Find a place for cybersecurity in your ESG reporting

Cybersecurity is no longer solely a risk to the organisation, but a societal risk that impacts workplace safety, consumer safety, and data protection and privacy. However, not many organisations in Australia, or even globally, publicly report or set goals related to the impact of their cybersecurity program on society.

That has to change. Investor interest, public pressure, employee demands and government regulations are strengthening incentives for organisations to track and report cybersecurity goals and metrics within their environmental, social and governance (ESG) efforts.

Expectations that organisations should be more transparent about their cyber risks have increased, resulting in public demand for greater transparency within their ESG reporting. This is quickly moving from a discretionary activity to a business requirement. Gartner predicts that 30% of large organisations will have publicly shared ESG goals focused on cybersecurity by 2026, up from less than 2% in 2021.

Following its data breach in 2017, Equifax has increased focus on trust and transparency in its security practices, for example. The company has continued to publish a security annual report under its ESG program. Many do it in isolation when ASIC releases a survey, for instance, and industry data is published anonymously.

There are fewer examples of putting goals in place to change the societal impact of cybersecurity. In the public sector, the NSW Government’s cybersecurity strategy is focused on getting more talent involved in cybersecurity to help address the security talent gap currently in Australia. This goal should be on every CISO’s to-do list.

More organisations should be prepared to stand up and tell society, investors and regulators what they do from a security perspective. This will allow others to understand the importance of cybersecurity to business performance and learn from it. While numbers are currently very low, this will grow as pressure increases.

Reporting will become more widespread

Despite cybersecurity rarely being included in current ESG disclosures, there are various indicators that it will become more widespread. Oversight from the board and social expectations around cybersecurity are increasing because of ongoing breaches.

There are frameworks being developed by established third parties to benchmark ESG efforts, such as the Global Reporting Initiative (GRI) and the Sustainability Accounting Standards Board, which include data security or data breaches (as a subset of privacy).

As these frameworks and the inclusion of cybersecurity goals and metrics become industry norms, security and risk management leaders will increasingly have to demonstrate an organisational commitment to reducing the social issues that may arise from cybersecurity incidents.

The issues include data breaches of customer personal information; potential safety concerns from use of cyber-physical systems; potential for misuse and abuse within their products; and malicious cyber activity against critical infrastructure. The potential for negative societal impact can be reduced by developing ESG goals as part of annual cybersecurity strategic planning.

Can’t keep cybersecurity failures a secret

CISOs already have a key role to play in supporting other ESG metrics, particularly increasing equity and inclusion within the cybersecurity function, and ensuring security incidents are considered within executive compensation. Now they’ll increasingly have to demonstrate commitment to reducing the social issues that may arise from cybersecurity incidents.

As with other ESG metrics, external stakeholders, particularly institutional investors, will rely on publicly available information and data providers like security rating services (SRS) to inform their assessment of an organisation’s cybersecurity posture in the absence of transparent insight and metrics. They can no longer expect to keep the failures and successes of their cybersecurity function a secret.

How to get started

Work with enterprise risk and sustainability leaders to ensure that existing and emerging ESG reporting requirements and the short- and long-term implications for cybersecurity strategies are proactively identified.

Develop metrics to proactively assess the social or societal impact of cybersecurity incidents and increase transparency in the organisation’s current performance and strategies to reduce this impact. These metrics and strategies will form the basis of future cybersecurity ESG goals.

Proactively monitor the potential data sources including security rating services that could be used by external stakeholders, particularly institutional investors, to inform their assessment of an organisation’s cybersecurity posture.

Finally, work closely with the board and senior executives to ensure that corporate communications, including formal ESG disclosures, demonstrate commitment and progress to reducing the societal impact of cybersecurity incidents.

*Claude Mandy is a Senior Director Analyst at Gartner, covering security, risk management and privacy. Claude is a speaker at the upcoming Gartner Security & Risk Management Summit, to be held from 21–22 June 2022 in Sydney.

Image credit: ©stock.adobe.com/au/khanchit