• Cyber attacks present a huge risk to the value of companies and ultimately the stability of society.
  • Companies need to start managing cybersecurity as part of their environmental, social and corporate governance strategy, rather than relying on insurance.
  • A standard framework for measuring cyber risk would help organizations and regulators to manage it.

In recent months there have been an increasing number of cyber attacks on critical infrastructure, financial networks, healthcare, and other networked systems. Despite this prevalence, however, investor and board pressure on Environmental, Social, and Corporate Governance (ESG), tends to focus on environment and social justice, while cybersecurity is left to the regulators and the insurance industry to tackle.

Companies need to start looking at cybersecurity as part of ESG. Cyber risk is the most immediate and financially material sustainability risk that organizations face today. Those that fail to implement good governance on cybersecurity, using appropriate tools and metrics, will be less resilient and less sustainable. This in turn has an impact on the other organizations they rely on, and ultimately on the stability of companies, communities and governments.

Here are three reasons why cyber risk needs to be included in ESG strategies:

1. It presents a threat to value

Intangible value – the value of assets that are not physical in nature – now represents 90% of the asset value in organizations, having more than tripled in the Standard and Poor’s 500 index (S&P 500) during the past 35 years. During the COVID-19 pandemic, organizations took an accelerated shift to digitize their assets.

Perhaps the most critical intangible asset in determining the value of a company today is data – be it personal data, financial information, security data or behavioral data. As companies grow, their intangible value grows too, which increases the potential impact of a cybersecurity breach. In this context, it is not surprising that cybercrime for economic profit is projected to increase.

To manage their cybersecurity, companies need to shift their thinking. Rather than trying to protect every single computer or system from attack, they need to focus on protecting the critical assets – the ones without which the organization can't operate. So in the event of a breach, value is not lost, or the loss is minimized.

2. It presents a threat to society

In the spirit of consumer convenience, organizations across industries have rapidly adopted digital transactions. These are near-ubiquitous across government services, financial and insurance services, healthcare and utilities, as well as consumer goods. This creates increased cybersecurity risks. In 2021, records were broken for identity theft, up 23% over the previous all-time high.

Data breaches can have a huge impact on people. Hackers have increasingly targeted healthcare data and institutions, with an impact on the quality of care for the community as a whole. A disruption to the utility industry, such as the attack on Colonial Pipeline in the United States, can also lead to temporary income loss, further affecting the community.

Hackers have increasingly targeted healthcare data and institutions, with an impact on the quality of care for the community as a whole.
Hackers have increasingly targeted healthcare data and institutions, with an impact on the quality of care for the community as a whole.
Image: ESGDatabook.com

3. Insurance can't mitigate the risk indefinitely

Instead of implementing governance around cybersecurity, organizations have heavily relied on insurance to manage the risk. But as courts rule in favor of policyholders, insurers will continue to narrow the scope of the cyber policy coverage, limiting the extent to which organizations can rely on it to mitigate the risk. In any case, an insurance claim can severely impact an organization’s ability to be insured; insurance alone is not a substitute for good governance.

As demand for cyber insurance increases, there is a growing gap in coverage. This makes understanding and managing the risk more important than ever, especially as regulatory fines alone can bankrupt an organization.

What is the World Economic Forum doing on cybersecurity?

The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. The centre is an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors.

Since its launch the centre has driven impact throughout the cybersecurity ecosystem:

Contact us for more information on how to get involved.

A standard framework for measuring cyber risk would help organizations and regulators to understand it and manage it as part of their ESG strategy. Companies including Apple, Amazon, Microsoft, and Netflix have a greater reach in numbers of engaged customers and yearly revenue than whole countries like Canada, Brazil, and Russia. Government regulations alone cannot realistically manage all companies, due to the complexity of continuously evolving new business models and the growing size of many technology companies. A standardized framework for analysis could set a precedent for effective governance.