and implementation of cybersecurity protections. Organizations can ensure this by assessing whether their organizational structure, policies, procedures and reporting capabilities are conducive to a cyber risk management strategy that is aligned with heightened stakeholder expectations.
This process should also involve identification of personnel responsible for cyber risk management, including how specific risks are monitored and assessed. As new frameworks and proposed regulations roll out, the individuals tasked with administering cybersecurity must be determined in advance of an incident. Being properly prepared is not just developing a plan; it’s deciding who owns each element of that plan.
The Approach to Communication
From a communications standpoint, the preparation process is similar. It’s essential to stress-test a crisis communications plan against today’s threats and digital risks, especially since the threat landscape has drastically evolved. Stakeholders’ expectations around cyber incident disclosures are constantly rising and notification timelines accelerating. For example, the proposed SEC regulations would require disclosing cyber incidents within four days, including procedures for how cyber risk was managed.
A cybersecurity crisis is an opportunity to demonstrate good corporate governance, reflected in how effectively an organization can respond. It’s a chance to turn governance into an asset, leading to more proactive management of incident response and communication with stakeholders. Handling cybersecurity crises appropriately enhances reputational trust and limits an incident’s impact on financials. Negligent governance and failure to communicate immediately with impacted parties can cause a crisis to escalate quickly, resulting in the stalling of business operations and the potential for irreversible reputational harm. Preparedness equals strong governance that reflects the post-COVID, digitized business environment.
The Chinese word for “crisis” is loosely a combination of “danger” and “inflection point.” This translation is applicable to organizations facing a crisis. They can either succumb to the pressure and the work required to recover, or they can capitalize on the incident and turn it into a positive. Proper governance will likely be the determining factor, especially as focus on ESG strategies grows and continues to be evaluated.
Erica Vinish is managing director and global head of cybersecurity operations for FTI Consulting. Adriana Villasenor is a senior director of crisis communications for FTI Consulting.
The views expressed herein are those of the authors and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates or its other professionals.