Given the acceleration of the digital economy worldwide, intangible asset values on the balance sheets of the ASX/S&P 200 companies would have likely experienced similar trends.
There is no escaping the fact technology has had a major impact on how companies do business. Digitisation makes business processes faster and easier, anytime and everywhere.
Despite the clear benefits, this increasing reliance on technology and data also makes companies more vulnerable to cyber threats. As a result, they have a growing responsibility to put in place appropriate protections.
Companies need a robust governance framework that promotes effective cyber security oversight and execution.
Therein lies the intrinsic link between cyber security and sustainability.
At its core, sustainability refers to a company’s ability to survive and thrive over the long term, given the various sustainability issues that are material to its business and the overall economy.
A responsible approach to the governance component of ESG needs to incorporate appropriate cyber security risk policies and procedures. Both the financial and reputational costs of not doing so are significant.
A study from US-based cyber security firm Deep Instinct reveals that in 2020, malware incidents increased by 358 per cent, and ransomware increased by 435 per cent compared to 2019. Accenture’s State of Cybersecurity surveys found that companies experienced an average of 270 attacks during 2021, a 31 per cent increase compared to 2020.
Further, IBM’s latest Cost of Data Breach Report found the average total cost of a data breach reached a high of $4.35 million in 2022, climbing almost 13 per cent from 2020.
It’s no longer enough to appoint a cyber security executive and expect that a company’s vulnerabilities are being looked after. There needs to be a whole-of-company approach.
One of the things companies need to pay more attention to is prioritising cyber resilience. Importantly, this needs to be a priority across the entire business. Highlighting the disconnect that can occur within departments, the World Economic Forum’s Global Risks Perception Survey found that 41 per cent of business executives believe that cyber resilience is an established business priority, while just 13 per cent of executives who focus on security (such as chief information security officers, or CISOs), agreed with that statement.
The old saying that a chain is only as strong as its weakest link applies here.
Businesses should also be focusing on attracting and retaining talent. According to a 2022 study from the International Information System Security Certification Consortium, roughly 3.4 million cyber security jobs worldwide are unfilled, a 26 per cent increase from 2021.
Finally, companies need to protect data privacy. With so much of our lives now lived online, a growing number of people are sharing very personal details on apps. For example, health tracking applications may collect data around people’s levels of anxiety and depression, along with data on gender, ethnicity, marital status, and parental status. This is information that data brokers are increasingly advertising for sale, and companies need to assure their clients that they are protecting this very sensitive data appropriately.
Good governance in the cyber security arena is therefore a critical part of risk management. Companies need to question their organisational structure and oversight, policies and procedures, and investments and resource capacity dedicated towards cyber security.
On the organisational structure front, we want to know if a company has a CISO, and if and how they interact with the board, along with how often that board communicates on cyber security issues. Having members on the board with cyber security expertise is also becoming an important factor in determining board oversight effectiveness.
When it comes to policies and procedures, we want to know a company’s incident response plan and its disclosure practices. We also want to know whether they conduct external audits on their cyber security plan.
And regarding investments, we want to know how much capital is allocated to security improvements and human capital in the cyber security space.
Overall, if companies want to operate sustainably in our increasingly digital world, they need to be able to assure customers and investors that they are appropriately managing the cyber risks of doing so.
Jake Hense, sustainable research analyst, American Century Investments