ESG Implications of Cybersecurity Threats and 5 Actions to Take

While cybersecurity might have different connotations, cybersecurity threats are a national security issue and a danger to critical U.S. infrastructure. According to Accenture’s 2021 Cyber Threat Intelligence Report, “The global ransomware crisis has entered a new phase, as threat actors adopt stronger pressure tactics and new targets – in particular, manufacturing and critical infrastructure. Ransom impact is more widespread, with attacks often highlighting weaknesses in a company’s security posture.” The World Economic Forum’s 2021 Global Risks  Report cites cyberattacks among the top 10 global risks with a high probability of occurring.[i]

A simple cyber incident can have significant environmental, social, and governance (ESG) implications. It could damage a business’s reputation and trigger significant financial losses. Businesses big and small are increasingly recognizing cybersecurity as a major business risk that needs to be mitigated, often at a high cost.

This note examines the ESG implications of ‘cyber-insecurity’ and offers basic steps businesses and individuals can take to address cyber threats.

Environmental Costs and Implications of Cybersecurity

Companies in the energy sector have continued to experience the higher threat posed by the dangers of cyberattacks unleashed by foreign and domestic bad actors. A single cyber intrusion and attack can pose a significant pollution liability to businesses of all sizes, especially in the energy and utility sectors that are critical parts of our infrastructure. For instance, a successful cyberattack can cause a company to lose control of its warning systems.  Equipment that is critical in controlling toxic material or toxic emissions could be unknowingly released, resulting in potentially catastrophic environmental pollution in the form of spills or other emissions.  Attacks that compromise equipment controls could also lead to fires and explosions, with significant damage to capital equipment and personal injury, as well as environmental cleanup costs, and liability claims from the injured.[ii] The energy sector systems are mostly built on Supervisory Control and Data Acquisition (SCADA) systems, which are a prime target for cyberattacks.

For example, in 2017, a Saudi Arabian Petrochemical plant suffered a cyberattack from Russian government-backed hackers that nearly resulted in an explosion. [iii] The explosion was prevented due to an error in the attacker’s computer code. If the attack had been successful, it would most likely have had adverse environmental consequences.

Social Cost and Implications of Cybersecurity

As our society continues to adopt digital technology to power our social and financial interactions, and with this adoption accelerated by the COVID-19 requirements for social distancing, cybercrime has quickly become the fastest-growing form of criminal activity. The social cost of cyberattacks goes beyond dollar values. Daily activities such as travel can be disrupted, the hacking of critical life-saving healthcare systems by foreign and local bad actors can lead to death, and cyberattacks on the food supply chain could cause food shortages.

The Colonial Pipeline remains an interesting case that offers insights into the vulnerability of the United States’ critical infrastructure. The attack on the Colonial Pipeline had such a large impact because the pipeline is a vital component of the nation’s essential infrastructure system.[iv] The system’s decommissioning shut off gas supplies throughout the whole east coast of the United States, generating confusion and fear. Many households went into panic buying of gas as the fear of gas price hikes rose.[v] Air travel was also impacted by the Colonial Pipeline ransomware attack due to a shortage of aviation fuel. American Airlines, for example, temporarily changed their flight schedule to adjust to a growing fear of fuel shortages.[vi]

Governance Cost and Implications of Cybersecurity.

As cyberattacks become more frequent and severe, cybersecurity is emerging as one of the top governance concerns within environmental, social, and governance factors. Companies big and small can view cybersecurity through the lens of preventing reputation risk, maintaining revenues, and avoiding extraordinary expenses. Reputation risk tied to cyberattacks has continued to be a major issue since the acceleration of remote working during the global lockdown.[vii] In recent years organizations such as the Internal Revenue Services (‘IRS”), Equifax, and Target are among companies and organizations that have experienced some form of cyberattack from foreign and domestic bad actors.

The Internal Revenue Services (“IRS”), one of the United States government agencies, in charge of collecting taxes suffered one of its worst cyberattacks in 2015. Cyber-hackers gained access to personal data of more than 700,000 taxpayers accounts. The hack was a nightmare for the IRS, one that raises questions as to how safe taxpayers’ information is in the hands of “Uncle Sam”.

In 2017, Equifax, one of the largest consumer credit reporting agencies, suffered a huge blow from cyberattacks orchestrated by a group of Chinese hackers.[viii] This data breach accessed the private records of 147 million Americans.[ix] The data breach was a hit to Equifax’s reputation and resulted in a $700 million monetary settlement to customers affected.[x]

Target and T-Mobile have also had significant data breaches. In 2013, the data for more than 60 million Target customers were stolen by a hacker, resulting in an $18.5 million multistate settlement.[xi] In 2021, T-Mobile, one of the nation’s largest telecommunications companies, experienced its worst data breach ever, exposing the personal information of 47 million Americans.[xii]

What can businesses and individuals do to protect against cyberattacks?

Businesses and individuals can protect themselves from cyberattacks by following steps such as:

1. Think before you click: Although a simple concept, businesses and individuals find it challenging to follow through and “think before you click” when trying to avoid sophisticated phishing attacks from foreign and domestic hackers. Simple questions should be asked, such as: How accurate is the email or text? Do I know this person? Does the email, text, or phone call sound funny? Should I report this email, text, or phone call to the computer team for verification? How urgent is this email, text, or phone call, and is this a false urgency? Does the email or text contain some typos, errors, or false names?

Individuals and businesses can effectively avoid phishing emails by simply pausing, verifying, and thinking through the content and context of the email, text, or phone call before opening or responding to any email, text, or phone call that might be considered phishing. Remember, most organizations never call to demand immediate payment, and most will not call about taxes or payments that are owed without first having mailed you a bill.[xiii]

2. Secure Hardware: Businesses should protect themselves with secure password-protected and physically protected hardware infrastructure, installed and maintained with guidance from industry experts.

3. Increase cybersecurity budget: Businesses would be better armed against cyberattacks when their cybersecurity budget is substantial enough to purchase and install appropriate cybersecurity protections. Businesses will not be able to defeat suffocated hackers with ill-equipped cyber protective tools. Cybersecurity remains an art of war that can only be dominated with the best technology, which requires money.

4. Invest in Cybersecurity Insurance: Cybersecurity insurance may be useful as part of the toolkit used by businesses and individuals to protect themselves from the fallout of data breaches, which may result in litigation and settlements.

5. Strengthen Existing Cybersecurity Policy: Businesses should periodically and proactively review existing cybersecurity policies to determine they are adequate and robust enough to withstand new and ever-evolving cyberattacks.