The role cyber plays in the boardroom’s ESG agenda

As businesses accelerated the digitisation process during the pandemic, cyber risk spread to new corners of their operations, potentially impacting all aspects of ESG.

Companies have been digitising processes for decades as they have sought gains in productivity and efficiency, but the pandemic has accelerated this trend: businesses have had to react to decreased staff mobility, higher employee absenteeism, and a shift in consumer behaviour.

While many of the changes have boosted productivity, the expansion of digital processes has also widened the cyber risk exposure of organisations, potentially affecting companies’ environmental, social and governance (ESG) credentials. It is incumbent upon businesses to identify these factors and take appropriate steps to manage them.

Environmental

Physical risks to the environment arising from a cyber event must be identified, understood and mitigated by the board of every business. The potential for environmental impact in sectors such as energy production and transmission, transportation, public services/utilities, and the chemical and manufacturing industries is no doubt front and centre of boardroom agendas, but recognising a cyber event as a possible trigger of that impact is also crucial.

A compromise of critical equipment or of monitoring and warning systems during a cyber event may, for example, result in spillage, waste discharge, fire, explosion or the release of hazardous materials. The ensuing environmental damage, remediation expenses, legal liability claims, fines and negative publicity, and even the potential loss of human life, must be identified, understood and managed.

In a recent white paper titled Environmental risks: cyber security and critical industries, AXA XL described the potential entry points for cyber-attacks in several industries:

  • Refineries, manufacturing and chemical production facilities make extensive use of Distributed Control Systems (DCSs) and Programmable Logic Controllers (PLCs) that can be vulnerable to cyber-attack.

  • Pipelines can be susceptible to cyber-attack based on their extensive use of Supervisory Control and Data Acquisition (SCADA) systems to operate the pipeline remotely, control inputs and outputs, and perform critical leak detection.

  • Maritime activity has long relied on Global Positioning System (GPS) technology but increasingly also on Information and Communications Technology (ICT) to meet customer demands and provide transportation safety. ICT is used to deliver and optimise operations including ship propulsion, navigation, freight management, traffic control, predictive maintenance and communications. A single tanker accident can result in the release of millions of gallons of crude oil.

  • Other critical transportation systems have a growing attack surface, including air transport, and highway and rail cameras, signals and monitoring/control systems.

  • Water/wastewater and electric utilities are also exposed through the SCADA systems used to run treatment and distribution; a compromise of those systems can undermine their safety and performance.

Social

The social impact of cyber threats should not be underestimated. Companies that collect or store large volumes of personally identifiable information (PII) are particularly exposed to a cyber event. Cyber-criminals are well aware of the value of personal data, and the responsibility to protect it from unauthorised use has become more demanding and more risky, not least because of the more stringent data privacy regulations being implemented across the globe.

The implications of these data protection regimes are as wide and varied as the jurisdictions themselves, but it is clear that the way businesses handle both their employees' data and third-party data will have a significant impact on the social aspect of their ESG principles. The relationship between an organisation and its people is crucial as the business seeks to maximise trust and brand reputation.

The way in which a business manages all data, and PII in particular, must be subject to close scrutiny: protocols governing the lawful collection, storage, use and, where appropriate, anonymisation of personal data will be critical. A failure to put such protocols in place, and to follow them, exposes a business to liability claims for data breaches as well as to regulatory fines and penalties.

A dereliction of duty can be costly and directly affect a business's bottom line. A case in point: in 2017 credit agency Equifax lost the personal and financial information of nearly 150 million people through an unpatched Apache Struts vulnerability in one of its web applications, and went on to agree a US settlement of at least USD575 million. Closer to home, supervisory authorities in Europe issued a total of nearly EUR1.1 billion (GBP0.9 billion) in GDPR fines in 12 months, according to calculations by international law firm DLA Piper, an almost sevenfold increase on the previous year's total.

Special attention is required where organisations use data in the context of artificial intelligence or machine learning: any inherent bias in the input data or in the design of the algorithm, for example, must be identified and mitigated. Transparency is one of a number of AI governance principles with which an organisation must comply to ensure social and legal responsibility in its use of data. As global AI regulation emerges, this is a space to watch closely.

Governance

Cyber risk is not ‘just’ a technical issue but a business risk that threatens all parts of the organisation and therefore needs to be dealt with at a boardroom level.

To protect a company appropriately, the board must assign clear responsibility for cyber risk and maintain ongoing vigilance, not least because senior managers are increasingly drawn into legal conversations on the topic.

Quite apart from the business management of risk, the potential personal exposure of directors and officers for failing to mitigate cyber risk is a real and ever-present issue. A failure to recognise certain events as financial threats is a management oversight and a potential directors and officers (D&O) liability exposure. Beyond the environmental and data-related consequences of a cyber event, consider also the following possible exposures:

  • Cyber extortion demands and expenses

  • Liability to third parties for cyber events, such as spreading of malware, or an inability to access online services

  • First-party costs to remediate a cyber-attack, including legal fees, public relations costs and IT forensic costs

  • Reallocation of internal resources

  • Business interruption loss

  • Reputational harm

  • Damage to hardware and/or software including digital assets.

In the US, shareholders are increasingly seeking redress against board members to hold them accountable for cyber-related losses. The SolarWinds software breach, in which a compromised software update was distributed to thousands of companies and government agencies that used the product, has resulted in investors suing the company's directors, alleging that they knew about and failed to monitor cybersecurity risks ahead of the breach that left thousands of its customers' systems vulnerable. The allegation is that management failure contributed to the breach, reflecting the view that boards cannot simply delegate responsibility for cyber threats to IT managers without a full appreciation and management of those risks.

Recommendations:

Businesses looking to reduce their ESG cyber-related risk exposure may want to consider implementing some or all of the measures below:

  • appoint a cyber security officer

  • implement strict access controls to company computer systems

  • introduce robust password management

  • introduce tiered levels of system access so that users have only the access their role requires

  • introduce comprehensive system monitoring

  • introduce an effective system of internal controls to ensure that data breaches are minimised

  • implement a governance strategy to monitor the material risks posed to the company, its stakeholders, and customers around the use of data

  • appoint a board member with a background in IT or cyber security

  • make cyber security an on-going action for all employees and contractors

  • raise awareness of the potential types of cyber-attacks (with a particular focus on ransomware) and provide clear guidance on reporting suspicious activity through internal IT security departments, training, and vendor assisted programmes

  • be consistent in the messaging in relation to cyber protection and refer to the policies and procedures in place

  • have a consistent and centralised approach to the company’s use of social media

  • ensure appropriate Business Continuity Plans and Incident Response Plans are in place, and regularly tested and updated.

Cyber insurance should also be considered. While a cyber policy may cover some or even all of the risks discussed in this article, additional insurance products may be needed to cover ESG risks that fall outside a typical cyber policy.

Environmental, social and governance criteria are a key part of any responsible business's operational strategy. Stakeholders are increasingly aware that a focused, accountable and ethical response to these principles will differentiate one business from another. A board's management of the ever-present cyber threat is a critical part of ESG governance.

For further information, please contact:

Vanessa Cathie, Vice President, Global Cyber & Technology

T +44 (0)20.7933.2478

E vanessa.cathie@lockton.com